[dns-operations] All dual-stack DNS servers - any problem with it?
Mark Andrews
Mark_Andrews at isc.org
Wed May 16 21:31:16 UTC 2007
> * Mark Andrews wrote:
> > The roots would start dropping glue for plain DNS queries
> > once the name to be looked up exceeds 97 characters.
> >
> > For comparision a minimal referral to COM is 509 octets
> > and glue records are dropped once the name to be looked up
> > exceeds 7 characters. i.e. just about every referral from
> > the root to the COM servers has incomplete glue.
>
> Comparing with a signed root:
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;www.isc.com. IN A
> ;; AUTHORITY SECTION:
> com. 172800 IN NS M.GTLD-SERVERS.NET.
> com. 172800 IN NS C.GTLD-SERVERS.NET.
> com. 172800 IN NS G.GTLD-SERVERS.NET.
> com. 172800 IN NS D.GTLD-SERVERS.NET.
> com. 172800 IN NS H.GTLD-SERVERS.NET.
> com. 172800 IN NS E.GTLD-SERVERS.NET.
> com. 172800 IN NS J.GTLD-SERVERS.NET.
> com. 172800 IN NS K.GTLD-SERVERS.NET.
> com. 172800 IN NS A.GTLD-SERVERS.NET.
> com. 172800 IN NS L.GTLD-SERVERS.NET.
> com. 172800 IN NS I.GTLD-SERVERS.NET.
> com. 172800 IN NS F.GTLD-SERVERS.NET.
> com. 172800 IN NS B.GTLD-SERVERS.NET.
> com. 86400 IN NSEC COOP. NS RRSIG NSEC
> com. 86400 IN RRSIG NSEC 5 1 86400 20070602180233 (
> 20070504062106 64955 .
> nozkc1CpRti7BmZyy0N4fbuozqDI2lEWhAyLxXrgbi29
> WDSPNK/yRwOjdDImNbffaJAYA8t0Jc/Ampt+QeedtH0t
> tTBztoG9nQ0OmDyhHZFc1zuMYUZY1Z3Miq0TvYB8TfUT
> zVQX7xG76xyQpZcrODDdfrQSRO39mW6du/udQiqiWu9v
> c4PtzmNm/B0gpEokLXf8kExdtaxL1J/gAV22sc9AoQGV
> 9mzAsEOEpZGdAxx/XLes2gbx98LzK6euffqrt6cvTy7l
> LQb57FNDLurTTctbH0WQIP/iEFEgqb5Uw/GcKVrZHg3R
> lALfhKSRo9FnxRD7ggwLsaFPqH2GKVld4Q== )
> ;; ADDITIONAL SECTION:
> A.GTLD-SERVERS.NET. 172800 IN A 192.5.6.30
> A.GTLD-SERVERS.NET. 172800 IN AAAA 2001:503:a83e::2:30
> G.GTLD-SERVERS.NET. 172800 IN A 192.42.93.30
> H.GTLD-SERVERS.NET. 172800 IN A 192.54.112.30
> C.GTLD-SERVERS.NET. 172800 IN A 192.26.92.30
> I.GTLD-SERVERS.NET. 172800 IN A 192.43.172.30
> B.GTLD-SERVERS.NET. 172800 IN A 192.33.14.30
> B.GTLD-SERVERS.NET. 172800 IN AAAA 2001:503:231d::2:30
> D.GTLD-SERVERS.NET. 172800 IN A 192.31.80.30
> L.GTLD-SERVERS.NET. 172800 IN A 192.41.162.30
> F.GTLD-SERVERS.NET. 172800 IN A 192.35.51.30
> J.GTLD-SERVERS.NET. 172800 IN A 192.48.79.30
> K.GTLD-SERVERS.NET. 172800 IN A 192.52.178.30
> E.GTLD-SERVERS.NET. 172800 IN A 192.12.94.30
> M.GTLD-SERVERS.NET. 172800 IN A 192.55.83.30
> ;; Query time: 4 msec
> ;; SERVER: 2001:4bd8::1053#53(2001:4bd8::1053)
> ;; WHEN: Wed May 16 17:57:39 2007
> ;; MSG SIZE rcvd: 841
>
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;www.ash.cz. IN A
> ;; AUTHORITY SECTION:
> cz. 172800 IN NS C.NS.NIC.cz.
> cz. 172800 IN NS E.NS.NIC.cz.
> cz. 172800 IN NS F.NS.CZNIC.EU.
> cz. 172800 IN NS NS.TLD.cz.
> cz. 172800 IN NS NS-EXT.ISC.ORG.
> cz. 172800 IN NS NSS.TLD.cz.
> cz. 86400 IN NSEC DE. NS RRSIG NSEC
> cz. 86400 IN RRSIG NSEC 5 1 86400 20070603030311 (
> 20070504062950 64955 .
> jehMTV19W6+NMscFhY/uuIdARK5SoSkA0UfsUrkcfqAq
> qI6dtDaxfbwVSluupN+9hfUHGmKTKDFucHIcNxz+6qlA
> TaV+xCDMCk1AUyjNbLO6NZWZ+gK2YVB1BTBrSnbM/Xib
> ojxHTvVN48KDoQczIxZHvkz31xe1fLuFuPX8vO2LKCrW
> Eq6Of+DQlQQUX3RVPW7dAainW7BdnfHhE6qKXQl+w882
> ZMwomvbg5gRBQD1tmWHvyBQRdeXK0pS3mqHCne5q2y/E
> j79oEHVydp9GHQdxa/aE8ZVVH941GR9or4nD/mtDXr4h
> 8eyOHdRQhHO27ejGsVJdiym6ins2Mf/5ag== )
> ;; ADDITIONAL SECTION:
> NS-EXT.ISC.ORG. 172800 IN A 204.152.184.64
> NS-EXT.ISC.ORG. 172800 IN AAAA 2001:4f8:0:2::13
> NS.TLD.cz. 172800 IN A 217.31.196.10
> NSS.TLD.cz. 172800 IN A 217.31.200.10
> C.NS.NIC.cz. 172800 IN A 195.66.241.202
> C.NS.NIC.cz. 172800 IN AAAA 2a01:40:1000::2
> E.NS.NIC.cz. 172800 IN A 194.146.105.38
> F.NS.CZNIC.EU. 172800 IN A 193.171.255.48
> F.NS.CZNIC.EU. 172800 IN AAAA 2001:628:453:420::48
> ;; Query time: 3 msec
> ;; SERVER: 2001:4bd8::1053#53(2001:4bd8::1053)
> ;; WHEN: Wed May 16 17:58:42 2007
> ;; MSG SIZE rcvd: 663
>
>
> You can see, that the additional section is not signed, with renders the
> provided glue almost useless: we have to requery the glue from the root
> server, but do not get it signed!
No you don't. As long as the answers you receive by following the
glue are signed and validate it really does not matter if the
glue was correct or not. At some point we may need "glue sigs"
(note these will not be RRSIG) for NS and A records to provide
assurances that the referral is as entered. However that can
be added to the protocol at a later stage.
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;F.NS.se. IN AAAA
> ;; AUTHORITY SECTION:
> se. 172800 IN NS E.NS.se.
> se. 172800 IN NS C.NS.se.
> se. 172800 IN NS H.NS.se.
> se. 172800 IN NS I.NS.se.
> se. 172800 IN NS F.NS.se.
> se. 172800 IN NS D.NS.se.
> se. 172800 IN NS A.NS.se.
> se. 172800 IN NS B.NS.se.
> se. 172800 IN NS G.NS.se.
> se. 172800 IN DS 6166 5 1 (
> CE2B007F6D000B064B4A82E8840C19D3D09B8F8E )
> se. 172800 IN DS 6166 5 2 (
> CD9D147E24D866412216ADA5DBCB257DAE6CF0FFEF23
> 4415D6BD1114D833F213 )
> se. 172800 IN DS 17686 5 1 (
> 9E5E81A0B71A9B6B251077F700AA730E18D712EF )
> se. 172800 IN DS 17686 5 2 (
> B78C0E213B17285C7BCC78884D81A5F09145F800C564
> 954F856140D1689153B9 )
> se. 172800 IN RRSIG DS 5 1 172800 20070612182136 (
> 20070514093105 64955 .
> UFb/xbmsSy0vioL/OcHOwlT+pbcVrJ5AkO9RSZnTG2NM
> xFr5OIHEA8PrsNzeWmtzmRoHAsD78cIHMK/SZiLMIhzO
> 0GZYYsW1RpAhsMYU6238ZdTvWam9xS//DzfvczR4Ndnh
> vAsD3Wxv30tOsdkWKb4grc8UyG3PCC/iQPe1F12hEYzU
> gnyEf9/N2CIKha7tsvxm+7hE7MeQs1qRlHVLMH0YxM17
> tewyMde8Y4dNlQ/nJjkV6cF94Djc9fMo0KHMC+cl6k5s
> u9cGD7P2Pgb19y2Q2PMwD+nG3Odw0YCHkOmMRrvAke1Q
> 9+P8bG7SVYx+OF/2hW80M+haS5mrSv2GSg== )
> ;; ADDITIONAL SECTION:
> F.NS.se. 172800 IN AAAA 2a01:280:1:53::53
> F.NS.se. 172800 IN A 192.71.53.53
> A.NS.se. 172800 IN A 192.36.144.107
> A.NS.se. 172800 IN AAAA 2001:698:9:301::53
> B.NS.se. 172800 IN A 192.36.133.107
> C.NS.se. 172800 IN A 192.36.135.107
> G.NS.se. 172800 IN A 130.239.5.114
> G.NS.se. 172800 IN AAAA 2001:6b0:e:3::1
> H.NS.se. 172800 IN A 199.7.49.30
> D.NS.se. 172800 IN A 81.228.8.16
> E.NS.se. 172800 IN A 81.228.10.57
> I.NS.se. 172800 IN A 194.146.106.22
>
> ;; Query time: 4 msec
> ;; SERVER: 2001:4bd8::1053#53(2001:4bd8::1053)
> ;; WHEN: Wed May 16 18:08:21 2007
> ;; MSG SIZE rcvd: 861
>
> All we can get is a signed DS-record, and have to check the trust chain
> ourself.
>
> If we limit the DNS size to 512 bytes, the results are frustrating: Every
> possible response is truncated, because the RRSIG is too long.
>
>
> On contrary it is possible to get signed data in other sections:
>
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;iks-jena.de. IN MX
>
> ;; ANSWER SECTION:
> iks-jena.de. 57600 IN MX 10 excalibur.iks-jena.de.
> iks-jena.de. 57600 IN MX 20 avalon.iks-jena.de.
> iks-jena.de. 57600 IN RRSIG MX 5 2 57600 20070612215343 (
> 20070513224243 39332 iks-jena.de.
> bkWZimQOFyoBbNV7yp4pQjUqLg4NHIZehYIkvRjT5xxB
> 9Znu5+T14DlDmpyCuR9LjVNm+0QLFFR1SE3QhD8olCBJ
> G062ecWlDHQfqQ4JlJyhY1z+ylTB/zsJuryMbD5366zJ
> CokfACgU1gM4GiadWKSSX6g4gCYcYt9v+Vk0zTk= )
> ;; AUTHORITY SECTION:
> iks-jena.de. 57600 IN NS euro-ns2.cw.net.
> iks-jena.de. 57600 IN NS jengate.thur.de.
> iks-jena.de. 57600 IN NS avalon.iks-jena.de.
> iks-jena.de. 57600 IN NS euro-ns3.cw.net.
> iks-jena.de. 57600 IN NS euro-ns1.cw.net.
> iks-jena.de. 57600 IN RRSIG NS 5 2 57600 20070612210145 (
> 20070513224243 39332 iks-jena.de.
> hx4uY4j9euW9G15GQUryHGPSRiGDulCgNLySaeMFpGIK
> Dk/ib+hWB1rBqub/PxIb4Oad4nucl6Nty+s6149U/q8R
> Ahggb9dUWKOU0qGucnwVAQPRsQmz+gmw8B+xTuzZk2jH
> VtzfWER0ESCelWgvvOeUSW3K29o3BNli118XZP8= )
> ;; ADDITIONAL SECTION:
> excalibur.iks-jena.de. 57600 IN A 217.17.192.67
> excalibur.iks-jena.de. 57600 IN AAAA 2001:4bd8::17
> avalon.iks-jena.de. 57600 IN A 217.17.192.66
> excalibur.iks-jena.de. 57600 IN RRSIG A 5 3 57600 20070612211000 (
> 20070513224243 39332 iks-jena.de.
> j9Ng5m6L6GZr9aBoKLn+NlvAss7fp9AeziY88Gl1zbxh
> YpYl0GxU7UAJgcgYJ2Ybtvw/VTWvEidcrwrA6rQ67+iB
> xGlu5wzQbiIDMZwjnM48ValG5cBKvyyDC+xcPSwObYR+
> lStq2qMbEUzjAiitaSyCHmc81pK5LtxXCzXzM9Q= )
> excalibur.iks-jena.de. 57600 IN RRSIG AAAA 5 3 57600 20070612212708 (
> 20070513224243 39332 iks-jena.de.
> DlJQ1fN3cdP+k6OHZyRgJEi1SOSNGFIE5VS3x6bDxNE+
> t9bNssB92VTeZkiR3Fm6aoobcCL8raqW+AlNVxginAgn
> G604Vj9y7N4DYmtSMVZxuVU/CsfEEXY7oVh1jp0DICMn
> DJ1p96eu9SBwwZkx3VAm4IdfFzVnOPSMZ2qDMlM= )
> avalon.iks-jena.de. 57600 IN RRSIG A 5 3 57600 20070612214645 (
> 20070513224243 39332 iks-jena.de.
> S1V47+lLd0P0NEyTLQFLOpShZBjjaTSgzx5+a2+WaipS
> U1mXhMKjihz1tQf5tH5kYDxtrQUO3p2XAbcWzZ/aK9JD
> i2tfxkAi+geUJYW03XW+CWS/8YIzHS7c6ba0tnQ6Lk9o
> w28gDHCsrwyMi20Z2GkigXPAsh2ZWLVzn3OpD8Y= )
> ;; Query time: 20 msec
> ;; SERVER: 217.17.192.34#53(217.17.192.34)
> ;; WHEN: Wed May 16 18:13:42 2007
> ;; MSG SIZE rcvd: 1120
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.oarci.net
> http://lists.oarci.net/mailman/listinfo/dns-operations
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
More information about the dns-operations
mailing list