[dns-operations] Reporting glue as authoritative data -- Bug!

Edward Lewis Ed.Lewis at neustar.biz
Wed Jan 30 14:46:52 UTC 2008

At 22:16 +0000 1/29/08, Lutz Donnerhacke wrote:

>I have the problem in the other direction. The response of glue as
>legitimate answers is not accepted by my resolver (DNSSEC validation on).
>The reason to ask here is a report from a friend whose resolver assumed the
>answer to be complete and therefore was unable to resolve his own domain.

Sitting in my chair right now, I think that a properly implemented 
DNSSEC validator could deal with this message successfully and 
eventually get to the answer.  I say this because I know of short 
cuts DNSSEC validators take today that make DNSSEC fail when it could 
succeed (in verifying an answer).  Removing short cuts means more 
work though.

A lot more work would be needed to see if I'm right and I'd owe that. 
But now I don't have time.  So, in its place, here are some comments 
leading towards what I am thinking.

There are two ways to analyze a DNS response. One is bottom up and 
the other is top down.  Bottom up means that I search towards the 
answer, trying to get to the most RFC2181 trustworthy answer that is 
useful and then working back to the top to do verification.  Top down 
means descending from a known anchor and stepping towards the answer 
taking only "careful" steps.  A two-phase validator would try 
bottom-up first, then top-down second if bottom-up fails.  Bottom-up 
is optimistic.

Another angle is to combine trustworthiness and "has a signature."  A 
validator/resolver ought to know when to stop seeking an answer to 
verify.  A hybrid answer both ranks low on trustworthiness (as it is 
from a cache) and has no signature.  Having no signature would only 
be detected as a problem if the validator established (top-down) that 
the answer was supposed to have a signature.  But the hybrid answer 
can be used to look for something of higher trustworthiness and 
presumably with the needed signature.

So what I am thinking is that a resolver would get the hybrid 
response and see that it fails validation.  The resolver should be 
smart enough to know that it is not done looking, it can track down 
the authoritative servers for one - especially if the validation 
failure was due to the lack of the signature.  (The resolver might 
assume that the cache stripped the DNSSEC stuff {which it *did* btw} 
and go looking for a better answer.)

This is akin to the wimpiness of DNSSEC code that gives up on the 
first response to a query.  If a man in the middle inserts an answer, 
DNSSEC claims success if it prevents the resolver from believing it. 
But DNSSEC has not gone the extra step of delivering the authentic 
response, which it could if it just kept listening.

If we are going to extend the DNS, we ought to extend it right.

Edward Lewis                                                +1-571-434-5468

Think glocally.  Act confused.
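The recovery strategy sketched in the message above (a validator that treats a missing signature on a name it knows should be signed as a reason to go and query the authoritative servers, rather than as a reason to give up) and the "keep listening past a forged answer" point at the end are both simulated below. This is an added example, not code from the list post or from any resolver implementation. Everything in it is constructed: the zone "example." is assumed signed and its key already trusted (standing in for a DS chain walked top-down from a trust anchor), HMAC-SHA256 over a canonical RRset stands in for real RRSIG verification, and the three toy servers (a cache that reports glue in the answer section with the DNSSEC data stripped, a forged answer with a bad signature, and the zone's authoritative server) are invented for the demonstration.

```python
"""Added simulation of a persistent vs. a give-up-first DNSSEC validator.

Constructed example data; not real DNSSEC crypto and not from the original
message. HMAC-SHA256 stands in for RRSIG verification.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Assumed: the validator already trusts this zone key (models a DS chain
# established top-down from a trust anchor). Constructed value.
ZONE_KEYS = {"example.": b"example-zone-key-constructed"}


@dataclass(frozen=True)
class RRset:
    name: str
    rtype: str
    rdata: tuple
    rrsig: Optional[bytes] = None  # None: no RRSIG accompanied this RRset


@dataclass(frozen=True)
class Response:
    answer: RRset
    aa: bool      # authoritative-answer flag
    source: str   # which toy server produced it


def canonical(rrset: RRset) -> bytes:
    """Canonical wire-ish form of the RRset that the stand-in signature covers."""
    return f"{rrset.name} {rrset.rtype} {' '.join(sorted(rrset.rdata))}".encode()


def sign(rrset: RRset, zone: str) -> RRset:
    """Attach a stand-in RRSIG (HMAC) computed with the zone's key."""
    sig = hmac.new(ZONE_KEYS[zone], canonical(rrset), hashlib.sha256).digest()
    return RRset(rrset.name, rrset.rtype, rrset.rdata, sig)


def closest_signed_zone(name: str) -> Optional[str]:
    """Top-down knowledge: nearest enclosing zone the validator knows is signed."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        zone = ".".join(labels[i:]) + "."
        if zone in ZONE_KEYS:
            return zone
    return None


def validate(rrset: RRset) -> str:
    """Classify one RRset: secure, insecure, missing-signature or bogus."""
    zone = closest_signed_zone(rrset.name)
    if zone is None:
        return "insecure"            # no signed ancestor known: nothing to verify
    if rrset.rrsig is None:
        return "missing-signature"   # should have been signed but was not
    expected = hmac.new(ZONE_KEYS[zone], canonical(rrset), hashlib.sha256).digest()
    return "secure" if hmac.compare_digest(expected, rrset.rrsig) else "bogus"


# Constructed glue record for the zone's own name server.
NS1 = RRset("ns1.example.", "A", ("192.0.2.1",))


def cache_server(qname: str, qtype: str) -> Optional[Response]:
    # The bug under discussion: glue learned from an additional section is
    # handed back in the ANSWER section, AA=0, with the DNSSEC data stripped.
    if (qname, qtype) != (NS1.name, "A"):
        return None
    return Response(NS1, aa=False, source="cache")


def forged_server(qname: str, qtype: str) -> Optional[Response]:
    # A man-in-the-middle answer: wrong address, RRSIG copied from the real RRset.
    if (qname, qtype) != (NS1.name, "A"):
        return None
    fake = RRset(NS1.name, "A", ("203.0.113.9",), sign(NS1, "example.").rrsig)
    return Response(fake, aa=True, source="forged")


def auth_server(qname: str, qtype: str) -> Optional[Response]:
    if (qname, qtype) != (NS1.name, "A"):
        return None
    return Response(sign(NS1, "example."), aa=True, source="auth")


def resolve_giving_up(qname: str, qtype: str, servers: list) -> tuple:
    """Judge the first response that arrives and stop, whatever the verdict."""
    resp = servers[0](qname, qtype)
    return validate(resp.answer), resp.source


def resolve_persistent(qname: str, qtype: str, servers: list) -> tuple:
    """Walk the sources the caller lists, least trustworthy (cache) first and
    the authoritative servers it tracked down after, and stop at the first
    answer that verifies or that legitimately needs no signature. A missing
    or bad signature is a reason to keep looking, not to give up."""
    verdict = ("no-data", None)
    for server in servers:
        resp = server(qname, qtype)
        if resp is None:
            continue
        verdict = (validate(resp.answer), resp.source)
        if verdict[0] in ("secure", "insecure"):
            return verdict
    return verdict
```

With the cache listed first, `resolve_giving_up` returns the "missing-signature" verdict from the cache and stops, which is the failure the thread describes; `resolve_persistent` reaches the authoritative server and returns a secure answer. Listing the forged source first shows the same recovery for a bad signature. In a real resolver the list of sources would come from following the NS RRset for the signed zone rather than from a hard-coded list.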
