[dns-operations] Problems resolving .gov using DLV

Michael Sinatra michael at rancid.berkeley.edu
Mon Mar 16 22:30:05 UTC 2009


On 03/16/09 14:06, Stephane Bortzmeyer wrote:
> On Mon, Mar 16, 2009 at 01:54:42PM -0700,
>  Michael Sinatra <michael at rancid.berkeley.edu> wrote 
>  a message of 38 lines which said:
> 
>> Is anyone else having problems resolving .gov using the ISC DLV?  
> 
> Same problem for me, both with BIND and Unbound.

In addition, I am hearing that people inside of .gov are having the same
problem if they use the DLV (specifically lbl.gov).

So to recap:

The DLV supports algorithms that not all caching resolvers support.
That, on the surface, seems okay.

GOV is signed with a key that DLV supports, but many caching resolvers
don't.  On the surface that's okay.  If I don't try to add .gov's trust
anchor, I just treat it as 'insecure' and move on.

The problem occurs when .gov's key gets put in the DLV.  Now my caching
resolver feels that it MUST trust this key, but it doesn't support the
algorithm.  Hence gov == SERVFAIL.

I guess the answer is for the DLV to only support algorithms that are in
wide use, or for BIND and other resolvers to treat zones whose keys exist
in the DLV but have an unsupported algorithm as if there is no key in the
DLV.

michael

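The failure mode recapped above, and the proposed fix of treating a DLV key with an unsupported algorithm as if no key were present (which mirrors what RFC 4035 section 5.2 already prescribes for DS records), modelled as an added Python example that is not part of the original mail. The algorithm numbers, the resolver's supported set and the sample DLV contents are assumptions; DS lookups along the chain are omitted.

```python
from dataclasses import dataclass
# DNSSEC algorithm numbers from the IANA registry; which of them the
# resolver implements is an assumption made for this illustration.
RSASHA1 = 5
RSASHA256 = 8
SUPPORTED_ALGS = frozenset({RSASHA1})   # assumed: no RSASHA256 support yet


@dataclass(frozen=True)
class DlvKey:
    """Constructed stand-in for one DLV record: covered zone and key algorithm."""
    zone: str
    alg: int


# Constructed sample DLV registry: gov. published with an algorithm the
# resolver lacks, example. with one it supports.
DLV_SAMPLE = (
    DlvKey("gov.", RSASHA256),
    DlvKey("example.", RSASHA1),
)


def closest_dlv_entry(name, dlv_keys):
    """Walk from `name` towards the root and return the DLV keys of the
    nearest enclosing zone that has an entry, the way a lookaside
    validator searches for a trust anchor (DS lookups omitted here)."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        keys = [k for k in dlv_keys if k.zone == candidate]
        if keys:
            return candidate, keys
    return None, []


def validation_state(name, dlv_keys, supported=SUPPORTED_ALGS,
                     ignore_unsupported=False):
    """'insecure' (no usable anchor, answer passes through unsigned),
    'secure' (an anchor with a supported algorithm exists, so signatures
    can be checked), or 'bogus' (an anchor exists but cannot be used)."""
    _, keys = closest_dlv_entry(name, dlv_keys)
    if not keys:
        return "insecure"
    if any(k.alg in supported for k in keys):
        return "secure"
    # Key found in DLV but the resolver cannot use it: current behaviour
    # is to refuse the answer; the proposal is to act as if no key exists.
    return "insecure" if ignore_unsupported else "bogus"


def resolve(name, dlv_keys, **opts):
    """Response code a stub client would see for `name`."""
    return "SERVFAIL" if validation_state(name, dlv_keys, **opts) == "bogus" else "NOERROR"
```

Run with `ignore_unsupported=True` to see lbl.gov fall back to an insecure answer instead of SERVFAIL.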