[dns-operations] Problems resolving .gov using DLV

Florian Weimer fw at deneb.enyo.de
Tue Mar 17 10:38:56 UTC 2009

* Keith Mitchell:

> Thanks Michael for flagging this up. When specing DLV the possibility
> that a TLD submitting trust anchors to DLV might use only NSEC3 for
> signing it, when many servers out there do not support NSEC3, was
> clearly overlooked.

I don't think it's a DLV issue.  It's required by RFC 4035:

| 5.5.  Resolver Behavior When Signatures Do Not Validate
|    If for whatever reason none of the RRSIGs can be validated, the
|    response SHOULD be considered BAD.  If the validation was being done
|    to service a recursive query, the name server MUST return RCODE 2 to
|    the originating client.  However, it MUST return the full response if
|    and only if the original query had the CD bit set.  Also see Section
|    4.7 on caching responses that do not validate.

It's a rather philosophical question whether this is the correct thing to
do.  If you think that DNSSEC is just some protocol to resolve DNS
cache poisoning on the public Internet, this section is clearly wrong.
You should treat this situation as an insecure delegation.

If you think that DNSSEC serves as some sort of hierarchical
cryptographic key distribution framework, section 5.5 clearly makes a
lot of sense.

There is a simple test to tell your preference: Suppose your resolver
has a defect which sometimes validates incorrect DSA signatures.
Would you switch off DNSSEC validation as a workaround?
