[dns-operations] Problems resolving .gov using DLV

Ondřej Surý ondrej.sury at nic.cz
Tue Mar 17 11:07:28 UTC 2009


On Tue, Mar 17, 2009 at 11:38 AM, Florian Weimer <fw at deneb.enyo.de> wrote:

> * Keith Mitchell:
> > Thanks Michael for flagging this up. When specing DLV the possibility
> > that a TLD submitting trust anchors to DLV might use only NSEC3 for
> > signing it, when many servers out there do not support NSEC3, was
> > clearly overlooked.
> I don't think it's a DLV issue.  It's required by RFC 4035:
> | 5.5.  Resolver Behavior When Signatures Do Not Validate
> |
> |    If for whatever reason none of the RRSIGs can be validated, the
> |    response SHOULD be considered BAD.  If the validation was being done
> |    to service a recursive query, the name server MUST return RCODE 2 to
> |    the originating client.  However, it MUST return the full response if
> |    and only if the original query had the CD bit set.  Also see Section
> |    4.7 on caching responses that do not validate.


See 5.2:

   If the validator does not support any of the algorithms listed in an
   authenticated DS RRset, then the resolver has no supported
   authentication path leading from the parent to the child.  The
   resolver should treat this case as it would the case of an
   authenticated NSEC RRset proving that no DS RRset exists, as
   described above.

> It's a rather philosophical question if this is the correct thing to
> do.  If you think that DNSSEC is just some protocol to resolve DNS
> cache poisoning on the public Internet, this section is clearly wrong.
> You should treat this situation as an insecure delegation.
> If you think that DNSSEC serves as some sort of hierarchical
> cryptographic key distribution framework, section 5.5 cleary makes a
> lot of sense.
> There is a simple test to tell your preference: Suppose your resolver
> has a defect which sometimes validates incorrect DSA signatures.
> Would you switch of DNSSEC validation as a workaround?
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

Ondrej Sury
technicky reditel/Chief Technical Officer
CZ.NIC, z.s.p.o.  --  .cz domain registry
Americka 23,120 00 Praha 2,Czech Republic
mailto:ondrej.sury at nic.cz  http://nic.cz/
sip:ondrej.sury at nic.cz <sip%3Aondrej.sury at nic.cz> tel:+420.222745110
mob:+420.739013699     fax:+420.222745112
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20090317/e0cfb8a4/attachment.html>

More information about the dns-operations mailing list