[dns-operations] Problems resolving .gov using DLV

Michael Sinatra michael at rancid.berkeley.edu
Tue Mar 17 22:50:33 UTC 2009


On 3/17/09 2:44 PM, Paul Vixie wrote:
> At 12:18 +0100 3/17/09, Florian Weimer wrote:
>> And 5.2 trumps 5.5?  I wouldn't count on that.  RFC 4033 lists the
> 
> Date: Tue, 17 Mar 2009 08:34:10 -0400
> From: Edward Lewis <Ed.Lewis at neustar.biz>
>> The intent has always been that if a user cannot understand the algorithm,
>> the user ignores the algorithm's presence.  If, for all algorithms in the
>> DS set none are understood, the zone is unsigned (in the eye of the user).
> 
> in that case this isn't a DLV spec oversight, but rather a parallel bug in
> the two independent DLV implementations (BIND and UnBound).

If this is an implementation issue in both bind and unbound, is it 
possible that it might not just be an issue with their dlv 
implementation?  For example, what if I have a DS record in a parent 
zone that points to a key with an unsupported algorithm in a child zone? 
Will I treat a query within the child zone as insecure or as a 
validation failure?

My gut feeling is that once bind or unbound get the DS record from the 
DLV, they then act as if the DS record came from a trusted parent.  It 
should be the same bits of code that take it from there...(but I haven't 
checked this part of the code yet).

At any rate, this is a testable hypothesis, and I will test it this 
evening if someone else doesn't beat me to it.

michael
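The rule quoted from Ed Lewis above (a DS set whose algorithms are all unknown to the validator makes the delegation look unsigned) and Michael's question about how a resolver should classify such a delegation can be written down as a small decision function. The following is an added illustration, not code from this thread, from BIND or from Unbound; the DS record shape, the sets of "supported" algorithm and digest numbers, and the assumption that an empty DS set has already been proven absent by NSEC/NSEC3 are all assumptions of the example. It also models Michael's hypothesis that a DS obtained through DLV is then handled by the same logic as one obtained from a parent zone.

```python
from dataclasses import dataclass

# Example decision logic for RFC 4035 section 5.2 behaviour as described in the
# thread.  This is illustrative code, not BIND's or Unbound's implementation.


@dataclass(frozen=True)
class DS:
    """A DS record as seen by a validator (IANA DNSSEC algorithm / digest numbers)."""
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # hex digest; not checked in this example


# Assumed validator capabilities for the example: RSASHA1 (5),
# RSASHA1-NSEC3-SHA1 (7), RSASHA256 (8); digests SHA-1 (1) and SHA-256 (2).
SUPPORTED_ALGORITHMS = frozenset({5, 7, 8})
SUPPORTED_DIGESTS = frozenset({1, 2})


def usable_ds(ds_set, algorithms=SUPPORTED_ALGORITHMS, digests=SUPPORTED_DIGESTS):
    """Return only the DS records this validator could actually use to
    authenticate a DNSKEY: both the key algorithm and the digest type
    must be understood."""
    return [ds for ds in ds_set
            if ds.algorithm in algorithms and ds.digest_type in digests]


def classify_delegation(ds_set, algorithms=SUPPORTED_ALGORITHMS,
                        digests=SUPPORTED_DIGESTS):
    """Classify a delegation given its DS set.

    Returns 'insecure' when the validator must treat the child as unsigned,
    or 'validate' when at least one DS record is usable and signature
    validation must be attempted (and may then succeed or fail as bogus).

    Assumption: an empty ds_set means the absence of DS was already proven
    with NSEC/NSEC3; this example does not implement that proof.
    """
    if not ds_set:
        return "insecure"          # proven unsigned delegation
    if not usable_ds(ds_set, algorithms, digests):
        # DS records exist, but none use an algorithm/digest we understand:
        # per the thread's reading of RFC 4035 5.2 the zone is "unsigned in
        # the eye of the user", i.e. insecure, not a validation failure.
        return "insecure"
    return "validate"


def classify_dlv_delegation(dlv_ds_set, **kwargs):
    """Models Michael's hypothesis: once a DS set has been fetched from the
    DLV registry it is classified exactly as a DS set from a parent zone."""
    return classify_delegation(dlv_ds_set, **kwargs)


if __name__ == "__main__":
    # Constructed sample DS sets (key tags and digests are made up).
    only_unknown_alg = [DS(12345, 253, 2, "ab" * 32)]     # 253 = PRIVATEDNS
    mixed = [DS(12345, 253, 2, "ab" * 32), DS(54321, 8, 2, "cd" * 32)]
    print(classify_delegation(only_unknown_alg))         # insecure
    print(classify_delegation(mixed))                    # validate
    print(classify_dlv_delegation(only_unknown_alg))     # insecure
```

The interesting case is `mixed`: one unknown algorithm does not by itself make a delegation insecure, because a single usable DS record is enough to require validation. Only when every record in the set is unusable does the delegation fall back to insecure, which is the behaviour the thread expects to be shared between the parent-zone path and the DLV path.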
