[dns-operations] Problems resolving .gov using DLV
Olafur Gudmundsson
ogud at ogud.com
Wed Mar 18 00:09:23 UTC 2009
At 18:50 17/03/2009, Michael Sinatra wrote:
>On 3/17/09 2:44 PM, Paul Vixie wrote:
>>At 12:18 +0100 3/17/09, Florian Weimer wrote:
>>>And 5.2 trumps 5.5? I wouldn't count on that. RFC 4033 lists the
--->OG
Yes, in this case 5.2 trumps 5.5, as it is a test that should be
performed before the tests in 5.5.
>>Date: Tue, 17 Mar 2009 08:34:10 -0400
>>From: Edward Lewis <Ed.Lewis at neustar.biz>
>>>The intent has always been that if a user cannot understand the algorithm,
>>>the user ignores the algorithm's presence. If, for all algorithms in the
>>>DS set none are understood, the zone is unsigned (in the eye of the user).
>>in that case this isn't a DLV spec oversight, but rather a parallel bug in
>>the two independent DLV implementations (BIND and UnBound).
>
>If this is an implementation issue in both bind and unbound, is it
>possible that it might not just be an issue with their dlv
>implementation? For example, what if I have a DS record in a parent
>zone that points to a key with an unsupported algorithm in a child
>zone? Will I treat a query within the child zone as insecure or as
>a validation failure?
>
>My gut feeling is that once bind or unbound get the DS record from
>the DLV, they then act as if the DS record came from a trusted
>parent. It should be the same bits of code that take it from
>there...(but I haven't checked this part of the code yet).
>
>At any rate, this is a testable hypothesis, and I will test it this
>evening if someone else doesn't beat me to it.
--->OG
If your theory were correct, then we should have seen this as soon as
org.br. was signed, unless no one is checking the signed domains in org.br.
This smells like a DLV bug.
Olafur
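The rule Ed Lewis states in the quoted text (a DS set in which the validator understands none of the algorithms leaves the child zone unsigned in the validator's eyes, not bogus; RFC 4035 section 5.2) is shown below as an added Python example. It is not code from BIND, Unbound, or anyone on this thread. The DS field layout, key tag computation and digest construction follow RFC 4034; the algorithm and digest type numbers are IANA registry values; the "supported" sets, the DNSKEY bytes and the function names are constructed for this example, and treating an unsupported digest type like an unsupported algorithm is a design choice of the example, not a claim about any implementation.

```python
import hashlib
import struct
from dataclasses import dataclass

# Constructed validator capabilities for the example (not any real resolver's).
SUPPORTED_ALGORITHMS = {5, 7}        # RSASHA1, RSASHA1-NSEC3-SHA1
SUPPORTED_DIGEST_TYPES = {1, 2}      # SHA-1, SHA-256

DIGEST_FUNCTIONS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # hex


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags(16) | protocol(8) | algorithm(8) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if (i & 1) else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, rdata: bytes, digest_type: int) -> DS:
    """Build the DS that a parent (or a DLV registry) would publish for this key."""
    algorithm = rdata[3]
    digest = DIGEST_FUNCTIONS[digest_type](owner_wire(owner) + rdata).hexdigest()
    return DS(key_tag(rdata), algorithm, digest_type, digest)


def ds_matches_dnskey(ds: DS, owner: str, rdata: bytes) -> bool:
    """True if this DS authenticates this DNSKEY (tag, algorithm and digest agree)."""
    if ds.digest_type not in DIGEST_FUNCTIONS:
        return False
    expected = DIGEST_FUNCTIONS[ds.digest_type](owner_wire(owner) + rdata).hexdigest()
    return (ds.key_tag == key_tag(rdata)
            and ds.algorithm == rdata[3]
            and ds.digest == expected)


def usable_ds(ds_set, algorithms=SUPPORTED_ALGORITHMS, digest_types=SUPPORTED_DIGEST_TYPES):
    """DS records this validator can actually use; the rest are ignored, not failed."""
    return [ds for ds in ds_set
            if ds.algorithm in algorithms and ds.digest_type in digest_types]


def classify_delegation(ds_set, algorithms=SUPPORTED_ALGORITHMS,
                        digest_types=SUPPORTED_DIGEST_TYPES) -> str:
    """RFC 4035 5.2: no usable DS means no supported authentication path, so the
    child is treated as insecure (as if NSEC proved no DS exists), never as bogus.
    The origin of the DS set (parent zone or DLV) must not change this outcome."""
    return "secure-path" if usable_ds(ds_set, algorithms, digest_types) else "insecure"


# Constructed DNSKEYs for the example (random-looking bytes, not real keys).
KEY_ALG8 = dnskey_rdata(257, 3, 8, bytes(range(64)))          # RSASHA256, unsupported above
KEY_ALG5 = dnskey_rdata(257, 3, 5, bytes(range(64, 128)))     # RSASHA1, supported above

if __name__ == "__main__":
    only_unknown = [make_ds("example.", KEY_ALG8, 2)]
    mixed = only_unknown + [make_ds("example.", KEY_ALG5, 2)]
    print(classify_delegation(only_unknown))   # insecure, not a validation failure
    print(classify_delegation(mixed))          # secure-path, using only the alg-5 DS
```

The point the thread turns on is the last function: a validator that reaches a DS set it cannot use at all must fall into the "insecure" branch whether the DS came from the parent or from a DLV lookup, and a bug that reports bogus here is a bug in that shared decision, not in the DS digest check itself.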