[dns-operations] Problems resolving .gov using DLV

Olafur Gudmundsson ogud at ogud.com
Wed Mar 18 00:09:23 UTC 2009

At 18:50 17/03/2009, Michael Sinatra wrote:
>On 3/17/09 2:44 PM, Paul Vixie wrote:
>>At 12:18 +0100 3/17/09, Florian Weimer wrote:
>>>And 5.2 trumps 5.5?  I wouldn't count on that.  RFC 4033 lists the

Yes, in this case 5.2 trumps 5.5, as it is a test that should be
performed before the tests in 5.5.

>>Date: Tue, 17 Mar 2009 08:34:10 -0400
>>From: Edward Lewis <Ed.Lewis at neustar.biz>
>>>The intent has always been that if a user cannot understand the algorithm,
>>>the user ignores the algorithm's presence.  If, for all algorithms in the
>>>DS set none are understood, the zone is unsigned (in the eye of the user).
>>in that case this isn't a DLV spec oversight, but rather a parallel bug in
>>the two independent DLV implementations (BIND and UnBound).
>If this is an implementation issue in both bind and unbound, is it 
>possible that it might not just be an issue with their dlv 
>implementation?  For example, what if I have a DS record in a parent 
>zone that points to a key with an unsupported algorithm in a child 
>zone?  Will I treat a query within the child zone as insecure or as 
>a validation failure?
>My gut feeling is that once bind or unbound get the DS record from 
>the DLV, they then act as if the DS record came from a trusted 
>parent.  It should be the same bits of code that take it from 
>there...(but I haven't checked this part of the code yet).
>At any rate, this is a testable hypothesis, and I will test it this 
>evening if someone else doesn't beat me to it.

If your theory were correct then we should have seen this as soon as
org.br. was signed, unless no one is checking the
signed domains in org.br.

This smells like a DLV bug.
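The ordering Olafur describes (the RFC 4035 section 5.2 check on the DS RRset's algorithms runs before the section 5.5 DNSKEY/RRSIG checks), shown as an added example that is not code from this thread nor from BIND or Unbound; the algorithm and digest numbers are from the IANA DNSSEC registries, the DS records and the "skip 5.2" variant modelling the hypothesised bug are constructed for illustration:

```python
from dataclasses import dataclass

# IANA DNSSEC algorithm numbers a typical 2009-era validator understood:
# 5 RSASHA1, 7 RSASHA1-NSEC3-SHA1, 8 RSASHA256, 10 RSASHA512 (13/14 are ECDSA, added later)
SUPPORTED_ALGORITHMS = {5, 7, 8, 10, 13, 14}
# DS digest types: 1 SHA-1, 2 SHA-256, 4 SHA-384
SUPPORTED_DIGESTS = {1, 2, 4}


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # hex digest of the child DNSKEY (constructed values in the test)


def usable_ds(ds_set, algorithms=SUPPORTED_ALGORITHMS, digests=SUPPORTED_DIGESTS):
    """DS records the validator can actually use: known algorithm AND known digest type."""
    return [ds for ds in ds_set if ds.algorithm in algorithms and ds.digest_type in digests]


def classify_delegation(ds_set, algorithms=SUPPORTED_ALGORITHMS, digests=SUPPORTED_DIGESTS):
    """Security status of a child zone given the parent's already-authenticated DS RRset.

    RFC 4035 section 5.2: if none of the DS records is supported, the validator has no
    supported authentication path into the child and treats the case like an
    authenticated proof that no DS exists, i.e. the child is INSECURE (unsigned), not
    bogus. Only when a usable DS exists does validation continue to section 5.5.
    """
    if not ds_set:
        return "insecure"          # authenticated denial of DS: unsigned delegation
    if not usable_ds(ds_set, algorithms, digests):
        return "insecure"          # section 5.2: unknown algorithms, treat as unsigned
    return "secure-candidate"      # proceed to section 5.5 with the usable DS records


def classify_delegation_skipping_5_2(ds_set, algorithms=SUPPORTED_ALGORITHMS,
                                     digests=SUPPORTED_DIGESTS):
    """Constructed model of the failure mode discussed in the thread: a code path that
    goes straight to the section 5.5 key checks without the 5.2 test, so an
    unsupported-algorithm DS ends in a validation failure (SERVFAIL) instead of insecure."""
    if not ds_set:
        return "insecure"
    # 5.5 needs a DS that matches a DNSKEY; with no usable DS nothing can match.
    return "secure-candidate" if usable_ds(ds_set, algorithms, digests) else "bogus"
```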
