[dns-operations] Problems resolving .gov using DLV

Paul Vixie vixie at isc.org
Wed Mar 18 03:28:02 UTC 2009


> [vixie]
> > in that case this isn't a DLV spec oversight, but rather a parallel bug in
> > the two independent DLV implementations (BIND and UnBound).

[sinatra]
> If this is an implementation issue in both bind and unbound, is it possible
> that it might not just be an issue with their dlv implementation?

yes.

> For example, what if I have a DS record in a parent zone that points to a
> key with an unsupported algorithm in a child zone? Will I treat a query
> within the child zone as insecure or as a validation failure?

as insecure.  that's how RFC 4035 is written, and both BIND and UnBound do
the right thing.

> My gut feeling is that once bind or unbound get the DS record from the DLV,
> they then act as if the DS record came from a trusted parent.  It should be
> the same bits of code that take it from there...(but I haven't checked this
> part of the code yet).

it should be, but isn't.  a separate "if alg is unknown treat as unsigned"
test was needed in BIND for the DLV case, and it was not present.  i'm making
the wild assumption that UnBound has the same flaw since it behaved similarly.

> At any rate, this is a testable hypothesis, and I will test it this evening
> if someone else doesn't beat me to it.

thanks for all your bleeding-edge testing on this.

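To make the point of the exchange concrete, here is an added illustration (not BIND or Unbound code, and not part of the original message) of where the RFC 4035 section 5.2 rule has to sit: when an authenticated DS RRset contains no DS the validator can actually use (both key algorithm and digest type supported), the child is treated as insecure rather than bogus. A DLV record carries the same data as a DS, so the decision logic should be shared; the `unknown_alg_rule=False` switch reproduces a path that skips that check and falls through to a validation failure. The supported-algorithm tables, zone name and key bytes are constructed assumptions for the example.

```python
"""Toy DNSSEC delegation check: parent DS and DLV-derived DS share one decision.

Added example, not code from BIND or Unbound.  Algorithm tables, names and
keys are constructed for illustration only.
"""
import hashlib
import struct
from dataclasses import dataclass
from enum import Enum

# Assumed capabilities of this toy validator (not any real product's list).
SUPPORTED_KEY_ALGS = {8, 13}                       # RSASHA256, ECDSAP256SHA256
SUPPORTED_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    algorithm: int
    public_key: bytes
    protocol: int = 3

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

    def key_tag(self) -> int:
        # RFC 4034 Appendix B key tag (all algorithms except 1).
        acc = 0
        for i, b in enumerate(self.rdata()):
            acc += b if i & 1 else b << 8
        acc += (acc >> 16) & 0xFFFF
        return acc & 0xFFFF


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


class Result(Enum):
    SECURE = "secure"      # a usable DS matched a DNSKEY whose algorithm we implement
    INSECURE = "insecure"  # no usable DS: child is treated as unsigned
    BOGUS = "bogus"        # validation failed: the resolver would SERVFAIL


def wire_name(name: str) -> bytes:
    """Canonical (lower-case, uncompressed) wire form of an owner name."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def make_ds(owner: str, key: DNSKEY, digest_type: int) -> DS:
    """Build the DS a parent zone (or a DLV registry) would publish for `key`."""
    digest = SUPPORTED_DIGESTS[digest_type](wire_name(owner) + key.rdata()).digest()
    return DS(key.key_tag(), key.algorithm, digest_type, digest)


def ds_usable(ds: DS) -> bool:
    """RFC 4035 5.2 / RFC 6840 5.2: both the key algorithm and digest type must be supported."""
    return ds.algorithm in SUPPORTED_KEY_ALGS and ds.digest_type in SUPPORTED_DIGESTS


def ds_matches(owner: str, ds: DS, key: DNSKEY) -> bool:
    if ds.digest_type not in SUPPORTED_DIGESTS:
        return False  # cannot even recompute the digest
    if ds.key_tag != key.key_tag() or ds.algorithm != key.algorithm:
        return False
    return make_ds(owner, key, ds.digest_type).digest == ds.digest


def validate_delegation(owner: str, ds_rrset, dnskeys, unknown_alg_rule: bool = True) -> Result:
    """Decide the child's status from an authenticated DS set (parent or DLV).

    With unknown_alg_rule=False the 'no usable DS means insecure' test is
    skipped, so a zone keyed with an algorithm we do not implement falls
    through to a failed validation instead of an insecure answer.
    """
    if unknown_alg_rule and not any(ds_usable(ds) for ds in ds_rrset):
        return Result.INSECURE
    for ds in ds_rrset:
        for key in dnskeys:
            # The DNSKEY RRSIG can only be verified with an algorithm we implement.
            if ds_matches(owner, ds, key) and key.algorithm in SUPPORTED_KEY_ALGS:
                return Result.SECURE
    return Result.BOGUS


# Constructed sample data (not real zone keys).
ZONE = "child.example."
KEY_OK = DNSKEY(flags=257, algorithm=8, public_key=b"\x03\x01\x00\x01" + b"\xa5" * 64)
KEY_PRIVATE = DNSKEY(flags=257, algorithm=253, public_key=b"\x10" + b"\x5a" * 32)  # PRIVATEDNS

DS_OK = [make_ds(ZONE, KEY_OK, 2)]
DS_UNSUPPORTED = [make_ds(ZONE, KEY_PRIVATE, 2)]

if __name__ == "__main__":
    print("supported alg, rule applied :", validate_delegation(ZONE, DS_OK, [KEY_OK]).value)
    print("unsupported alg, rule applied:", validate_delegation(ZONE, DS_UNSUPPORTED, [KEY_PRIVATE]).value)
    print("unsupported alg, rule skipped:", validate_delegation(ZONE, DS_UNSUPPORTED, [KEY_PRIVATE], False).value)
```

The third case is the behaviour the thread is about: the same DS data yields "insecure" when the rule is applied and "bogus" when it is skipped, which is why a DLV code path that reuses the DNSKEY-matching code but not the usability test misbehaves for zones signed with an algorithm the validator lacks.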

