[dns-operations] Problems resolving .gov using DLV
Michael Sinatra
michael at rancid.berkeley.edu
Wed Mar 18 06:31:40 UTC 2009
On 3/17/09 8:28 PM, Paul Vixie wrote:
> it should be, but isn't. a separate "if alg is unknown treat as unsigned"
> test was needed in BIND for the DLV case, and it was not present. i'm making
> the wild assumption that UnBound has the same flaw since it behaved similarly.
>
>> At any rate, this is a testable hypothesis, and I will test it this evening
>> if someone else doesn't beat me to it.
>
> thanks for all your bleeding-edge testing on this.
Yes, the testing I did confirms that BIND performs correctly when it
encounters a DS in the parent zone that points to a key in the child
zone whose alg is unknown: it simply treats the child zone as insecure.
Olafur is correct in that org.br is handled (correctly) in this manner
by BIND (thanks for the example).
Not sure what version of unbound Stephane was using; the one I have is
1.2.1 and it supports NSEC3. E.g. satellite.dnslab.jp resolves and
validates correctly using the DLV.
michael
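The behaviour tested above (a DS pointing at a key whose algorithm the validator does not implement makes the child insecure rather than bogus) is the RFC 4035 section 5.2 rule, extended by RFC 6840 section 5.2 to unsupported digest types. The following is an added example, not BIND or Unbound code and not part of the thread, that shows the decision a validator has to make at a delegation point, applied to the same record shape whether the DS set came from the parent zone or from a DLV zone (DLV RDATA is identical to DS RDATA). The owner name, the two public keys, and the support table are constructed for the example; real signature verification of the child's DNSKEY RRset is out of scope.

```python
"""Delegation-point decision for a DNSSEC validator (added example).

Implements the RFC 4035 s.5.2 / RFC 6840 s.5.2 rule: if no DS (or DLV)
record in the authenticated set uses an algorithm AND digest type the
validator supports, the child is treated as INSECURE, exactly as if the
parent had proven that no DS existed. Only when a usable DS exists but
matches no DNSKEY is the child BOGUS. All names and keys are constructed.
"""
import hashlib
import struct

# Algorithm / digest numbers from the IANA DNSSEC registries.
ALG_RSASHA256 = 8
ALG_ECDSAP256SHA256 = 13
DIGEST_SHA1 = 1
DIGEST_SHA256 = 2

# Constructed support table: this toy validator implements RSA/SHA-256
# only, so ECDSA (13) plays the "unknown algorithm" role from the thread.
SUPPORTED_ALGS = {ALG_RSASHA256}
SUPPORTED_DIGESTS = {DIGEST_SHA256}
DIGEST_FUNC = {DIGEST_SHA1: hashlib.sha1, DIGEST_SHA256: hashlib.sha256}


def name_to_wire(name):
    """Canonical (lower-case) wire form of an owner name, RFC 4034 s.6.2."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags, alg, pubkey):
    """DNSKEY RDATA: flags(2) | protocol(1)=3 | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, 3, alg) + pubkey


def key_tag(rdata):
    """Key tag computed over the DNSKEY RDATA, RFC 4034 Appendix B."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_from_dnskey(owner, rdata, digest_type):
    """DS the parent (or a DLV registry) would publish for this DNSKEY."""
    digest = DIGEST_FUNC[digest_type](name_to_wire(owner) + rdata).digest()
    return (key_tag(rdata), rdata[3], digest_type, digest)


def classify_child(owner, ds_set, dnskey_set):
    """Return 'secure', 'insecure' or 'bogus' for the child zone.

    ds_set: (key_tag, alg, digest_type, digest) tuples, already
            authenticated from the parent zone or the DLV zone.
    dnskey_set: DNSKEY RDATA byte strings from the child apex.
    """
    usable = [ds for ds in ds_set
              if ds[1] in SUPPORTED_ALGS and ds[2] in SUPPORTED_DIGESTS]
    if not usable:
        # No supported authentication path from parent to child:
        # treat as if the DS RRset did not exist (insecure, not bogus).
        return "insecure"
    for tag, alg, dtype, digest in usable:
        for rdata in dnskey_set:
            if rdata[3] != alg or key_tag(rdata) != tag:
                continue
            if DIGEST_FUNC[dtype](name_to_wire(owner) + rdata).digest() == digest:
                return "secure"   # a usable DS matches a published KSK
    return "bogus"                # usable DS present, no DNSKEY matches it


def demo():
    """Four delegation scenarios on a constructed child zone."""
    owner = "example.test."
    rsa_key = dnskey_rdata(257, ALG_RSASHA256, b"\x03\x01\x00\x01" + b"\x5a" * 32)
    ecdsa_key = dnskey_rdata(257, ALG_ECDSAP256SHA256, b"\x42" * 64)
    rsa_ds = ds_from_dnskey(owner, rsa_key, DIGEST_SHA256)
    ecdsa_ds = ds_from_dnskey(owner, ecdsa_key, DIGEST_SHA256)
    rsa_ds_sha1 = ds_from_dnskey(owner, rsa_key, DIGEST_SHA1)
    return {
        "unknown_alg": classify_child(owner, [ecdsa_ds], [ecdsa_key]),
        "matching": classify_child(owner, [rsa_ds], [rsa_key]),
        "mismatch": classify_child(owner, [rsa_ds], [ecdsa_key]),
        "unknown_digest": classify_child(owner, [rsa_ds_sha1], [rsa_key]),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:15s} -> {result}")
```

The point of the separate `unknown_digest` case is that the check has to look at both fields of the DS: a validator that only tests the algorithm byte, or that only applies the test on the normal parent-DS path and not on the DLV path, will turn a zone it simply cannot verify into a resolution failure.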