[dns-operations] Problems resolving .gov using DLV

Michael Sinatra michael at rancid.berkeley.edu
Wed Mar 18 06:31:40 UTC 2009


On 3/17/09 8:28 PM, Paul Vixie wrote:
> it should be, but isn't.  a separate "if alg is unknown treat as unsigned"
> test was needed in BIND for the DLV case, and it was not present.  i'm making
> the wild assumption that UnBound has the same flaw since it behaved similarly.
> 
>> At any rate, this is a testable hypothesis, and I will test it this evening
>> if someone else doesn't beat me to it.
> 
> thanks for all your bleeding-edge testing on this.

Yes, the testing I did confirms that BIND performs correctly when it 
encounters a DS in the parent zone that points to a key in the child 
zone whose alg is unknown: it simply treats the child zone as insecure. 
Olafur is correct in that org.br is handled (correctly) in this manner 
by BIND (thanks for the example).

Not sure what version of unbound Stephane was using; the one I have is 
1.2.1 and it supports NSEC3.  E.g. satellite.dnslab.jp resolves and 
validates correctly using the DLV.

michael
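The validator rule the thread is discussing (RFC 4035 section 5.2: a DS, or a DLV record with the same RDATA, whose algorithm or digest type the validator does not support yields no usable authentication path, so the child is treated as insecure rather than bogus) is sketched below as an added example; it is not code from the thread, BIND or Unbound, and the set of supported algorithms and digest types is an assumption for illustration.

```python
import hashlib

# Assumed validator capabilities for this example: digest types 1 and 2
# (SHA-1, SHA-256) and DNSKEY algorithms 8 and 13 (RSASHA256, ECDSAP256SHA256).
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}
SUPPORTED_ALGS = {8, 13}

def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags, algorithm, pubkey):
    """DNSKEY RDATA: flags(2) protocol(1)=3 algorithm(1) public key."""
    return flags.to_bytes(2, "big") + b"\x03" + bytes([algorithm]) + pubkey

def key_tag(rdata):
    """Key tag over DNSKEY RDATA, RFC 4034 Appendix B."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner, rdata, digest_type):
    """DS digest = H(canonical owner name || DNSKEY RDATA), RFC 4034 5.1.4."""
    return DIGESTS[digest_type](name_to_wire(owner) + rdata).digest()

def classify_delegation(child, ds_rrset, dnskeys):
    """ds_rrset: list of (key_tag, algorithm, digest_type, digest) tuples from
    the parent (a DLV record carries identical RDATA). dnskeys: list of DNSKEY
    RDATA bytes from the child apex. Returns 'secure', 'insecure' or 'bogus'."""
    usable = [ds for ds in ds_rrset
              if ds[1] in SUPPORTED_ALGS and ds[2] in DIGESTS]
    if not usable:
        # No DS we can use means no supported path from parent to child:
        # treat it exactly like a proven absence of DS (unsigned child).
        return "insecure"
    for tag, alg, dtype, digest in usable:
        for rdata in dnskeys:
            if (rdata[3] == alg and key_tag(rdata) == tag
                    and ds_digest(child, rdata, dtype) == digest):
                return "secure"
    # We had a usable DS but nothing in the child matches it: validation fails.
    return "bogus"
```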
