[dns-operations] Problems resolving .gov using DLV

Jelte Jansen jelte at NLnetLabs.nl
Wed Mar 18 09:45:27 UTC 2009

Stephane Bortzmeyer wrote:
> On Tue, Mar 17, 2009 at 10:45:12AM -0700,
>  Michael Sinatra <michael at rancid.berkeley.edu> wrote 
>  a message of 25 lines which said:
>> I haven't tested unbound, but Stephane's comments indicate that it
>> has a similar problem.
> Difficult to say since ".gov" is no longer in DLV but I notice a
> mistake I made in my tests so ignore reports about Unbound, I'll test
> again.

Wouter tells me that he can indeed not reproduce the problem with unbound.
Please let us know if you do see it.

For one thing, Unbound has NSEC3 support since 1.0.

Secondly, his own tests indicate that Unbound does the right thing with unknown
algorithms in DLV. Although it does query the DNSKEY of the target domain before
realizing that the pseudo DS keys are of no use to it and becomes insecure. So
we don't do the test Paul talked about, but do catch this case later.

So it shouldn't have a problem with unknown algorithms in DLV. But that's not
the only case where this might go wrong; what about manually configured trust
anchors (including those updated with 5011) and (i)tar(s)? Currently that will
result in bogus, which I personally think should not. This would not be a
problem at the moment since all algorithms are currently supported. But it might
in the future if my rsasha2 draft ever gets published ;)
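The distinction discussed above (a DS or trust anchor whose algorithm the validator does not implement should make the delegation insecure, not bogus) is the rule in RFC 4035 section 5.2. The following is an added illustration, not Unbound's code: it builds DS records from DNSKEY RDATA per RFC 4034 and classifies a delegation. The supported-algorithm set, the owner name and the key bytes are constructed for the example, and RRSIG verification over the DNSKEY RRset is left out.

```python
import hashlib
import struct

# Assumed for this illustration: a validator that only implements RSA/SHA-1 (5)
# and RSASHA1-NSEC3-SHA1 (7), with SHA-1 (1) and SHA-256 (2) DS digests.
# RSA/SHA-256 (8, from the rsasha2 draft) is therefore "unknown" to it.
SUPPORTED_ALGS = {5, 7}
SUPPORTED_DIGESTS = {1, 2}

def name_to_wire(name):
    """Canonical (lowercase) wire form of an owner name, RFC 4034 section 6.2."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags, protocol, alg, pubkey):
    """DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), public key."""
    return struct.pack("!HBB", flags, protocol, alg) + pubkey

def key_tag(rdata):
    """Key tag over DNSKEY RDATA, RFC 4034 appendix B."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner, rdata, digest_type):
    """DS digest = hash(canonical owner name | DNSKEY RDATA), RFC 4034 section 5.1.4."""
    h = hashlib.sha1 if digest_type == 1 else hashlib.sha256
    return h(name_to_wire(owner) + rdata).digest()

def classify(owner, ds_set, dnskeys):
    """ds_set: list of (key_tag, algorithm, digest_type, digest) tuples;
    dnskeys: list of DNSKEY RDATA bytes. Returns 'secure', 'insecure' or 'bogus'."""
    usable = [ds for ds in ds_set
              if ds[1] in SUPPORTED_ALGS and ds[2] in SUPPORTED_DIGESTS]
    if not usable:
        # No DS uses an algorithm/digest we implement: treat the child as unsigned.
        return "insecure"
    for tag, alg, dtype, digest in usable:
        for rd in dnskeys:
            # rd[3] is the algorithm octet of the DNSKEY RDATA
            if rd[3] == alg and key_tag(rd) == tag and ds_digest(owner, rd, dtype) == digest:
                return "secure"  # a real validator now checks the DNSKEY RRSIG
    # A DS we could have verified matched no DNSKEY at all.
    return "bogus"
```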
