[dns-operations] darkreading article on EDU signing

Chris Thompson cet1 at cam.ac.uk
Fri Sep 11 22:54:26 UTC 2009


On Sep 11 2009, Michael Graff wrote:

>Duane Wessels wrote:
>> 
>> 
>> On Fri, 11 Sep 2009, Michael Graff wrote:
>> 
>>>> $ dig +dnssec a dns1.psc.edu
>> 
>>> Hmm, I could not reproduce this.
>> 
>> was reproducible for me querying dns1.psc.edu as above.
>
>Ahh, querying for the name server specifically did make it fail.

Exactly. You have to use something there *is* glue for.

>This isn't quite as bad as it could be.

Well, no. The world could have come to an end on 9/9/9, after all.

>                                        I believe this would happen
>with or without DLV, using DS records from the parent?

Yes, indeed. I wasn't saying that this was a problem with DLV, just
that the current DLV setup was a way of exhibiting a problem that
could become much more pervasive if there were lots of signed
children of edu. Problems caused by glue being out-of-step with the
in-zone contents are reported often enough already: hosts used as
nameservers are sometimes offering other services as well and are
looked up directly.

Correspondence with Stephane Bortzmeyer, who was unable to reproduce
the effect with unbound, reminds me that when this promotion-of-glue
effect was last discussed on bind-users, Tatuya Jinmei told us that
a future BIND version would disbelieve these "answers" from the GTLD
servers because they lacked the "aa" flag. (There *are* servers out
there which give such answers *with* the "aa" flag set, but not the
*.gtld-servers.net ones.)

But Matt Larson's reassurance posted here on behalf of Verisign is
very welcome.

-- 
Chris Thompson               University of Cambridge Computing Service,
Email: cet1 at ucs.cam.ac.uk    New Museums Site, Cambridge CB2 3QH,
Phone: +44 1223 334715       United Kingdom.
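The resolver-side check described above (disbelieving a non-"aa" "answer" that is really glue handed down by the parent) as a small added illustration, not code from the thread or from BIND: it parses a wire-format response and decides whether the answer section is authoritative data, a plain referral, or glue promoted into the answer section. The sample messages, the address 192.0.2.1 and the function names are constructed for this example.

```python
import struct

AA, TYPE_A, TYPE_NS = 0x0400, 1, 2      # "authoritative answer" flag, RR types

def read_name(buf, off):
    # Decode an owner name, following RFC 1035 compression pointers.
    labels, end = [], None
    while True:
        ln = buf[off]
        if ln & 0xC0 == 0xC0:                    # pointer: note where this name ended
            end = off + 2 if end is None else end
            off = struct.unpack_from('!H', buf, off)[0] & 0x3FFF
            continue
        if ln == 0:
            return '.'.join(labels) + '.', (off + 1 if end is None else end)
        labels.append(buf[off + 1:off + 1 + ln].decode().lower())
        off += 1 + ln

def read_rrs(buf, off, count):
    rrs = []
    for _ in range(count):
        name, off = read_name(buf, off)
        rtype, _, _, rdlen = struct.unpack_from('!HHIH', buf, off)
        rrs.append((name, rtype, buf[off + 10:off + 10 + rdlen]))
        off += 10 + rdlen
    return rrs, off

def classify_response(wire):
    _, flags, qd, an, ns, _ = struct.unpack_from('!HHHHHH', wire, 0)
    off = 12
    for _ in range(qd):                          # skip the question section
        off = read_name(wire, off)[1] + 4
    answer, off = read_rrs(wire, off, an)
    authority, _ = read_rrs(wire, off, ns)
    if flags & AA:
        return 'authoritative'
    zones = [n for n, t, _ in authority if t == TYPE_NS]
    # No AA, yet the answer owner lies inside a zone this server only delegates:
    # that "answer" is glue lifted from the referral, not the child's signed data.
    if any(a == z or a.endswith('.' + z) for a, _, _ in answer for z in zones):
        return 'promoted-glue'
    return 'referral' if zones else 'non-authoritative'

# Constructed samples for the query "dns1.psc.edu. A"; the address is made up.
Q = '04646e7331037073630365647500' + '00010001'                      # question section
GLUE_A = 'c00c' + '0001' + '0001' + '00000e10' + '0004' + 'c0000201'  # dns1.psc.edu. A 192.0.2.1
DELEG = 'c011' + '0002' + '0001' + '00000e10' + '0002' + 'c00c'       # psc.edu. NS dns1.psc.edu.
def make_response(flags, an, ns, body):
    return bytes.fromhex('1234%04x0001%04x%04x0000' % (0x8000 | flags, an, ns) + body)
PROMOTED = make_response(0, 1, 1, Q + GLUE_A + DELEG)     # glue copied into the answer, no AA
REFERRAL = make_response(0, 0, 1, Q + DELEG)              # the referral a parent should give
AUTHORITATIVE = make_response(AA, 1, 0, Q + GLUE_A)       # the same A record from the child
```

Glue in the parent carries no RRSIG, so a validator that accepted the PROMOTED message as an answer for a signed child would have nothing to validate; treating it as a referral and re-asking the child is the safe outcome.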
