[dns-operations] IANA testbed problem

Eric Osterweil eoster at cs.ucla.edu
Thu Apr 8 15:52:17 UTC 2010

On Apr 8, 2010, at 8:40 AM, George Barwood wrote:

> The IANA testbed ( https://ns.iana.org/dnssec/status.html ) seems to respond incorrectly to queries for DS iana.org
> It should act as a (test) signed root, with one of the root servers being
> ns.iana.org.            3600    IN      A
> The response to
>> dig ds iana.org @
> should (I think) be a referral to the org servers, since the DS RRset is served by the parent zone.
> However, the actual response is an authoritative NoData response,
> iana.org.               3600    IN      SOA     dns1.icann.org.  
> hostmaster.icann
> i.e. it is coming from the iana.org zone rather than the root zone.
> Am I being stupid, or is this a bug?

afaict, you seem to be right:

RFC 4035: 2.4. Including DS RRs in a Zone
	DS RRsets MUST NOT appear at a zone's apex

As for the referral:

RFC 4035: Responding to Queries for DS RRs
	the name server MUST return an authoritative "no data" response showing that the DS RRset does not exist in the child zone's apex.

> It can lead to authentication errors if the org zone has not yet been discovered by the resolver, e.g. if the first query is for ns.iana.org
> George
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
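
A check an operator could run over a parsed response to tell which side of the zone cut answered a DS query, using the owner name of the SOA in the authority section as the report above does. This is an added example, not part of the original thread: the function names and the (owner, type) tuple representation are assumptions, and the sample records in the demo are constructed.

```python
# Added example: classify the response to a DS query by which side of the
# zone cut produced it. Records are given as (owner, rrtype) tuples.

def labels(name):
    """Split a domain name into lowercase labels; the root is an empty list."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []

def is_proper_ancestor(zone, name):
    """True if zone sits strictly above name in the DNS tree."""
    z, n = labels(zone), labels(name)
    return len(z) < len(n) and n[len(n) - len(z):] == z

def classify_ds_response(qname, aa, answer, authority):
    """Classify a response to 'qname DS' from its AA bit and section contents."""
    if any(t == "DS" and labels(o) == labels(qname) for o, t in answer):
        return "ds-answer"
    soa = [o for o, t in authority if t == "SOA"]
    ns = [o for o, t in authority if t == "NS"]
    if aa and soa:
        # In a negative answer the SOA owner names the zone that generated it.
        if labels(soa[0]) == labels(qname):
            return "nodata-from-child"   # child apex answered, as in the report
        if is_proper_ancestor(soa[0], qname):
            return "nodata-from-parent"  # parent side of the cut has no DS
    if not aa and not answer and ns and is_proper_ancestor(ns[0], qname):
        # Non-authoritative, empty answer, NS set for a zone above qname.
        return "referral-to-" + (ns[0].rstrip(".").lower() or ".")
    return "unexpected"

if __name__ == "__main__":
    # Constructed samples: only owner names and types, no record data.
    samples = {
        "SOA owner equals qname": (True, [], [("iana.org.", "SOA")]),
        "NS set for org, AA clear": (False, [], [("org.", "NS")]),
        "SOA owner is the parent": (True, [], [("org.", "SOA")]),
    }
    for desc, (aa, ans, auth) in samples.items():
        print(desc, "->", classify_ds_response("iana.org.", aa, ans, auth))
```
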
