[dns-operations] IANA testbed problem

Eric Osterweil eoster at cs.ucla.edu
Thu Apr 8 15:52:17 UTC 2010


On Apr 8, 2010, at 8:40 AM, George Barwood wrote:

> The IANA testbed ( https://ns.iana.org/dnssec/status.html ) seems to
> respond incorrectly to queries for DS iana.org
>
> It should act as a (test) signed root, with one of the root servers being
>
> ns.iana.org.            3600    IN      A       208.77.188.32
>
> The response to
>
>> dig ds iana.org @208.77.188.32
>
> should (I think) be a referral to the org servers, since the DS
> RRset is served by the parent zone.
> However, the actual response is an authoritative NoData response,
>
> iana.org.               3600    IN      SOA     dns1.icann.org.
> hostmaster.icann
>
> i.e. it is coming from the iana.org zone rather than the root zone.
>
> Am I being stupid, or is this a bug?

afaict, you seem to be right:

RFC 4035:
	2.4. Including DS RRs in a Zone
...
DS RRsets MUST NOT appear at a zone's apex

As for the referral:

RFC 4035:
	3.1.4.1. Responding to Queries for DS RRs
...
the name server MUST return an authoritative "no data" response
showing that the DS RRset does not exist in the child zone's apex.

Eric

>
> It can lead to authentication errors if the org zone has not yet been
> discovered by the resolver, e.g. if the first query is for ns.iana.org
>
> George
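To make the three cases of RFC 4035 section 3.1.4.1 concrete, here is an added Python model (not code from the thread or from the IANA testbed) of how an authoritative server decides which zone answers a DS query: from the parent when it hosts the parent, as an authoritative no-data from the child apex when it hosts only the child, and as a referral otherwise. The zone contents and the nameserver name `ns-org.example.` are constructed; the `TESTBED` dict stands in for a server hosting a test root and iana.org but not org.

```python
# Added example (not from the thread): models how an authoritative server
# picks the zone that answers a DS query, per RFC 4035 section 3.1.4.1 as
# quoted in the reply above. All zone data here is constructed.

def parent_of(name):
    """Parent of a fully-qualified name: 'iana.org.' -> 'org.', 'org.' -> '.'."""
    labels = name.rstrip('.').split('.')
    return '.'.join(labels[1:]) + '.' if len(labels) > 1 else '.'

def delegation_below(zone, qname):
    """Name of the zone cut directly under `zone` on the path to `qname`."""
    n = qname
    while parent_of(n) != zone:
        n = parent_of(n)
    return n

def answer_ds(qname, zones):
    """Return (kind, answering_zone, nameservers) for the query 'DS qname'.

    zones: hosted zone name -> {'ds': set of names that carry a DS record,
                                'ns': {delegated name: [nameservers]}}
    kind is 'answer', 'nodata', 'referral' or 'refused'.
    """
    parent = parent_of(qname)
    if parent in zones:
        # The DS RRset sits on the parent side of the cut, so the parent zone
        # answers authoritatively whether or not a DS exists for qname.
        has_ds = qname in zones[parent]['ds']
        return ('answer' if has_ds else 'nodata', parent, None)
    if qname in zones:
        # Authoritative for the child only: an authoritative no-data answer
        # from the child apex (SOA in the authority section), which is the
        # shape of the response George observed for DS iana.org.
        return ('nodata', qname, None)
    # Not authoritative for parent or child: refer to the closest delegation
    # we hold, walking upward until a hosted zone is found.
    n = qname
    while n != '.':
        n = parent_of(n)
        if n in zones:
            cut = delegation_below(n, qname)
            return ('referral', n, zones[n]['ns'].get(cut))
    return ('refused', None, None)

# Constructed model of the testbed: a signed test root plus iana.org, no org.
TESTBED = {
    '.': {'ds': {'org.'}, 'ns': {'org.': ['ns-org.example.']}},
    'iana.org.': {'ds': set(), 'ns': {}},
}
```

Adding an `'org.'` entry to `TESTBED` moves the `iana.org.` query into the first branch, which shows why a resolver that reaches the org servers first gets the DS while one that starts at ns.iana.org does not.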