[dns-operations] FW: IANA testbed problem

Richard Lamb richard.lamb at icann.org
Fri Apr 9 00:18:34 UTC 2010


Thanks to Eric and George for checking up on me. By no means do I claim perfection but I am glad nothing was wrong.


-----Original Message-----
From: Eric Osterweil [mailto:eoster at CS.UCLA.EDU] 
Sent: Thursday, April 08, 2010 10:21 AM
To: Richard Lamb
Cc: George Barwood
Subject: Re: [dns-operations] IANA testbed problem

Hey Rick!

Argh, my apologies.

I seem to have misunderstood the OP; I had thought the comment was that the iana servers were returning DS information for their own zone.  I should have checked before quoting scripture (mea culpa).
The auth zone seems to be responding properly as it is returning no data.  While I cannot seem to elicit a DNSSEC response, the poDNS response (no data) does seem to be proper, by my reading of 4035.


On Apr 8, 2010, at 9:21 AM, Richard Lamb wrote:

> Thank you George and Eric.
> You are not being stupid. And I don't pretend to have any special 
> experience here other than the marks on my face from discovering my 
> mistakes by bumping into walls.  I do remember having to make 
> ns.iana.org authoritative for iana.org as well to make the priming 
> queries work.  I think that's why a "dig ds iana.org @ns.iana.org"
> returns itself.
> So Eric.  Is ns.iana.org doing the right thing given 4035/2.4  and
> 4035/ since it is returning "no data".
> Any help would be appreciated.
> Thanks,
> -Rick
>>> should (I think) be a referral to the org servers, since the DS RRset
>>> is served by the parent zone.
>>> However, the actual response is an authoritative NoData response,
>>> iana.org.               3600    IN      SOA     dns1.icann.org.
>>> hostmaster.icann
>>> i.e. it is coming from the iana.org zone rather than the root zone.
>>> Am I being stupid, or is this a bug?
>> afaict, you seem to be right:
>> RFC 4035:
>> 	2.4. Including DS RRs in a Zone
>> ...
>> DS RRsets MUST NOT appear at a zone's apex
>> As for the referral:
>> RFC 4035:
>> Responding to Queries for DS RRs ...
>> the name server MUST return an authoritative "no data" response 
>> showing that the DS RRset does not exist in the child zone's apex.
>> Eric
>>> It can lead to authentication errors if the org zone has not yet
>>> been discovered
>>> by the resolver, e.g. if the first query is for ns.iana.org
>>> George
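An added example, not part of the original thread or any poster's code: a small Python check that reads dig-style text output for a DS query and reports whether an authoritative NoData came from the queried zone's own apex (SOA owner equals the query name, as in the response discussed above), from the parent zone, or was a referral. The function names and the sample responses (placeholder zone example.org, placeholder server names) are constructed for illustration.

```python
import re

def parse_dig(text):
    """Parse dig text output into flags, rcode, and (owner, type) pairs per section."""
    msg = {"flags": set(), "rcode": None, "ANSWER": [], "AUTHORITY": []}
    section = None
    for line in (l.strip() for l in text.splitlines()):
        status = re.search(r"status: (\w+)", line)
        if line.startswith(";; ->>HEADER<<-") and status:
            msg["rcode"] = status.group(1)
        elif line.startswith(";; flags:"):
            msg["flags"] = set(line.split(":", 1)[1].split(";")[0].split())
        elif line.startswith(";; ") and line.endswith("SECTION:"):
            section = line[3:].split()[0]
        elif line and not line.startswith(";") and section in ("ANSWER", "AUTHORITY"):
            owner, _ttl, _cls, rtype = line.split()[:4]
            msg[section].append((owner.lower(), rtype))
    return msg

def classify_ds_response(text, qname):
    """Say which zone answered a DS query, judged by the AA flag and the SOA owner."""
    msg = parse_dig(text)
    qname = qname.lower().rstrip(".") + "."
    aa = "aa" in msg["flags"]
    if any(o == qname and t == "DS" for o, t in msg["ANSWER"]):
        return "ds-answer"
    soa = [o for o, t in msg["AUTHORITY"] if t == "SOA"]
    if msg["rcode"] == "NOERROR" and aa and soa:
        if soa[0] == qname:
            return "nodata-from-child-apex"   # SOA owner is the queried name itself
        if soa[0] == "." or qname.endswith("." + soa[0]):
            return "nodata-from-parent"       # SOA owner is an ancestor zone
    if not aa and any(t == "NS" for _, t in msg["AUTHORITY"]):
        return "referral"
    return "other"

# Constructed dig-style responses; example.org and the server names are placeholders.
HEADER = ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1\n;; flags: {f}; QUERY: 1\n"
CHILD = HEADER.format(f="qr aa rd") + (";; AUTHORITY SECTION:\n"
    "example.org. 3600 IN SOA ns1.example.org. hostmaster.example.org. 1 7200 3600 1209600 3600\n")
PARENT = HEADER.format(f="qr aa rd") + (";; AUTHORITY SECTION:\n"
    "org. 900 IN SOA ns1.org-servers.example. hostmaster.org-servers.example. 1 1800 900 604800 86400\n")
REFERRAL = HEADER.format(f="qr rd") + (";; AUTHORITY SECTION:\n"
    "org. 172800 IN NS ns1.org-servers.example.\n")

if __name__ == "__main__":
    print([classify_ds_response(t, "example.org") for t in (CHILD, PARENT, REFERRAL)])
```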