[dns-operations] FW: IANA testbed problem
Richard Lamb
richard.lamb at icann.org
Fri Apr 9 00:18:34 UTC 2010
FYI.
Thanks to Eric and George for checking up on me. By no means do I claim perfection but I am glad nothing was wrong.
-Rick
-----Original Message-----
From: Eric Osterweil [mailto:eoster at CS.UCLA.EDU]
Sent: Thursday, April 08, 2010 10:21 AM
To: Richard Lamb
Cc: George Barwood
Subject: Re: [dns-operations] IANA testbed problem
Hey Rick!
Argh, my apologies.
I seem to have misunderstood the OP; I had thought the comment was that the iana servers were returning DS information for their own zone. I should have checked before quoting scripture (mea culpa).
The auth zone seems to be responding properly as it is returning no data. While I cannot seem to elicit a DNSSEC response, the poDNS response (no data) does seem to be proper, by my reading of 4035.
Eric
On Apr 8, 2010, at 9:21 AM, Richard Lamb wrote:
> Thank you George and Eric.
>
> You are not being stupid. And I don't pretend to have any special
> experience here other than the marks on my face from discovering my
> mistakes by bumping into walls. I do remember having to make
> ns.iana.org authoritative for iana.org as well to make the priming
> queries work. I think that's why a "dig ds iana.org @ns.iana.org"
> returns itself.
>
> So, Eric: is ns.iana.org doing the right thing given 4035/2.4 and
> 4035/3.1.4.1, since it is returning "no data"?
>
> Any help would be appreciated.
>
> Thanks,
> -Rick
>
>>>
>>> should (I think) be a referral to the org servers, since the DS RRset
>>> is served by the parent zone.
>>> However, the actual response is an authoritative NoData response,
>>>
>>> iana.org. 3600 IN SOA dns1.icann.org.
>>> hostmaster.icann
>>>
>>> i.e. it is coming from the iana.org zone rather than the root zone.
>>>
>>> Am I being stupid, or is this a bug?
>>
>> afaict, you seem to be right:
>>
>> RFC 4035:
>> 2.4. Including DS RRs in a Zone
>> ...
>> DS RRsets MUST NOT appear at a zone's apex
>>
>> As for the referral:
>>
>> RFC 4035:
>> 3.1.4.1. Responding to Queries for DS RRs ...
>> the name server MUST return an authoritative "no data" response
>> showing that the DS RRset does not exist in the child zone's apex.
>> Eric
>>
>>>
>>> It can lead to authentication errors if the org zone has not yet
>>> been discovered
>>> by the resolver, e.g. if the first query is for ns.iana.org
>>>
>>> George
>>> _______________________________________________
>>> dns-operations mailing list
>>> dns-operations at lists.dns-oarc.net
>>> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
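As an added illustration (not code from the thread, from ICANN or from IANA), here is a small Python check of the RFC 4035 section 3.1.4.1 behaviour George and Eric discuss: it parses a wire-format response to a DS query and tells an authoritative "no data" answer from the child apex apart from a referral to the parent. The two responses are constructed inline with placeholder rdata, so nothing is sent over the network.

```python
import struct

TYPE_DS, TYPE_SOA, TYPE_NS = 43, 6, 2

def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(struct.pack("B", len(l)) + l.encode() for l in labels) + b"\x00"

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) owner name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length

def walk_rrs(msg, off, count):
    """Skip `count` resource records at `off`; return (new offset, set of RR types)."""
    types = set()
    for _ in range(count):
        off = skip_name(msg, off)
        rtype, rdlen = struct.unpack("!HxxxxxxH", msg[off:off + 10])  # type, class+ttl, rdlength
        types.add(rtype)
        off += 10 + rdlen
    return off, types

def build_response(qname, aa, auth_rr_type, auth_owner):
    """Constructed NOERROR response: empty answer, one authority RR with placeholder rdata."""
    flags = 0x8000 | (0x0400 if aa else 0)  # QR set; AA only for the authoritative case
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 1, 0)
    question = encode_name(qname) + struct.pack("!HH", TYPE_DS, 1)
    authority = auth_owner + struct.pack("!HHIH", auth_rr_type, 1, 3600, 4) + b"\x00" * 4
    return header + question + authority

def classify_ds_response(msg):
    """Classify a DS-query response: 'authoritative-nodata' (RFC 4035 3.1.4.1), 'referral' or 'other'."""
    _id, flags, qd, an, ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    aa, rcode = bool(flags & 0x0400), flags & 0x000F
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    off, _ = walk_rrs(msg, off, an)
    _, auth_types = walk_rrs(msg, off, ns)
    if aa and rcode == 0 and an == 0 and TYPE_SOA in auth_types:
        return "authoritative-nodata"  # what a child apex server is required to return
    if not aa and rcode == 0 and an == 0 and TYPE_NS in auth_types:
        return "referral"  # what George expected to see
    return "other"
```

The authoritative case uses a compression pointer (`\xc0\x0c`) as the SOA owner name, which exercises the pointer branch of `skip_name` the way a real server's response would.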