[dns-operations] FW: IANA testbed problem
richard.lamb at icann.org
Fri Apr 9 00:18:34 UTC 2010
Thanks to Eric and George for checking up on me. By no means do I claim perfection but I am glad nothing was wrong.
From: Eric Osterweil [mailto:eoster at CS.UCLA.EDU]
Sent: Thursday, April 08, 2010 10:21 AM
To: Richard Lamb
Cc: George Barwood
Subject: Re: [dns-operations] IANA testbed problem
Argh, my apologies.
I seem to have misunderstood the OP; I had thought the comment was that the iana servers were returning DS information for their own zone. I should have checked before quoting scripture (mea culpa).
The auth zone seems to be responding properly as it is returning no data. While I cannot seem to elicit a DNSSEC response, the poDNS response (no data) does seem to be proper, by my reading of 4035.
On Apr 8, 2010, at 9:21 AM, Richard Lamb wrote:
> Thank you George and Eric.
> You are not being stupid. And I don't pretend to have any special
> experience here other than the marks on my face from discovering my
> mistakes by bumping into walls. I do remember having to make
> ns.iana.org authoritative for iana.org as well to make the priming
> queries work. I think that's why a "dig ds iana.org @ns.iana.org"
> returns itself.
> So Eric, is ns.iana.org doing the right thing given 4035/2.4 and
> 4035/3.1.4.1 since it is returning "no data"?
> Any help would be appreciated.
>>> should ( I think) be a referral to the org servers, since the DS
>>> is served by the parent zone.
>>> However, the actual response is an authoritative NoData response,
>>> iana.org. 3600 IN SOA dns1.icann.org.
>>> i.e. it is coming from the iana.org zone rather than the root zone.
>>> Am I being stupid, or is this a bug?
>> afaict, you seem to be right:
>> RFC 4035:
>> 2.4. Including DS RRs in a Zone
>> DS RRsets MUST NOT appear at a zone's apex
>> As for the referral:
>> RFC 4035:
>> 3.1.4.1. Responding to Queries for DS RRs ...
>> the name server MUST return an authoritative "no data" response
>> showing that the DS RRset does not exist in the child zone's apex.
>>> It can lead to authentication errors if the org zone has not yet
>>> been discovered by the resolver, e.g. if the first query is for ns.iana.org
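The distinction the thread turns on (a referral to the parent's servers versus the authoritative "no data" that RFC 4035 section 3.1.4.1 requires from a server authoritative only for the child) can be checked mechanically on the wire-format response. The following is an added example, not code from anyone on the list: it builds a constructed DS response with the standard library, then classifies it by the AA bit, the empty answer section and the record types in the authority section. Function names (`build_response`, `classify_ds_response`) and the filler rdata are assumptions of this example.

```python
import struct

DS, SOA, NS = 43, 6, 2  # RR type codes from the IANA DNS parameters registry

def encode_name(name):
    # Uncompressed wire-format name, e.g. "iana.org" -> b"\x04iana\x03org\x00"
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_response(qname, qtype, aa, authority):
    # Constructed response: QR=1, AA as given, no answers, given authority RRs.
    # authority is a list of (owner, rtype); rdata is filler, only the type matters here.
    flags = 0x8000 | (0x0400 if aa else 0)
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, len(authority), 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    for owner, rtype in authority:
        rdata = b"\x00" * 4
        msg += encode_name(owner) + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata
    return msg

def skip_name(msg, off):
    # Advance past a wire-format name, honouring a compression pointer (RFC 1035 4.1.4)
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def section_types(msg, off, count):
    # Return the RR types found in a section and the offset just past it
    types = []
    for _ in range(count):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        types.append(rtype)
    return types, off

def classify_ds_response(msg):
    _, flags, qd, an, ns, _ = struct.unpack_from("!HHHHHH", msg, 0)
    aa, rcode = bool(flags & 0x0400), flags & 0x000F
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    if rcode != 0:
        return f"rcode {rcode}"
    answers, off = section_types(msg, off, an)
    auth, _ = section_types(msg, off, ns)
    if DS in answers:
        return "DS answer"               # parent-side server answered the DS
    if aa and not answers and SOA in auth:
        return "authoritative NoData"   # child-only server, RFC 4035 3.1.4.1
    if not aa and NS in auth:
        return "referral"               # server sent us toward the parent zone
    return "unexpected"
```

Run against a live capture, the "authoritative NoData" outcome is the expected shape for a DS query sent to a server that serves iana.org but not org; a resolver must still fetch the DS from the parent's servers to validate.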