[dns-operations] Another possible .gov validation problem?

Peter Koch pk at DENIC.DE
Sun Feb 13 10:47:57 UTC 2011


On Sat, Feb 12, 2011 at 07:43:13PM -0800, Cricket Liu wrote:

> Is the NXDOMAIN RCODE for the DS query normal?  I don't get NXDOMAIN looking up (for example) DS RRs for infoblox.net in net; I get NOERROR.  Of course, the net name servers run ATLAS and the nasa.gov name servers almost certainly don't.

it's not "normal", but the parent and child zone setup isn't either.
What Mark said: the delegation is missing in the parent zone. Look at the
DNSSEC response:

; <<>> DiG 9.7.1-P1 <<>> +dnssec +norec @ns1.nasa.gov. pds.nasa.gov. ds
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 27166
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;pds.nasa.gov.                  IN      DS

;; AUTHORITY SECTION:
nasa.gov.               300     IN      SOA     ns1.nasa.gov. dns.nasa.gov. 200804819 10800 1200 604800 14400
nasa.gov.               300     IN      RRSIG   SOA 5 2 300 20110514043730 20110211163730 38436 nasa.gov. OS0CJk6zGSwvB00VKY2sJOl4N8BqjXQESV2iRonct+nKWdy0GDCGQX1J zsgIgLztIKFW9lkz6i7VrIVNaBeJIetPKPAIl5T+BmnbjEERbeMo5ySo cNuk5PjnUW6tjyfipoJuGqrlexA6DTdr5py4bDPw9l2awmZ4DNIHEHCE K1o=
nasa.gov.               14400   IN      NSEC    _tcp.nasa.gov. NS SOA MX TXT RRSIG NSEC DNSKEY
nasa.gov.               14400   IN      RRSIG   NSEC 5 2 14400 20110514043730 20110211163730 38436 nasa.gov. RU0mB7J3pRf3ymf3aErCeR5q8KZewsFtyp3i/gDmMx1joKZDRqlZwqpG RyU5XDAS0whek0caAlXAyU1Nn33uNh0SXwa0sXHLz228AUjIWT2PQ/pP l7KIS668+xUYUmuLwRR/ReXqrD8Xwcwz8w0X/xpKHr/Rjyo8fn+5n8TA Qdw=
pdl.nasa.gov.           14400   IN      NSEC    people.nasa.gov. NS RRSIG NSEC
pdl.nasa.gov.           14400   IN      RRSIG   NSEC 5 3 14400 20110514043730 20110211163730 38436 nasa.gov. X8LHPDygKcf/IPEfVUhWlIO7JqitGKXiFg4r94OEba8uiKVwiL9UOlv0 y3dUZAhon2+Pooq9t2BFwWruwQ86ijgRvmOxkfUrrv7IKEpKZkeGTXPk PzE4n8V0zUOSVzq++3vefMJdjDLqid2XAONcf9Uc4rG4oYUgCYw7FUut QA8=

;; Query time: 293 msec
;; SERVER: 198.116.4.189#53(198.116.4.189)
;; WHEN: Sun Feb 13 11:34:15 2011
;; MSG SIZE  rcvd: 666

Here's a proof that pds.nasa.gov doesn't exist from the parent's
perspective (pdl.nasa.gov -> people.nasa.gov covers pds.nasa.gov).
Thus NXDOMAIN is the correct response.  However, all three servers
are configured to authoritatively support pds.nasa.gov, which isn't
signed.  So, iff the servers would use their knowledge about the child
and incorporate the child's NS RRSet to answer with a referral, they
could not prove the absence of the DS RR. That would need an NSEC RR
in the parent zone, owned by pds.nasa.gov, where we just learned that
the parent has an NSEC that proves the non-existence of pds.nasa.gov.

Serving parent and child on the same set of servers is tricky with DNSSEC,
and relying on side effects might have worked prior to DNSSEC but isn't
expected to continue working. See section 3.2 of RFC 5936.

-Peter
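The checks below are an added example, not part of Peter Koch's message and not code from nasa.gov's operators. They re-implement the NSEC logic a validating resolver applies (canonical name ordering from RFC 4034 section 6.1, the NXDOMAIN proof of RFC 4035 section 5.4 and the insecure-delegation proof of RFC 4035 section 5.2) and run it against the two NSEC RRs transcribed from the dig output in the message. NASA_NSECS is that transcription; FIXED_NSECS is a constructed, hypothetical chain showing what the parent zone would have to sign to prove a DS-less delegation for pds.nasa.gov. All function names are this example's own.

```python
# Added example (not from Peter Koch's message or from nasa.gov's operators):
# the NSEC coverage checks a validating resolver performs, run against the
# two NSEC RRs transcribed from the dig output above. FIXED_NSECS is a
# constructed, hypothetical chain showing what the parent would need to
# serve to prove the pds.nasa.gov delegation has no DS. Function names are
# this example's own.


def canonical_key(name):
    """Ordering key per RFC 4034 section 6.1: labels compared right to
    left as lower-cased octet strings, a proper prefix sorting first.
    Python's list comparison on the reversed label list does exactly that."""
    labels = [l.lower().encode() for l in name.rstrip(".").split(".") if l]
    return labels[::-1]


def nsec_covers(owner, nxt, name):
    """True when `name` sorts strictly between `owner` and `nxt`, i.e. this
    NSEC proves `name` does not exist. The last NSEC in a zone points back
    to the apex, so `nxt` may sort before `owner` (wrap-around)."""
    o, n, q = canonical_key(owner), canonical_key(nxt), canonical_key(name)
    if o < n:
        return o < q < n
    return q > o or q < n


def nsec_for(nsecs, name):
    """The NSEC owned by `name`, or None. An owned NSEC proves the name
    exists and lists its RR types (the basis of a no-data proof)."""
    for rr in nsecs:
        if canonical_key(rr[0]) == canonical_key(name):
            return rr
    return None


def closest_encloser(nsecs, zone, name):
    """Walk up from `name` to the nearest ancestor this response proves to
    exist (one that owns an NSEC, or the apex). Returns that ancestor and
    the next closer name, the one label below it that must be covered."""
    labels = name.rstrip(".").split(".")
    for i in range(1, len(labels)):
        anc = ".".join(labels[i:]) + "."
        if nsec_for(nsecs, anc) or canonical_key(anc) == canonical_key(zone):
            return anc, ".".join(labels[i - 1:]) + "."
    return None, None


def prove_nxdomain(nsecs, zone, name):
    """RFC 4035 section 5.4 NXDOMAIN proof: the next closer name and the
    wildcard at the closest encloser must both be covered. Returns the
    pieces of the proof, or None if the NSEC set does not prove it."""
    if nsec_for(nsecs, name):
        return None
    ce, next_closer = closest_encloser(nsecs, zone, name)
    if ce is None:
        return None
    cover = [rr for rr in nsecs if nsec_covers(rr[0], rr[1], next_closer)]
    wild = [rr for rr in nsecs if nsec_covers(rr[0], rr[1], "*." + ce)]
    if not cover or not wild:
        return None
    return {"closest_encloser": ce, "next_closer": next_closer,
            "covered_by": cover[0], "wildcard_covered_by": wild[0]}


def prove_insecure_delegation(nsecs, name):
    """RFC 4035 section 5.2: a referral without DS is only provably
    insecure if an NSEC owned by the delegation name has NS set and
    neither DS nor SOA set. Without an NSEC at that owner nothing is proven."""
    rr = nsec_for(nsecs, name)
    return rr is not None and "NS" in rr[2] and "DS" not in rr[2] and "SOA" not in rr[2]


# NSEC RRs as (owner, next, type bit map), transcribed from the dig output.
NASA_NSECS = [
    ("nasa.gov.", "_tcp.nasa.gov.",
     {"NS", "SOA", "MX", "TXT", "RRSIG", "NSEC", "DNSKEY"}),
    ("pdl.nasa.gov.", "people.nasa.gov.", {"NS", "RRSIG", "NSEC"}),
]

# Constructed: the chain a parent that really delegates pds.nasa.gov would
# sign. Hypothetical, not what nasa.gov served.
FIXED_NSECS = [
    NASA_NSECS[0],
    ("pdl.nasa.gov.", "pds.nasa.gov.", {"NS", "RRSIG", "NSEC"}),
    ("pds.nasa.gov.", "people.nasa.gov.", {"NS", "RRSIG", "NSEC"}),
]

if __name__ == "__main__":
    print("NXDOMAIN proof:", prove_nxdomain(NASA_NSECS, "nasa.gov.", "pds.nasa.gov."))
    print("insecure delegation proven (as served):",
          prove_insecure_delegation(NASA_NSECS, "pds.nasa.gov."))
    print("insecure delegation proven (fixed parent):",
          prove_insecure_delegation(FIXED_NSECS, "pds.nasa.gov."))
```

Run against the served records, prove_nxdomain finds the complete proof the message describes (closest encloser nasa.gov, pds.nasa.gov covered by pdl -> people, the wildcard *.nasa.gov covered by nasa.gov -> _tcp), while prove_insecure_delegation fails because no NSEC is owned by pds.nasa.gov. With the constructed chain the situation inverts: the NXDOMAIN proof is no longer possible and the NS-without-DS NSEC at pds.nasa.gov makes a referral provably insecure. Note that closest_encloser only accepts an ancestor as existing when it owns one of the supplied NSECs or is the apex, which is sufficient for this response but narrower than a full validator.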
