[dns-operations] Another possible .gov validation problem?

Brett Frankenberger rbf+dns-operations at panix.com
Sun Feb 13 15:33:51 UTC 2011


On Sat, Feb 12, 2011 at 07:43:13PM -0800, Cricket Liu wrote:
> Thanks for the reply, Mark.  I should have thought to check the NSEC RR.
> 
> On Feb 12, 2011, at 12:36 AM, Mark Andrews wrote:
> 
> > In message <7FC8D4F4-3D71-4A3F-BA2A-25496572135A at nxdomain.com>, Cricket Liu writes:
> >> Note the absence of a DS RR.
> >> 
> >> However, an explicit query for a DS RR returns something surprising:
> >> 
> >> $ dig @ns1.nasa.gov. ds pds.nasa.gov. +norec
> >> 
> >> ; <<>> DiG 9.7.2 <<>> @ns1.nasa.gov. ds pds.nasa.gov. +norec
> >> ; (1 server found)
> >> ;; global options: +cmd
> >> ;; Got answer:
> >> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3502
> >> ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> >> 
> >> ;; QUESTION SECTION:
> >> ;pds.nasa.gov.			IN	DS
> >> 
> >> Note the NXDOMAIN RCODE.
> 
> Is the NXDOMAIN RCODE for the DS query normal?  I don't get NXDOMAIN
> looking up (for example) DS RRs for infoblox.net in net; I get
> NOERROR.  Of course, the net name servers run ATLAS and the nasa.gov
> name servers almost certainly don't.

You don't get NXDOMAIN for DS on infoblox.net because the parent zone
has NS records for infoblox.net.  The issue with pds.nasa.gov is that
there aren't *any* records in the parent -- no NS or DS records.  If
the appropriate NS records are added, then it will return NOERROR
rather than NXDOMAIN.

The delegation (NS) records have probably been missing for a long time,
but, prior to DNSSEC, it's not a significant problem as long as the
child domain is on the same server as the parent domain.

This is all a side effect of the fact that when a server is
authoritative for a parent zone and a child zone, queries for DS
records at the apex of the child zone are answered from the parent
zone.

     -- Brett
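An added illustrative model (not BIND's code and not part of the thread) of the rule Brett describes: a server authoritative for both nasa.gov and pds.nasa.gov answers a DS query at the child apex from the parent zone, so the RCODE depends on whether the parent holds any records at that name. The zone contents below are constructed to mirror the thread's example.

```python
def _parent_of(name):
    """Parent name of a zone ('pds.nasa.gov' -> 'nasa.gov'); root as '.'."""
    return name.partition(".")[2] or "."

def _closest_zone(zones, qname):
    """Longest zone name that qname is at or below, or None if not served."""
    best = None
    for zone in zones:
        if qname == zone or qname.endswith("." + zone):
            if best is None or len(zone) > len(best):
                best = zone
    return best

def _lookup(zone_rrs, qname, qtype):
    """Answer from a single zone: NXDOMAIN, NOERROR/NODATA, or NOERROR + RRs."""
    # The name exists if it owns records or is an ancestor of a name that does
    # (an empty non-terminal); otherwise the zone says NXDOMAIN.
    exists = any(n == qname or n.endswith("." + qname) for n in zone_rrs)
    if not exists:
        return ("NXDOMAIN", [])
    return ("NOERROR", list(zone_rrs.get(qname, {}).get(qtype, [])))

def answer(zones, qname, qtype):
    """zones: {zone_name: {owner: {rrtype: [rdata, ...]}}} held by one server."""
    zone = _closest_zone(zones, qname)
    if zone is None:
        return ("REFUSED", [])
    # DS at a zone apex lives on the parent side of the cut (RFC 4035 3.1.4.1),
    # so when this server also hosts the parent, the parent zone answers.
    if qtype == "DS" and qname == zone and _parent_of(zone) in zones:
        zone = _parent_of(zone)
    return _lookup(zones[zone], qname, qtype)

# Constructed server data: nasa.gov carries no NS or DS for pds.nasa.gov,
# yet the same server is authoritative for pds.nasa.gov itself.
SERVER = {
    "nasa.gov": {
        "nasa.gov": {"SOA": ["(constructed)"], "NS": ["ns1.nasa.gov."]},
    },
    "pds.nasa.gov": {
        "pds.nasa.gov": {"SOA": ["(constructed)"], "NS": ["ns1.nasa.gov."]},
    },
}

def with_delegation(server):
    """Copy of the server data after the missing NS records are added."""
    fixed = {z: {n: dict(t) for n, t in rrs.items()} for z, rrs in server.items()}
    fixed["nasa.gov"]["pds.nasa.gov"] = {"NS": ["ns1.nasa.gov."]}
    return fixed
```

With the delegation missing, the DS query yields NXDOMAIN exactly as in the dig output above; adding the NS records turns it into a NOERROR/NODATA answer, and a server that hosts only the child answers DS from the child zone and also returns NOERROR.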
