[dns-operations] Another possible .gov validation problem?

Mark Andrews marka at isc.org
Sun Feb 13 22:12:13 UTC 2011


In message <11BAE6D2-A1F8-4579-916D-B98770C80BE4 at nxdomain.com>, Cricket Liu writes:
> Thanks for the reply, Mark.  I should have thought to check the NSEC RR.
> 
> On Feb 12, 2011, at 12:36 AM, Mark Andrews wrote:
> 
> > In message <7FC8D4F4-3D71-4A3F-BA2A-25496572135A at nxdomain.com>, Cricket Liu writes:
> >> Note the absence of a DS RR.
> >>
> >> However, an explicit query for a DS RR returns something surprising:
> >>
> >> $ dig @ns1.nasa.gov. ds pds.nasa.gov. +norec
> >>
> >> ; <<>> DiG 9.7.2 <<>> @ns1.nasa.gov. ds pds.nasa.gov. +norec
> >> ; (1 server found)
> >> ;; global options: +cmd
> >> ;; Got answer:
> >> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3502
> >> ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> >>
> >> ;; QUESTION SECTION:
> >> ;pds.nasa.gov.			IN	DS
> >>
> >> Note the NXDOMAIN RCODE.
> 
> Is the NXDOMAIN RCODE for the DS query normal?  I don't get NXDOMAIN
> looking up (for example) DS RRs for infoblox.net in net; I get NOERROR.
> Of course, the net name servers run ATLAS and the nasa.gov name servers
> almost certainly don't.

If the zone is delegated you won't get a NXDOMAIN.  The zone in
question wasn't delegated.  It was just being served by the same
set of servers as its "parent" zone.

DNSSEC did its job.  It prevented data that was not provably insecure
from being accepted.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
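As an added example (not code from the thread, from ISC or from any of the posters), the script below does by hand what the `dig @ns1.nasa.gov. ds pds.nasa.gov. +norec` query above does, then applies the reasoning in Mark's reply to the wire-format answer: NXDOMAIN from the parent's own server means the name is not in the parent zone at all, so it is not a delegation, while a real unsigned delegation answers NOERROR with an NSEC whose type bitmap has NS but no DS (provably insecure). Unlike the dig run above it sets the EDNS DO bit so the parent includes its NSEC records. The zone names (`example.`, `pds.example.`, `child.example.`), the SOA contents and the two replies are constructed for offline use, not captured traffic; only NSEC (not NSEC3) bitmaps are decoded.

```python
import socket
import struct

# RR type numbers used below; the DO flag lives in the OPT RR's TTL field.
TYPE_NS, TYPE_SOA, TYPE_OPT, TYPE_DS, TYPE_RRSIG, TYPE_NSEC = 2, 6, 41, 43, 46, 47
NXDOMAIN = 3


def encode_name(name):
    """Wire-format a domain name without compression."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def skip_name(msg, off):
    """Return the offset just past a name; a compression pointer ends it."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1


def build_ds_query(name, qid=0x1234):
    """DS query with RD=0 (like dig +norec) plus an OPT RR with DO set."""
    msg = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 1)
    msg += encode_name(name) + struct.pack("!HH", TYPE_DS, 1)
    return msg + b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0x8000, 0)


def nsec_types(rdata):
    """Decode an NSEC type bitmap (RFC 4034 4.1.2) into a set of RR types."""
    off, types = skip_name(rdata, 0), set()
    while off < len(rdata):
        window, blen = rdata[off], rdata[off + 1]
        for i, byte in enumerate(rdata[off + 2:off + 2 + blen]):
            types.update(window * 256 + i * 8 + b for b in range(8) if byte & (0x80 >> b))
        off += 2 + blen
    return types


def parse_response(msg):
    """Return rcode plus [(type, rdata)] for the answer and authority sections."""
    _qid, flags, qd, an, ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, sections = 12, []
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for count in (an, ns):
        rrs = []
        for _ in range(count):
            off = skip_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            rrs.append((rtype, msg[off + 10:off + 10 + rdlen]))
            off += 10 + rdlen
        sections.append(rrs)
    return {"rcode": flags & 0xF, "answer": sections[0], "authority": sections[1]}


def classify_ds_response(resp):
    """What a parent server's reply to a DS query says about the child name."""
    if resp["rcode"] == NXDOMAIN:
        # Absent from the parent zone, so never delegated: a zone that is merely
        # co-hosted on the parent's servers looks exactly like this.
        return "not delegated (NXDOMAIN)"
    if resp["rcode"] != 0:
        return "rcode %d" % resp["rcode"]
    if any(t == TYPE_DS for t, _ in resp["answer"]):
        return "signed delegation"
    for t, rdata in resp["authority"]:          # NODATA: inspect the NSEC proof
        if t == TYPE_NSEC:
            types = nsec_types(rdata)
            if TYPE_NS in types and TYPE_DS not in types:
                return "unsigned delegation, provably insecure"
            if TYPE_NS not in types:
                return "name exists in parent but is not a delegation"
    return "no DS and no usable NSEC proof: not provably insecure"


def query_ds(parent_server_ip, child, timeout=3.0):
    """Ask one of the parent's authoritative servers directly over UDP."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_ds_query(child), (parent_server_ip, 53))
        data, _ = sock.recvfrom(4096)
    finally:
        sock.close()
    return classify_ds_response(parse_response(data))


# Constructed replies (not captured traffic) so the classifier runs offline.
def nsec_rdata(next_name, types):
    """NSEC RDATA with a window-0 bitmap; enough for RR types below 256."""
    bitmap = bytearray(32)
    for t in types:
        bitmap[t // 8] |= 0x80 >> (t % 8)
    while bitmap[-1] == 0:
        bitmap.pop()
    return encode_name(next_name) + bytes([0, len(bitmap)]) + bytes(bitmap)


def build_reply(qname, rcode, authority):
    """Authoritative (QR|AA) reply to a DS query carrying the given authority RRs."""
    msg = struct.pack("!HHHHHH", 0x1234, 0x8400 | rcode, 1, 0, len(authority), 0)
    msg += encode_name(qname) + struct.pack("!HH", TYPE_DS, 1)
    for owner, rtype, rdata in authority:
        msg += encode_name(owner) + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata
    return msg


SOA = encode_name("ns1.example.") + encode_name("hostmaster.example.") + struct.pack("!5I", 1, 7200, 900, 1209600, 3600)
# Shape seen in the thread: a name served by the parent's servers but never delegated.
REPLY_UNDELEGATED = build_reply("pds.example.", NXDOMAIN, [("example.", TYPE_SOA, SOA)])
# A genuine but unsigned delegation: the NSEC at the name has NS and no DS.
REPLY_INSECURE = build_reply("child.example.", 0, [
    ("example.", TYPE_SOA, SOA),
    ("child.example.", TYPE_NSEC, nsec_rdata("d.example.", [TYPE_NS, TYPE_RRSIG, TYPE_NSEC])),
])
```

`classify_ds_response(parse_response(REPLY_UNDELEGATED))` yields the "not delegated" verdict and `REPLY_INSECURE` the "provably insecure" one; `query_ds("<parent server IP>", "child.example.")` runs the same classification against a live parent server (the address is a placeholder you supply). A NOERROR reply that carries no NSEC at all is reported as not provably insecure, which is precisely the case a validator must refuse.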