[dns-operations] Another possible .gov validation problem?
Mark Andrews
marka at isc.org
Sun Feb 13 23:25:50 UTC 2011
In message <BB6B85FEB6A5416197668D60EB23C72D at local>, "George Barwood" writes:
>
> ----- Original Message -----
> From: "Mark Andrews" <marka at isc.org>
> > If the zone is delegated you won't get a NXDOMAIN. The zone in
> > question wasn't delegated. It was just being served by the same
> > set of servers as its "parent" zone.
> >
> > DNSSEC did its job. It prevented data that was not provably insecure
> > being accepted.
>
> I'm wondering a bit what the most appropriate error is in this case.
>
> My validating resolver gives ServerFail for all validation errors.
>
> The model is
> - Construct the response as if DNSSEC doesn't exist ( roughly )
> - Try and validate the response, with 3 possible outcomes
> - Secure
> - Insecure
> - Bogus ( something went wrong )
>
> and Bogus then translates into ServerFail.
>
> I think ServerFail is possibly a bit more informative, as it shows something has definitely
> gone wrong, whereas NameError can be a "normal" state of affairs.
>
> So I can see arguments on both sides, but is there any important reason to favour NameError (NXDOMAIN) ?
>
> George
>
George, there were 2 different sets of queries involved. The ones
that were answered from the pds.nasa.gov zone failed with servfail
as it wasn't delegated. The query for pds.nasa.gov/DS
succeeded and returned NXDOMAIN because there wasn't a delegation
or any other information about pds.nasa.gov in the nasa.gov zone.
It isn't about favouring NXDOMAIN. It's about favouring the answer
that can be cryptographically proved correct. If there was a signed
DS for pds.nasa.gov there and provably correct and no signatures
for other pds.nasa.gov queries that were returned we would reject
those as well.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
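
The decision logic discussed in this thread, as an added example that is not part of the original messages or of any resolver's code. It is a simplified model with no cryptography: the names `ParentProof`, `ds_query` and `child_query` are hypothetical, and signature checking is reduced to a boolean assumed to be computed elsewhere.

```python
from enum import Enum

class Status(Enum):          # the three validation outcomes from the thread
    SECURE = 1
    INSECURE = 2
    BOGUS = 3

class ParentProof(Enum):     # validated answer to "<child>/DS" from the signed parent
    SIGNED_DS = 1            # DS RRset exists: child must be signed
    NO_DS_AT_DELEGATION = 2  # delegation exists, DS provably absent: child is insecure
    NXDOMAIN = 3             # name provably absent from parent: no delegation at all

def ds_query(proof):
    """Outcome of the DS query itself; every case is signed by the parent."""
    rcode = "NXDOMAIN" if proof is ParentProof.NXDOMAIN else "NOERROR"
    return Status.SECURE, rcode

def child_query(proof, sigs_valid, plain_rcode):
    """Outcome for data served from the child zone.
    sigs_valid: RRSIGs chain to the DS (assumed checked elsewhere).
    plain_rcode: the rcode the response would carry if DNSSEC did not exist."""
    if proof is ParentProof.NO_DS_AT_DELEGATION:
        status = Status.INSECURE          # provably insecure: unsigned data accepted
    elif proof is ParentProof.SIGNED_DS and sigs_valid:
        status = Status.SECURE
    else:
        status = Status.BOGUS             # cannot be proven secure or insecure
    return status, ("SERVFAIL" if status is Status.BOGUS else plain_rcode)

if __name__ == "__main__":
    # Constructed replay of the two query sets described for pds.nasa.gov
    print("pds.nasa.gov/DS ->", ds_query(ParentProof.NXDOMAIN))
    print("data from undelegated zone ->",
          child_query(ParentProof.NXDOMAIN, False, "NOERROR"))
    print("signed DS, unsigned answers ->",
          child_query(ParentProof.SIGNED_DS, False, "NOERROR"))
    print("unsigned delegation ->",
          child_query(ParentProof.NO_DS_AT_DELEGATION, False, "NOERROR"))
```
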