[dns-operations] Another possible .gov validation problem?

Mark Andrews marka at isc.org
Sun Feb 13 23:25:50 UTC 2011

In message <BB6B85FEB6A5416197668D60EB23C72D at local>, "George Barwood" writes:
> ----- Original Message ----- 
> From: "Mark Andrews" <marka at isc.org>
> > If the zone is delegated you won't get a NXDOMAIN.  The zone in
> > question wasn't delegated.  It was just being served by the same
> > set of servers as its "parent" zone.
> > 
> > DNSSEC did its job.  It prevented data that was not provably insecure
> > bein accepted.
> I'm wondering a bit what the most appropriate error is in this case.
> My validating resolver gives ServerFail for all validation errors.
> The model is
>   - Construct the response as if DNSSEC doesn't exist ( roughly )
>   - Try an validate the response, with 3 possible outcomes
>     - Secure
>     - Insecure
>     - Bogus ( something went wrong )
> and Bogus then translates into ServerFail.
> I think ServerFail is possibly a bit more informative,  as it shows someting has definitely
> gone wrong, whereas NameError can be a "normal" state of affairs.
> So I can see arguments on both sides, but is there any important reason to favour NameError (NXDOMAIN) ?
> George

George, there were 2 different sets of queries involved.  The ones
that were answered from the pds.nasa.gov zone failed with servfail
as it was it wasn't delegated.  The query for pds.nasa.gov/DS
succeeded and returned NXDOMAIN because there wasn't a delegation
or any other information about pds.nasa.gov in the nasa.gov zone.

It isn't about favouring NXDOMAIN.  It's about favouring the answer
that can be crytograpghically proved correct.  If there was a signed
DS for pds.nasa.gov there and provably correct and no signatures
for other pds.nasa.gov queries that were returned we would reject
those as well.

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

More information about the dns-operations mailing list