[dns-operations] Another possible .gov validation problem?
george.barwood at blueyonder.co.uk
Mon Feb 14 00:10:06 UTC 2011
----- Original Message -----
From: "Mark Andrews" <marka at isc.org>
To: "George Barwood" <george.barwood at blueyonder.co.uk>
Cc: "Cricket Liu" <cricket at nxdomain.com>; <dns-operations at mail.dns-oarc.net>; <dns at nasa.gov>
Sent: Sunday, February 13, 2011 11:25 PM
Subject: Re: [dns-operations] Another possible .gov validation problem?
> In message <BB6B85FEB6A5416197668D60EB23C72D at local>, "George Barwood" writes:
>> ----- Original Message -----
>> From: "Mark Andrews" <marka at isc.org>
>> > If the zone is delegated you won't get a NXDOMAIN. The zone in
>> > question wasn't delegated. It was just being served by the same
>> > set of servers as its "parent" zone.
>> > DNSSEC did its job. It prevented data that was not provably insecure
>> > bein accepted.
>> I'm wondering a bit what the most appropriate error is in this case.
>> My validating resolver gives ServerFail for all validation errors.
>> The model is
>> - Construct the response as if DNSSEC doesn't exist ( roughly )
>> - Try an validate the response, with 3 possible outcomes
>> - Secure
>> - Insecure
>> - Bogus ( something went wrong )
>> and Bogus then translates into ServerFail.
>> I think ServerFail is possibly a bit more informative, as it shows someting has definitely
>> gone wrong, whereas NameError can be a "normal" state of affairs.
>> So I can see arguments on both sides, but is there any important reason to favour NameError (NXDOMAIN) ?
> George, there were 2 different sets of queries involved. The ones
> that were answered from the pds.nasa.gov zone failed with servfail
> as it was it wasn't delegated. The query for pds.nasa.gov/DS
> succeeded and returned NXDOMAIN because there wasn't a delegation
> or any other information about pds.nasa.gov in the nasa.gov zone.
> It isn't about favouring NXDOMAIN. It's about favouring the answer
> that can be crytograpghically proved correct. If there was a signed
> DS for pds.nasa.gov there and provably correct and no signatures
> for other pds.nasa.gov queries that were returned we would reject
> those as well.
If the query is run with +cdflag=1 then you get an A record back, agreed?
I think (in the absence of attacks) I would expect +cdflag=1 responses to agree,
with the only exception being that checking can produce ServerFail.
I'm not yet convinced one way or the other, maybe it doesn't matter in the end.
I just think ServerFail is a more accurate categorisation of this situation from a practical
point of view, with meaning "something is wrong with the DNS / we are under attack".
NameError seems slightly misleading, when there is concrete evidence of a mis-configuration.
I don't think the standard has anything to say on this ( please correct me if I'm wrong ).
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
More information about the dns-operations