[dns-operations] Another possible .gov validation problem?

George Barwood george.barwood at blueyonder.co.uk
Mon Feb 14 00:10:06 UTC 2011


Mark

----- Original Message ----- 
From: "Mark Andrews" <marka at isc.org>
To: "George Barwood" <george.barwood at blueyonder.co.uk>
Cc: "Cricket Liu" <cricket at nxdomain.com>; <dns-operations at mail.dns-oarc.net>; <dns at nasa.gov>
Sent: Sunday, February 13, 2011 11:25 PM
Subject: Re: [dns-operations] Another possible .gov validation problem?


> 
> In message <BB6B85FEB6A5416197668D60EB23C72D at local>, "George Barwood" writes:
>> 
>> ----- Original Message ----- 
>> From: "Mark Andrews" <marka at isc.org>
>> > If the zone is delegated you won't get a NXDOMAIN.  The zone in
>> > question wasn't delegated.  It was just being served by the same
>> > set of servers as its "parent" zone.
>> > 
>> > DNSSEC did its job.  It prevented data that was not provably insecure
>> > from being accepted.
>> 
>> I'm wondering a bit what the most appropriate error is in this case.
>> 
>> My validating resolver gives ServerFail for all validation errors.
>> 
>> The model is
>>   - Construct the response as if DNSSEC doesn't exist ( roughly )
>>   - Try and validate the response, with 3 possible outcomes
>>     - Secure
>>     - Insecure
>>     - Bogus ( something went wrong )
>>   
>> and Bogus then translates into ServerFail.
>> 
>> I think ServerFail is possibly a bit more informative, as it shows something has definitely
>> gone wrong, whereas NameError can be a "normal" state of affairs.
>> 
>> So I can see arguments on both sides, but is there any important reason to favour NameError (NXDOMAIN) ?
>> 
>> George
>>  
> 
> George, there were 2 different sets of queries involved.  The ones
> that were answered from the pds.nasa.gov zone failed with servfail
> as it wasn't delegated.  The query for pds.nasa.gov/DS
> succeeded and returned NXDOMAIN because there wasn't a delegation
> or any other information about pds.nasa.gov in the nasa.gov zone.
> 
> It isn't about favouring NXDOMAIN.  It's about favouring the answer
> that can be cryptographically proved correct.  If there was a signed,
> provably correct DS for pds.nasa.gov there, and no signatures
> for the other pds.nasa.gov queries that were returned, we would reject
> those as well.

If the query is run with +cdflag=1 then you get an A record back, agreed?

I think (in the absence of attacks) I would expect +cdflag=1 responses to agree,
with the only exception being that checking can produce ServerFail.

I'm not yet convinced one way or the other, maybe it doesn't matter in the end.
I just think ServerFail is a more accurate categorisation of this situation from a practical
point of view, with the meaning "something is wrong with the DNS / we are under attack".
NameError seems slightly misleading, when there is concrete evidence of a mis-configuration.

I don't think the standard has anything to say on this ( please correct me if I'm wrong ).

George

> Mark
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
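The resolver model George describes (build the answer first, then classify it Secure / Insecure / Bogus, and turn Bogus into ServerFail) together with Mark's point that the DS query and the A query are judged separately, as an added Python model. This is not code from the thread, from BIND or from any other resolver: signature verification is reduced to a boolean, the record data (the 192.0.2.x addresses, the child.example delegation, the NSEC type bitmaps) is constructed for the example, and the assumption that gov. holds a validated DS for nasa.gov is likewise made up for illustration.

```python
"""Toy model of the validating-resolver behaviour discussed in the thread:
build the answer as if DNSSEC did not exist, then classify it as Secure,
Insecure or Bogus, and return SERVFAIL for Bogus unless the client set CD.
Signature checking is abstracted to a boolean; there is no real crypto here."""
from dataclasses import dataclass
from typing import NamedTuple, Tuple

SECURE, INSECURE, BOGUS = "Secure", "Insecure", "Bogus"


class RR(NamedTuple):
    owner: str
    rtype: str
    rdata: object  # for NSEC: the tuple of types present at the owner


@dataclass(frozen=True)
class Answer:
    rcode: str                # rcode the answer would carry without DNSSEC
    records: Tuple[RR, ...]   # answer RRs, or the NSEC records of a denial
    signatures_verify: bool   # all needed RRSIGs present and verified to a trust anchor


@dataclass(frozen=True)
class ParentView:
    """What a validated DS query proved about a name in the parent zone."""
    proven: bool      # the parent's DS answer itself validated
    delegated: bool   # parent holds NS for the name (a zone cut exists there)
    has_ds: bool      # parent holds a DS for the name


def parent_view(ds_answer: Answer) -> ParentView:
    """Derive the parent's proof from the DS-query answer (Mark's second query)."""
    if not ds_answer.signatures_verify:
        return ParentView(proven=False, delegated=False, has_ds=False)
    if ds_answer.rcode == "NXDOMAIN":
        # Signed NXDOMAIN: the name has no NS, no DS, nothing at all in the parent.
        return ParentView(proven=True, delegated=False, has_ds=False)
    has_ds = any(rr.rtype == "DS" for rr in ds_answer.records)
    # NODATA at a zone cut: the NSEC type bitmap shows NS present but no DS.
    nsec_types = set()
    for rr in ds_answer.records:
        if rr.rtype == "NSEC":
            nsec_types.update(rr.rdata)
    return ParentView(proven=True, delegated=has_ds or "NS" in nsec_types, has_ds=has_ds)


def classify(ans: Answer, view: ParentView) -> str:
    """Secure / Insecure / Bogus, following the three outcomes in the thread."""
    if ans.signatures_verify:
        return SECURE
    if not view.proven:
        return BOGUS
    if view.delegated and not view.has_ds:
        return INSECURE   # provably unsigned child zone: unsigned data is acceptable
    return BOGUS          # name lies inside a signed zone (or a DS exists): reject unsigned data


def resolve(ans: Answer, view: ParentView, cd: bool = False):
    """Return (rcode, records, status) as the resolver would hand to the client.
    With CD set the unvalidated answer is passed through, as George expects."""
    status = classify(ans, view)
    if status == BOGUS and not cd:
        return "SERVFAIL", (), status
    return ans.rcode, ans.records, status


# --- Constructed sample data shaped like the pds.nasa.gov case (not captured traffic) ---
# Assumed for the example: gov. holds a validated DS for nasa.gov.
GOV_VIEW_OF_NASA = ParentView(proven=True, delegated=True, has_ds=True)

# Query 1: pds.nasa.gov/DS at nasa.gov -> signed NXDOMAIN (no delegation exists).
DS_QUERY_NXDOMAIN = Answer("NXDOMAIN", (
    RR("nasa.gov.", "NSEC", ("SOA", "NS", "DNSKEY", "NSEC", "RRSIG")),),
    signatures_verify=True)

# Query 2: pds.nasa.gov/A, served unsigned by the same servers as nasa.gov.
A_QUERY_UNSIGNED = Answer("NOERROR", (RR("pds.nasa.gov.", "A", "192.0.2.10"),),
                          signatures_verify=False)

# Contrast (assumed names): a properly delegated but unsigned child, proven by a
# signed NSEC at the cut listing NS but no DS, makes an unsigned A answer Insecure.
DS_QUERY_NODATA_AT_CUT = Answer("NOERROR", (
    RR("child.example.", "NSEC", ("NS", "NSEC", "RRSIG")),), signatures_verify=True)
CHILD_A_UNSIGNED = Answer("NOERROR", (RR("www.child.example.", "A", "192.0.2.20"),),
                          signatures_verify=False)


def run_scenarios() -> dict:
    nasa_view = parent_view(DS_QUERY_NXDOMAIN)
    return {
        "ds_query":   resolve(DS_QUERY_NXDOMAIN, GOV_VIEW_OF_NASA),   # NXDOMAIN, Secure
        "a_query":    resolve(A_QUERY_UNSIGNED, nasa_view),           # SERVFAIL, Bogus
        "a_query_cd": resolve(A_QUERY_UNSIGNED, nasa_view, cd=True),  # NOERROR + A, Bogus
        "insecure":   resolve(CHILD_A_UNSIGNED, parent_view(DS_QUERY_NODATA_AT_CUT)),
    }


if __name__ == "__main__":
    for name, (rcode, records, status) in run_scenarios().items():
        print(f"{name:12s} {rcode:9s} {status:9s} {[r.rdata for r in records]}")
```

The model shows the two rcodes side by side: the DS query is a signed, validated denial and so comes back NXDOMAIN, while the unsigned A answer for a name the parent proves is not delegated is Bogus and comes back SERVFAIL, and only the CD bit lets the A record through.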

