[dns-operations] Another possible .gov validation problem?
Edward Lewis
Ed.Lewis at neustar.biz
Mon Feb 14 02:04:53 UTC 2011
At 0:10 +0000 2/14/11, George Barwood wrote:
> I think ServerFail is possibly a bit more informative, as it shows
> something has definitely gone wrong, whereas NameError can be a "normal"
> state of affairs.
>
> So I can see arguments on both sides, but is there any important reason
> to favour NameError (NXDOMAIN) ?
Name servers are not the same as zones. Name servers are transparent
in the data plane. This is what has to be in mind when thinking
about this.
Let's say machine A is authoritative for nasa.gov.
Let's say machine B is authoritative for nasa.gov. and pds.nasa.gov.
And let's say that in the zone for nasa.gov. there are no records at
all for pds.nasa.gov and that there is nothing below it. I.e., in
the data plane, it does not exist (per the definition of existence in
RFC 4592).
If a query for www.pds.nasa.gov/IN/TXT arrives at machine A, the
proper response is NXDOMAIN because there is no record of
pds.nasa.gov. (Consult RFC 1034's section 4.3.2. algorithm and add
in all changes to it. Look in step 3.)
If the same query arrives at machine B, the proper response will be
taken from the pds.nasa.gov zone because, same algorithm, step 2.
With this, and without DNSSEC validation, you will get a result.
Now if you try to validate with a trust anchor for root/gov/nasa.gov,
you will not find a DS record for pds.nasa.gov from either machine A
or B because that name does not exist in the data plane. The
difference is due to step 2, the DS would not be in the same zone as
the other data.
DNSSEC is proving that machine B is in a sense "rogue" in claiming
there is a zone pds.nasa.gov. In the data plane, nasa.gov is the
zone with authority to answer and it says it does not exist.
What is the right answer? For machine A it is NXDOMAIN. For Machine
B it is a DNSSEC-delivered SERVFAIL. Machine A isn't aware of a
"threat", Machine B is essentially exposing one.
Both answers are right given the circumstances. Keep in mind that
zones can have overlapping sets of name servers. And keep in mind
that any given name server will answer from the closest enclosing
zone.
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar You can leave a voice message at +1-571-434-5468
Me to infant son: "Waah! Waah! Is that all you can say? Waah?"
Son: "Waah!"
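The two-machine scenario above, modelled as an added example (not code from the thread or from any name server): a server picks the closest enclosing zone it loads (RFC 1034 section 4.3.2, step 2), a zone with no matching owner name yields NXDOMAIN (step 3, RFC 4592 existence), and a validator walking DS records from the answering zone up to the trust anchor fails on pds.nasa.gov because nasa.gov holds no DS for it. Zone contents, DS sets and the server layout are all constructed for illustration.

```python
# Records are modelled as {zone apex: {owner name: {type: [rdata]}}} (constructed).
ZONES = {
    "nasa.gov.": {
        "nasa.gov.": {"SOA": ["a.nasa.gov. hostmaster.nasa.gov. 1 1 1 1 1"],
                      "NS": ["a.nasa.gov.", "b.nasa.gov."]},
        "www.nasa.gov.": {"A": ["192.0.2.1"]},   # nothing at or below pds.nasa.gov.
    },
    "pds.nasa.gov.": {   # loaded only by machine B
        "pds.nasa.gov.": {"SOA": ["b.nasa.gov. hostmaster.nasa.gov. 1 1 1 1 1"],
                          "NS": ["b.nasa.gov."]},
        "www.pds.nasa.gov.": {"TXT": ["hello"]},
    },
}
# DS records each parent zone publishes (constructed): nasa.gov. has none for
# pds.nasa.gov., which is the condition the post describes.
DS_IN_PARENT = {".": {"gov."}, "gov.": {"nasa.gov."}, "nasa.gov.": set()}
TRUST_ANCHOR = "."

def is_at_or_below(zone, name):
    return name == zone or name.endswith("." + zone)

def closest_enclosing_zone(qname, loaded):
    """RFC 1034 4.3.2 step 2: the longest loaded apex that encloses qname."""
    matches = [z for z in loaded if is_at_or_below(z, qname)]
    return max(matches, key=len) if matches else None

def answer(loaded, qname, qtype):
    """Unvalidated (rcode, answering zone, rdata) from a server loading `loaded`."""
    zone = closest_enclosing_zone(qname, loaded)
    if zone is None:
        return "REFUSED", None, []
    owners = ZONES[zone]
    # Step 3 / RFC 4592: qname exists if it owns data or is an empty non-terminal.
    if not any(is_at_or_below(qname, o) for o in owners):
        return "NXDOMAIN", zone, []
    return "NOERROR", zone, owners.get(qname, {}).get(qtype, [])

def validate(zone, rcode):
    """Chain DS records from the answering zone up to the trust anchor."""
    child = zone
    while child != TRUST_ANCHOR:
        parent = child.split(".", 1)[1] or "."
        if child not in DS_IN_PARENT.get(parent, set()):
            # No secure delegation to this zone: the validator marks the
            # answer bogus and the client sees SERVFAIL.
            return "SERVFAIL"
        child = parent
    return rcode   # chain intact: the server's rcode stands (here NXDOMAIN)
```

Machine A loads only nasa.gov. and validates to NXDOMAIN; machine B answers from pds.nasa.gov. and validates to SERVFAIL, matching the two outcomes described above.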