[dns-operations] Another possible .gov validation problem?

Edward Lewis Ed.Lewis at neustar.biz
Mon Feb 14 02:04:53 UTC 2011


At 0:10 +0000 2/14/11, George Barwood wrote:
>  I think ServerFail is possibly a bit more informative,  as it shows
>something has definitely gone wrong, whereas NameError can be a "normal"
>state of affairs.
>
>So I can see arguments on both sides, but is there any important reason
>to favour NameError (NXDOMAIN) ?

Name servers are not the same as zones.  Name servers are transparent 
in the data plane.  This is what has to be in mind when thinking 
about this.

Let's say machine A is authoritative for nasa.gov.
Let's say machine B is authoritative for nasa.gov. and pds.nasa.gov.

And let's say that in the zone for nasa.gov. there are no records at 
all for pds.nasa.gov and that there is nothing below it.  I.e., in 
the data plane, it does not exist (per the definition of existence in 
RFC 4592).

If a query for www.pds.nasa.gov/IN/TXT arrives at machine A, the 
proper response is NXDOMAIN because there is no record of 
pds.nasa.gov.  (Consult RFC 1034's section 4.3.2. algorithm and add 
in all changes to it.  Look in step 3.)

If the same query arrives at machine B, the proper response will be 
taken from the pds.nasa.gov zone because, same algorithm, step 2. 
With this, and without DNSSEC validation, you will get a result.

Now if you try to validate with a trust anchor for root/gov/nasa.gov, 
you will not find a DS record for pds.nasa.gov from either machine A 
or B because that name does not exist in the data plane.  The 
difference is due to step 2, the DS would not be in the same zone as 
the other data.

DNSSEC is proving that machine B is in a sense "rogue" in claiming 
there is a zone pds.nasa.gov.  In the data plane, nasa.gov is the 
zone with authority to answer and it says it does not exist.

What is the right answer?  For machine A it is NXDOMAIN.  For Machine 
B it is a DNSSEC-delivered SERVFAIL.  Machine A isn't aware of a 
"threat", Machine B is essentially exposing one.

Both answers are right given the circumstances.  Keep in mind that 
zones can have overlapping sets of name servers.  And keep in mind 
that any given name server will answer from the closest enclosing 
zone.

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar                    You can leave a voice message at +1-571-434-5468

Me to infant son: "Waah! Waah! Is that all you can say?  Waah?"
Son: "Waah!"
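As an added illustration, not part of Ed's message: a small Python model of the two machines described above. It implements step 2 (closest enclosing zone) and step 3 (does the name exist in that zone) of the RFC 1034 4.3.2 algorithm, plus a validator that, when an answer comes from a child zone, checks the trusted parent for a DS at the cut. The zone contents and the `answer`/`validate` functions are constructed for this example.

```python
from typing import Dict, Set, Optional

# Constructed data: owner name -> set of record types present at that name.
Zone = Dict[str, Set[str]]

# nasa.gov. holds nothing at or below pds.nasa.gov and no DS for it, so in
# the data plane pds.nasa.gov does not exist (RFC 4592 sense of existence).
NASA_ZONE: Zone = {"nasa.gov.": {"SOA", "NS", "DNSKEY"}, "www.nasa.gov.": {"A"}}
PDS_ZONE: Zone = {"pds.nasa.gov.": {"SOA", "NS"}, "www.pds.nasa.gov.": {"TXT"}}

# Machine A serves only nasa.gov.; machine B serves nasa.gov. and pds.nasa.gov.
MACHINE_A: Dict[str, Zone] = {"nasa.gov.": NASA_ZONE}
MACHINE_B: Dict[str, Zone] = {"nasa.gov.": NASA_ZONE, "pds.nasa.gov.": PDS_ZONE}


def closest_enclosing_zone(server: Dict[str, Zone], qname: str) -> Optional[str]:
    """RFC 1034 4.3.2 step 2: the loaded zone with the longest match wins."""
    best = None
    for zone in server:
        if qname == zone or qname.endswith("." + zone):
            if best is None or len(zone) > len(best):
                best = zone
    return best


def name_exists(zone: Zone, name: str) -> bool:
    """RFC 4592: a name exists if it owns records or has anything below it."""
    return any(o == name or o.endswith("." + name) for o in zone)


def answer(server: Dict[str, Zone], qname: str, qtype: str) -> str:
    """Rcode a server returns without DNSSEC, per step 3 of the algorithm."""
    zname = closest_enclosing_zone(server, qname)
    if zname is None:
        return "REFUSED"          # not authoritative for anything above qname
    zone = server[zname]
    if not name_exists(zone, qname):
        return "NXDOMAIN"         # machine A's answer for www.pds.nasa.gov
    # NODATA here means NOERROR with an empty answer section.
    return "NOERROR" if qtype in zone.get(qname, set()) else "NODATA"


def validate(server: Dict[str, Zone], qname: str, qtype: str,
             parent_name: str, parent: Zone) -> str:
    """Validator with a trust anchor covering `parent`: an answer from a
    deeper zone is only trusted if the parent holds a DS at that cut."""
    zname = closest_enclosing_zone(server, qname)
    rcode = answer(server, qname, qtype)
    if zname == parent_name:
        return rcode              # answer or denial is signed by the trusted zone
    if "DS" in parent.get(zname, set()):
        return rcode              # secure delegation: chain of trust continues
    return "SERVFAIL"             # parent says the child zone does not exist
```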