[dns-operations] [DNSSEC] Resolver behavior with broken DS records

George Barwood george.barwood at blueyonder.co.uk
Fri May 6 09:57:20 UTC 2011


----- Original Message ----- 
From: "Stephane Bortzmeyer" <bortzmeyer at nic.fr>
To: <dns-operations at lists.dns-oarc.net>
Sent: Friday, May 06, 2011 9:18 AM
Subject: [dns-operations] [DNSSEC] Resolver behavior with broken DS records


> In an (involuntary) experiment under .FR, I discovered that the rule
> "at least one DS must match for a child zone to be authenticated" is
> wrong if a broken DS is present. In our case, the field Algorithm in
> the DS did not match the one in the DNSKEY. While there was another
> correct DS for the child zone, both BIND and Unbound servfailed. So,
> the incorrect DS made the child zone bogus.
> 
> Is it normal and expected behavior or a bug common to these two name
> servers?

I think this is normal behavior. I think ( although I may be wrong, my memory is bad and I haven't re-read the standard very recently ) that the standard doesn't have much to say on this.

A hypothetical resolver that only supported the algorithm in the broken DS would certainly return ServerFail.

I think resolvers are free to do any of the following:

(1) Attempt to find an algorithm that validates, and set AD on any success.
Only report ServerFail if all the known algorithms fail.

(2) Try all known algorithms, and insist they all succeed before setting AD
( this provides security where multiple algorithms are used and an attacker cannot
break them all ). If any fail, return ServerFail.

(3) Try known algorithms until either a success or failure occurs, and use that to set AD.

George
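To make the three policies above concrete, here is an added example (not from the thread, and not the code of BIND or Unbound) that computes real DS digests and key tags for a constructed child zone, publishes one correct DS and one whose Algorithm field is wrong, and shows how each policy classifies the zone. The zone name, the fake key bytes and the DS records are constructed for the demonstration; the digest and key-tag arithmetic follows RFC 4034.

```python
"""Model of DS/DNSKEY matching and three resolver policies for a DS RRset
that contains a broken record. Added example; the zone, key bytes and DS
records are constructed here and are not taken from .FR or any real zone."""
import hashlib
import struct

# DNSSEC algorithm numbers from the IANA registry.
RSASHA256 = 8
ECDSAP256SHA256 = 13

# DS digest type number for SHA-256.
DIGEST_SHA256 = 2


def name_to_wire(name):
    """Canonical wire form of an owner name (lowercase, length-prefixed labels)."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def dnskey_rdata(flags, algorithm, pubkey):
    """DNSKEY RDATA: flags(2) | protocol(1, always 3) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if (i & 1) else (b << 8)
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata):
    """DS digest per RFC 4034 section 5.1.4: hash(owner name wire | DNSKEY RDATA)."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()


def make_ds(owner, rdata, algorithm_field=None):
    """Build a DS tuple (key_tag, algorithm, digest_type, digest) for a DNSKEY.
    algorithm_field lets us deliberately publish a wrong Algorithm field,
    reproducing the broken DS described in the thread."""
    alg = rdata[3] if algorithm_field is None else algorithm_field
    return (key_tag(rdata), alg, DIGEST_SHA256, ds_digest(owner, rdata))


def ds_matches_key(owner, ds, rdata):
    """A DS authenticates a DNSKEY only if key tag, algorithm and digest all match."""
    tag, alg, dtype, digest = ds
    return (dtype == DIGEST_SHA256 and tag == key_tag(rdata)
            and alg == rdata[3] and digest == ds_digest(owner, rdata))


def ds_verdicts(owner, ds_set, dnskeys):
    """Per-DS result, in RRset order: True if some DNSKEY matches it."""
    return [any(ds_matches_key(owner, ds, k) for k in dnskeys) for ds in ds_set]


def policy_any_success(verdicts):
    """(1) secure if at least one DS validates; bogus only if all fail."""
    return "secure" if any(verdicts) else "bogus"


def policy_all_must_succeed(verdicts):
    """(2) secure only if every DS validates."""
    return "secure" if all(verdicts) else "bogus"


def policy_first_result(verdicts):
    """(3) the first DS tried decides the outcome."""
    return "secure" if verdicts[0] else "bogus"


def evaluate(owner, ds_set, dnskeys):
    """Classify the child zone under all three policies."""
    v = ds_verdicts(owner, ds_set, dnskeys)
    return {"any": policy_any_success(v),
            "all": policy_all_must_succeed(v),
            "first": policy_first_result(v)}


# Constructed child zone with one KSK (flags 257 = zone key + SEP bit).
CHILD = "child.example."
KSK = dnskey_rdata(257, ECDSAP256SHA256, b"\x01" * 64)  # fake public key bytes
GOOD_DS = make_ds(CHILD, KSK)
BROKEN_DS = make_ds(CHILD, KSK, algorithm_field=RSASHA256)  # Algorithm field wrong


def demo():
    """Broken DS listed first, as a resolver walking the RRset in order sees it."""
    return evaluate(CHILD, [BROKEN_DS, GOOD_DS], [KSK])


if __name__ == "__main__":
    print(demo())  # {'any': 'secure', 'all': 'bogus', 'first': 'bogus'}
```

Only policy (1) treats the zone as secure; policy (2) marks it bogus, and policy (3) depends on the order the resolver happens to try the DS records in, which is the kind of inconsistency that makes the observed SERVFAIL hard to diagnose from the outside.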


