[dns-operations] unbound-bind chain causing validation failures on synthesized records
Andrew Sullivan
ajs at anvilwalrusden.com
Tue Jul 10 11:21:29 UTC 2012
On Tue, Jul 10, 2012 at 10:21:59AM +1000, Mark Andrews wrote:
> CD=1 in Section 5.9 of draft-ietf-dnsext-dnssec-bis-updates. Making
> CD=0 queries forces the recursive server to try multiple authoritative
> servers until it gets a answer which validates or it exhausts the
> available authoritative servers and retries.
I think your analysis shows that there is a possible issue here, but
it seems to me this could be corrected just as well if the validating
recursive server validates anyway on CD=1, and tries an additional
authoritative server until it gets the answer that validates; however,
if it exhausts them and can't validate, then instead of failing it
passes on the answer it got. (As an optimization for speed: it passes
on the first answer it got, whatever the validation state, but then
proceeds with its own validation attempts before filling its cache.)
As near as I can tell, this way of proceeding is still perfectly
compliant. CD=1 can't override local policy at the recursive
resolver; it can only direct the server about how to respond in case
of validation failure.
Best,
A
--
Andrew Sullivan
ajs at anvilwalrusden.com
More information about the dns-operations
mailing list