[dns-operations] unbound-bind chain causing validation failures on synthesized records

Andrew Sullivan ajs at anvilwalrusden.com
Tue Jul 10 11:21:29 UTC 2012

On Tue, Jul 10, 2012 at 10:21:59AM +1000, Mark Andrews wrote:

> CD=1 in Section 5.9 of draft-ietf-dnsext-dnssec-bis-updates.  Making
> CD=0 queries forces the recursive server to try multiple authoritative
> servers until it gets a answer which validates or it exhausts the
> available authoritative servers and retries.

I think your analysis shows that there is a possible issue here, but
it seems to me this could be corrected just as well if the validating
recursive server validates anyway on CD=1, and tries an additional
authoritative server until it gets the answer that validates; however,
if it exhausts them and can't validate, then instead of failing it
passes on the answer it got.  (As an optimization for speed: it passes
on the first answer it got, whatever the validation state, but then
proceeds with its own validation attempts before filling its cache.)
As near as I can tell, this way of proceeding is still perfectly
compliant.  CD=1 can't override local policy at the recursive
resolver; it can only direct the server about how to respond in case
of validation failure.



Andrew Sullivan
ajs at anvilwalrusden.com

More information about the dns-operations mailing list