[dns-operations] DNSSEC at ICANN: still no check?
Roy Arends
roy at dnss.ec
Mon Jan 20 16:37:50 UTC 2014
On 20 Jan 2014, at 16:29, Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:
> On Mon, Jan 20, 2014 at 04:24:53PM +0000,
>  Roy Arends <roy at dnss.ec> wrote
> a message of 121 lines which said:
>
>> I don’t understand the problem. Do you expect nic.red to be
>> dnssec-signed?
>
> Not at all. I expect its non-signature to be validated, but it isn’t.
Ahhhh, gotcha.
The problem is indeed the absence of type NS in the type bit maps, as you (and Peter van Dijk) showed in your previous mail.
According to RFC5155:
8.9. Validating Referrals to Unsigned Subzones
The delegation name in a referral is the owner name of the NS RRSet
present in the authority section of the referral response.
If there is an NSEC3 RR present in the response that matches the
delegation name, then the validator MUST ensure that the NS bit is
set and that the DS bit is not set in the Type Bit Maps field of the
NSEC3 RR.
“Must ensure that the NS bit is set and that the DS bit is not set”.
Good catch.
Since the NS bit wasn’t set in the NSEC3 record…
Roy
>
>
> % dig SOA nic.red
>
> ; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> SOA nic.red
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 54620
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;nic.red. IN SOA
>
> ;; Query time: 712 msec
> ;; SERVER: ::1#53(::1)
> ;; WHEN: Mon Jan 20 17:29:20 2014
> ;; MSG SIZE rcvd: 36
>
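The RFC 5155 section 8.9 check that Roy quotes can be reproduced offline. The following is an added example, not code from either poster, from ICANN or from any resolver: it hashes the delegation name the way RFC 5155 section 5 specifies (SHA-1, salt, iterations, base32hex), decodes an NSEC3 Type Bit Maps field in the RFC 4034 window format, and then applies the "NS set, DS not set" rule. The salt, iteration count, zone name and three sample bitmaps are constructed for the demonstration; the real .red parameters are not on the page. The "broken" sample reproduces the failure mode in the thread, an NSEC3 matching the delegation name whose bitmap lacks the NS bit, which a validator must reject (hence the SERVFAIL).

```python
import hashlib

NS, DS, RRSIG = 2, 43, 46  # RR type numbers used by the check

# base32 (RFC 4648) alphabet -> base32hex alphabet, as NSEC3 owner labels use
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def name_to_wire(name):
    """Canonical wire form of a domain name: lowercase labels, length-prefixed."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def nsec3_hash(name, salt, iterations):
    """RFC 5155 s.5: IH(salt,x,0) = H(x || salt); IH(salt,x,k) = H(IH(salt,x,k-1) || salt).
    Returns the lowercase base32hex label used as the NSEC3 owner name."""
    import base64
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20 bytes -> 32 base32 chars, no padding needed
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()


def parse_type_bitmap(bitmap):
    """Decode an RFC 4034 s.4.1.2 Type Bit Maps field into a set of RR type numbers."""
    types = set()
    i = 0
    while i < len(bitmap):
        window, length = bitmap[i], bitmap[i + 1]
        chunk = bitmap[i + 2:i + 2 + length]
        i += 2 + length
        for byte_index, b in enumerate(chunk):
            for bit in range(8):          # bit 0 is the most significant bit
                if b & (0x80 >> bit):
                    types.add(window * 256 + byte_index * 8 + bit)
    return types


def encode_type_bitmap(types):
    """Inverse of parse_type_bitmap; used here only to build sample records."""
    out = b""
    for window in sorted({t >> 8 for t in types}):
        bits = bytearray(32)
        for t in types:
            if t >> 8 == window:
                lo = t & 0xFF
                bits[lo // 8] |= 0x80 >> (lo % 8)
        while bits and bits[-1] == 0:     # trailing zero octets are omitted
            bits.pop()
        out += bytes([window, len(bits)]) + bytes(bits)
    return out


def validate_unsigned_referral(delegation_name, nsec3_owner, zone, salt, iterations, bitmap):
    """RFC 5155 s.8.9: an NSEC3 RR that matches the delegation name proves an
    unsigned delegation only if NS is set and DS is not set in its bitmap."""
    expected_owner = nsec3_hash(delegation_name, salt, iterations) + "." + zone.rstrip(".").lower() + "."
    if nsec3_owner.rstrip(".").lower() + "." != expected_owner:
        return False, "NSEC3 owner does not match the hashed delegation name"
    types = parse_type_bitmap(bitmap)
    if NS not in types:
        return False, "NS bit not set: referral cannot be validated (resolver returns SERVFAIL)"
    if DS in types:
        return False, "DS bit set: the subzone is signed, so a DS RRset must be present instead"
    return True, "unsigned delegation proven"


# Constructed NSEC3 parameters and zone; not the real .red values.
SALT, ITERATIONS, ZONE = bytes.fromhex("aabbccdd"), 12, "red."
DELEGATION = "nic.red"
MATCHING_OWNER = nsec3_hash(DELEGATION, SALT, ITERATIONS) + ".red."

BITMAP_GOOD = encode_type_bitmap({NS})          # what an unsigned delegation should carry
BITMAP_BROKEN = encode_type_bitmap(set())       # NS bit missing, as in the thread
BITMAP_SIGNED = encode_type_bitmap({NS, DS, RRSIG})  # a signed delegation, not this case

if __name__ == "__main__":
    for label, bm in (("good", BITMAP_GOOD), ("broken", BITMAP_BROKEN), ("signed", BITMAP_SIGNED)):
        print(label, bm.hex(), validate_unsigned_referral(DELEGATION, MATCHING_OWNER, ZONE, SALT, ITERATIONS, bm))
```

RFC 5155 Appendix A publishes hash test vectors (salt aabbccdd, 12 iterations) that `nsec3_hash` can be checked against before trusting it on live data; the check itself is what a validating resolver performs when it receives a referral with an NSEC3 matching the delegation name, so running it over the authority section of a captured response tells an operator whether their signer omitted the NS bit.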