[dns-operations] DNSSEC at ICANN: still no check?

Roy Arends roy at dnss.ec
Mon Jan 20 16:37:50 UTC 2014


On 20 Jan 2014, at 16:29, Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:

> On Mon, Jan 20, 2014 at 04:24:53PM +0000,
> Roy Arends <roy at dnss.ec> wrote
> a message of 121 lines which said:
> 
>> I don’t understand the problem. Do you expect nic.red to be
>> dnssec-signed?
> 
> Not at all. I expect its non-signature to be validated, but it isn’t.

Ahhhh, gotcha.

The problem is indeed the absence of type NS in the type bit maps, as you (and Peter van
Dijk) showed in your previous mail.

According to RFC5155:

8.9.  Validating Referrals to Unsigned Subzones

   The delegation name in a referral is the owner name of the NS RRSet
   present in the authority section of the referral response.

   If there is an NSEC3 RR present in the response that matches the
   delegation name, then the validator MUST ensure that the NS bit is
   set and that the DS bit is not set in the Type Bit Maps field of the
   NSEC3 RR. 


“Must ensure that the NS bit is set and that the DS bit is not set”.

Good catch.

Since NS bit wasn’t set in the NSEC3 record…


Roy

> 
> 
> % dig SOA nic.red
> 
> ; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> SOA nic.red
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 54620
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;nic.red.		IN SOA
> 
> ;; Query time: 712 msec
> ;; SERVER: ::1#53(::1)
> ;; WHEN: Mon Jan 20 17:29:20 2014
> ;; MSG SIZE  rcvd: 36
> 
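The RFC 5155 section 8.9 check quoted above, as an added example that is not part of this thread or of any resolver's code: it decodes the NSEC3 Type Bit Maps wire format (the window-block encoding of RFC 4034 section 4.1.2, which NSEC3 reuses) and applies the referral rule, NS bit set and DS bit clear. The sample bitmaps are constructed here to show the two outcomes; they are not wire data captured from nic.red.

```python
"""RFC 5155 section 8.9 check on an NSEC3 Type Bit Maps field.

Added example, not code from the thread or from any resolver.  The type
bitmap format (RFC 4034 section 4.1.2) is a sequence of window blocks:
  window number (1 octet), bitmap length (1 octet, 1..32), bitmap octets.
Bit 0 of each octet is the most significant bit (RFC 4034 convention).
"""

# RR type numbers (IANA registry)
A = 1
NS = 2
DS = 43
RRSIG = 46


def decode_type_bitmap(data: bytes) -> set:
    """Decode the window-block encoding into a set of RR type numbers."""
    types = set()
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated window block header")
        window, length = data[i], data[i + 1]
        if not 1 <= length <= 32:
            raise ValueError(f"invalid bitmap length {length}")
        bitmap = data[i + 2 : i + 2 + length]
        if len(bitmap) != length:
            raise ValueError("truncated bitmap")
        for byte_index, byte in enumerate(bitmap):
            for bit in range(8):
                # bit 0 is the most significant bit of the octet
                if byte & (0x80 >> bit):
                    types.add((window << 8) | (byte_index << 3) | bit)
        i += 2 + length
    return types


def encode_type_bitmap(types) -> bytes:
    """Inverse of decode_type_bitmap; used here to construct sample records."""
    windows = {}
    for t in types:
        bm = windows.setdefault(t >> 8, bytearray(32))
        bm[(t & 0xFF) >> 3] |= 0x80 >> (t & 7)
    out = bytearray()
    for window in sorted(windows):
        bm = windows[window]
        # trailing zero octets are omitted (RFC 4034 section 4.1.2)
        length = max(i for i, b in enumerate(bm) if b) + 1
        out += bytes([window, length]) + bm[:length]
    return bytes(out)


def referral_is_valid(bitmap: bytes) -> bool:
    """RFC 5155 section 8.9: an NSEC3 matching the delegation name proves an
    unsigned delegation only if the NS bit is set and the DS bit is not."""
    types = decode_type_bitmap(bitmap)
    return NS in types and DS not in types


# Constructed samples (not captured wire data):
GOOD_DELEGATION = encode_type_bitmap({NS})            # insecure delegation
MISSING_NS = encode_type_bitmap({A, RRSIG})           # NS bit absent: validator must fail
SIGNED_DELEGATION = encode_type_bitmap({NS, DS, RRSIG})  # DS present: not an unsigned subzone

if __name__ == "__main__":
    for name, bm in [("good delegation", GOOD_DELEGATION),
                     ("missing NS bit", MISSING_NS),
                     ("signed delegation", SIGNED_DELEGATION)]:
        print(f"{name:18} bitmap={bm.hex():20} types={sorted(decode_type_bitmap(bm))} "
              f"unsigned-referral-ok={referral_is_valid(bm)}")
```

A validator that sees the second case for a delegation name has no proof that the subzone is legitimately unsigned, so it cannot treat the referral as insecure and returns SERVFAIL, which matches the dig output quoted in the thread.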
