[dns-operations] DNSSEC at ICANN: still no check?
Roy Arends
roy at dnss.ec
Mon Jan 20 16:37:50 UTC 2014
On 20 Jan 2014, at 16:29, Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:
> On Mon, Jan 20, 2014 at 04:24:53PM +0000,
> Roy Arends <roy at dnss.ec> wrote
> a message of 121 lines which said:
>> I don’t understand the problem. Do you expect nic.red to be
> Not at all. I expect its non-signature to be validated, but it isn’t.
The problem is indeed the absence of type NS in the type bit maps, as you (and Peter van
Dijk) showed in your previous mail.
According to RFC5155:
8.9. Validating Referrals to Unsigned Subzones
The delegation name in a referral is the owner name of the NS RRSet
present in the authority section of the referral response.
If there is an NSEC3 RR present in the response that matches the
delegation name, then the validator MUST ensure that the NS bit is
set and that the DS bit is not set in the Type Bit Maps field of the
“Must ensure that the NS bit is set and that the DS bit is not set”.
Since the NS bit wasn’t set in the NSEC3 record…
> % dig SOA nic.red
> ; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> SOA nic.red
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 54620
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;nic.red. IN SOA
> ;; Query time: 712 msec
> ;; SERVER: ::1#53(::1)
> ;; WHEN: Mon Jan 20 17:29:20 2014
> ;; MSG SIZE rcvd: 36
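The RFC 5155 §8.9 rule quoted above is mechanical enough to show in code. The following is an added example, not code from the thread or from any resolver: it decodes an NSEC3 Type Bit Maps field (the RFC 4034 §4.1.2 window-block wire format) and applies the referral check, returning "bogus" when the NS bit is absent (the nic.red case) or the DS bit is present. It also applies the rest of §8.9 that the mail does not quote, namely that the SOA bit must be clear so the NSEC3 is known to come from the parent zone. All sample bitmaps are constructed for the example; `encode_type_bitmap` exists only to build them.

```python
"""Validate a referral to an unsigned subzone per RFC 5155 section 8.9.

Added example (not from the dns-operations thread). The type bitmap
format is RFC 4034 section 4.1.2: a sequence of (window, length, bitmap)
blocks, where type = window*256 + byte_index*8 + bit, MSB first.
"""
from __future__ import annotations

# RR type codes (IANA DNS parameters registry)
NS = 2
SOA = 6
DS = 43


def parse_type_bitmap(data: bytes) -> set[int]:
    """Decode window-block wire format into the set of RR type numbers."""
    types: set[int] = set()
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated window header")
        window, length = data[i], data[i + 1]
        i += 2
        if not 1 <= length <= 32:
            raise ValueError(f"bitmap length {length} out of range 1..32")
        if i + length > len(data):
            raise ValueError("truncated bitmap")
        bitmap = data[i:i + length]
        i += length
        for byte_idx, b in enumerate(bitmap):
            for bit in range(8):
                if b & (0x80 >> bit):
                    types.add(window * 256 + byte_idx * 8 + bit)
    return types


def encode_type_bitmap(types: set[int]) -> bytes:
    """Build wire-format window blocks; used here only to construct samples."""
    windows: dict[int, bytearray] = {}
    for t in sorted(types):
        window, offset = divmod(t, 256)
        windows.setdefault(window, bytearray(32))
        windows[window][offset // 8] |= 0x80 >> (offset % 8)
    out = bytearray()
    for window in sorted(windows):
        bitmap = windows[window].rstrip(b"\x00")  # trailing zero octets are omitted
        out += bytes([window, len(bitmap)]) + bitmap
    return bytes(out)


def validate_unsigned_referral(bitmap: bytes) -> tuple[bool, str]:
    """Apply RFC 5155 section 8.9 to the NSEC3 matching the delegation name.

    Returns (secure, reason). A False result means the validator must treat
    the referral as bogus, which a resolver surfaces as SERVFAIL.
    """
    types = parse_type_bitmap(bitmap)
    if NS not in types:
        return False, "NS bit not set: NSEC3 does not prove a delegation (bogus)"
    if DS in types:
        return False, "DS bit set: a DS exists, so the child must be signed (bogus)"
    if SOA in types:
        return False, "SOA bit set: NSEC3 is from the child, not the parent (bogus)"
    return True, "NS set, DS and SOA clear: unsigned delegation proven"


if __name__ == "__main__":
    # Constructed samples, not captured from nic.red.
    samples = {
        "missing NS (the case in the thread)": encode_type_bitmap({46}),  # only RRSIG
        "correct unsigned delegation": encode_type_bitmap({NS}),
        "DS present, child is signed": encode_type_bitmap({NS, DS, 46}),
        "child-side NSEC3": encode_type_bitmap({NS, SOA, 46}),
    }
    for label, wire in samples.items():
        ok, why = validate_unsigned_referral(wire)
        print(f"{label:40s} {'secure' if ok else 'bogus ':6s} {why}")
```

The bitmap for a correct unsigned delegation is just `00 01 20`: window 0, one octet, bit 2 (NS) set. Whatever else the parent puts in that NSEC3, a validator following §8.9 needs exactly that bit present and the DS bit clear; everything else is irrelevant to this check.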