[dns-operations] Validating or not validating (ICANN controlled interruption)

Peter van Dijk peter.van.dijk at netherlabs.nl
Wed Sep 3 08:01:42 UTC 2014


Hello Stephane,

On 03 Sep 2014, at 9:00 , Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:

> BIND validates "A nimportequoi.otsuka" and yields an answer with AD bit
> set.
> 
> Unbound gives back the answer but without the AD bit.
> 
> [Try it yourself, 'dig @unbound.odvr.dns-oarc.net A
> nimportequoi.otsuka' and 'dig @bind.odvr.dns-oarc.net A nimportequoi.otsuka']
> 
> In some cases (difficult to pinpoint, depending on the resolver's
> state), both BIND and Unbound return SERVFAIL.
> 
> Who's right?

Haven’t seen SERVFAILs from either, so can’t answer about those. But Unbound
is right. The NSEC3 that covers the name you are asking for has the opt-out
flag set, and hence the denial is insecure (but not bogus). Setting AD is, to
my knowledge, not valid here.

> PS: dnsviz claims that names like eb2dz5xm4s.otsuka are "secure,
> non-existent" while they elicit an answer.

This is also normal. For a wildcard to be allowed to be used for synthesis, the
actual name needs to be proven non-existent in the zone.

Kind regards,
-- 
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/
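The Opt-Out reasoning above, as an added example that is not from the post or from any resolver's code: it computes NSEC3 owner hashes per RFC 5155, finds the NSEC3 that covers a queried name, and classifies the denial as insecure (so no AD bit) when that covering record carries the Opt-Out flag. The zone names and the chain are constructed; the salt and iteration count are the RFC 5155 Appendix A values, and `covers`, `build_chain` and `classify_denial` are helper names chosen here.

```python
import hashlib

B32HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV"   # RFC 4648 base32hex alphabet
OPT_OUT = 0x01                                # NSEC3 flags bit 0 (RFC 5155 3.1.2.1)

def nsec3_hash(name: str, salt: bytes = b"", iterations: int = 0) -> str:
    """NSEC3 owner hash of a domain name: iterated salted SHA-1, base32hex."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    bits = int.from_bytes(digest, "big")      # 160 bits -> 32 base32hex chars
    return "".join(B32HEX[(bits >> (5 * i)) & 31] for i in range(31, -1, -1))

def covers(owner: str, nxt: str, h: str) -> bool:
    """True if hash h lies strictly between owner and next; the last NSEC3 of
    the chain points back to the first, so that interval wraps around."""
    o, n = owner.upper(), nxt.upper()
    return o < h < n if o < n else (h > o or h < n)

def build_chain(names, salt, iterations, opt_out=False):
    """Constructed NSEC3 chain for a toy zone: (owner_hash, flags, next_hash)."""
    hashes = sorted(nsec3_hash(n, salt, iterations) for n in names)
    flags = OPT_OUT if opt_out else 0
    return [(hashes[i], flags, hashes[(i + 1) % len(hashes)]) for i in range(len(hashes))]

def classify_denial(chain, qname, salt, iterations):
    """Status a validator should give a denial of qname: 'exists' (name is in
    the zone), 'secure' (AD may be set), 'insecure' (Opt-Out gap, no AD) or
    'bogus' (no NSEC3 proves anything about the name)."""
    h = nsec3_hash(qname, salt, iterations)
    for owner, flags, nxt in chain:
        if owner.upper() == h:
            return "exists"
        if covers(owner, nxt, h):
            # An Opt-Out span may hide unsigned delegations, so the covering
            # NSEC3 proves nothing cryptographically about qname.
            return "insecure" if flags & OPT_OUT else "secure"
    return "bogus"

if __name__ == "__main__":
    salt, iters = bytes.fromhex("aabbccdd"), 12        # RFC 5155 Appendix A params
    zone = ["example", "a.example", "ns1.example"]     # constructed toy zone
    for opt_out in (False, True):
        chain = build_chain(zone, salt, iters, opt_out)
        print(f"opt-out={opt_out}:", classify_denial(chain, "nimportequoi.example", salt, iters))
```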
