[dns-operations] Google DNS ignores DNSSEC validation failure
Casey Deccio
casey at deccio.net
Thu Sep 29 13:17:51 UTC 2016
Hi Daniel,
On Thu, Sep 29, 2016 at 8:49 AM, Daniel Stirnimann <
daniel.stirnimann at switch.ch> wrote:
> I've added an unsigned zone insecuretest.switch.ch but did not add the
> delegation in the parent zone. Thus, on validating resolvers a lookup
> returns SERVFAIL.
>
I can't speak for Google, but in general how this is handled depends on
resolver implementation. The SERVFAIL here isn't really because of a
validation failure; it is because the resolver is getting inconsistent
results when communicating with the authoritative server, while querying to
establish a chain of trust. When it asks for insecuretest.switch.ch/DS,
the query is answered from the parent zone (switch.ch), and the result is
NXDOMAIN because there is no delegation in the parent zone.
http://dnsviz.net/d/insecuretest.switch.ch/V-0R1g/dnssec/
Note that the NSEC proof accompanying the NXDOMAIN response is valid. When
it asks for insecuretest.switch.ch/A the query is answered from the child
zone, and the name exists--even if the record doesn't. The inconsistent
NXDOMAIN/NOERROR response can cause a server to respond with SERVFAIL, but
it depends on the order of the queries, among other things.
Cheers,
Casey
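A toy model of the inconsistency Casey describes, added here as an illustration and not code from the thread or from any resolver: an authoritative server hosting both zones answers DS from the parent side of the delegation point but A from the child, and a strict validator that cross-checks the two answers ends up at SERVFAIL until the delegation is added. The zone contents are constructed, and the resolver logic is a simplification (query order and other implementation choices are not modelled).

```python
# Toy model (constructed, not from the thread) of why a validator may
# SERVFAIL when a child zone is loaded on the server but not delegated.
NXDOMAIN, NOERROR, SERVFAIL = "NXDOMAIN", "NOERROR", "SERVFAIL"

# Constructed zone data: the signed parent has no delegation for the
# child; the unsigned child is served by the same authoritative server.
BROKEN = {
    "switch.ch": {"signed": True, "names": {"switch.ch", "www.switch.ch"}},
    "insecuretest.switch.ch": {"signed": False, "names": {"insecuretest.switch.ch"}},
}

def closest_zone(zones, qname):
    """Pick the most specific zone on the server that contains qname."""
    labels = qname.split(".")
    for i in range(len(labels)):
        cand = ".".join(labels[i:])
        if cand in zones:
            return cand
    raise KeyError(qname)

def auth_query(zones, qname, qtype):
    """Answer as an authoritative server hosting both zones would.
    DS at a delegation point belongs to the parent, so a DS query for a
    zone apex is answered from the enclosing zone, not from the child."""
    zone = closest_zone(zones, qname)
    if qtype == "DS" and zone == qname:
        zone = closest_zone(zones, qname.split(".", 1)[1])
    z = zones[zone]
    # NOERROR covers both "record present" and NODATA: the name exists.
    rcode = NOERROR if qname in z["names"] else NXDOMAIN
    return {"rcode": rcode, "zone": zone, "signed": z["signed"]}

def validating_resolve(zones, qname, qtype):
    """Strict validator: the parent's (signed) DS answer and the child's
    answer must agree on whether qname exists, otherwise SERVFAIL."""
    ds = auth_query(zones, qname, "DS")
    ans = auth_query(zones, qname, qtype)
    if ds["rcode"] == NXDOMAIN and ans["rcode"] == NOERROR:
        # parent's NSEC proves the name is absent, child says it exists
        return SERVFAIL
    return ans["rcode"]

def with_delegation(zones):
    """Repaired copy: the parent now holds the child's apex name (NS
    records for the delegation, no DS since the child is unsigned)."""
    fixed = {z: {"signed": d["signed"], "names": set(d["names"])}
             for z, d in zones.items()}
    fixed["switch.ch"]["names"].add("insecuretest.switch.ch")
    return fixed
```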