[dns-operations] Google DNS ignores DNSSEC validation failure

Casey Deccio casey at deccio.net
Thu Sep 29 13:17:51 UTC 2016

Hi Daniel,

On Thu, Sep 29, 2016 at 8:49 AM, Daniel Stirnimann <
daniel.stirnimann at switch.ch> wrote:

> I've added an unsigned zone insecuretest.switch.ch but did not add the
> delegation in the parent zone. Thus, on validating resolvers a lookup
> returns SERVFAIL.

I can't speak for Google, but in general how this is handled depends on
resolver implementation.  The SERVFAIL here isn't really because of a
validation failure; it is because the resolver is getting inconsistent
results when communicating with the authoritative server, while querying to
establish a chain of trust.  When it asks for insecuretest.switch.ch/DS,
the query is answered from the parent zone (switch.ch), and the result is
NXDOMAIN because there is no delegation in the parent zone.
Note that the NSEC proof accompanying the NXDOMAIN response is valid.  When
it asks for insecuretest.switch.ch/A the query is answered from the child
zone, and the name exists--even if the record doesn't.  The inconsistent
NXDOMAIN/NOERROR response can cause a server to respond with SERVFAIL, but
it depends on the order of the queries, among other things.
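The following is an added illustration, not part of Casey's message or of any resolver's code. It is a small Python model of the chain-of-trust reasoning described above: the validator interprets the parent's answer to the DS query (NXDOMAIN with a verified NSEC proof means "no such name in the parent"), then compares it with what the child server says for the actual query. The `Response` class, the state names and the three scenario functions are constructed for the example; signature and NSEC verification are represented by boolean flags rather than performed, and query ordering and caching, which the post notes also matter, are not modelled.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class Response:
    """Minimal stand-in for a DNS response as seen by a validator (constructed)."""
    rcode: str                       # "NOERROR" or "NXDOMAIN"
    answer_types: List[str] = field(default_factory=list)  # RR types in the answer
    denial_proven: bool = False      # NSEC/NSEC3 denial present and its RRSIGs verified
    sigs_valid: bool = False         # answer RRSIGs verified against a trusted key


def delegation_state(ds_resp: Response) -> str:
    """Interpret the parent's answer to the DS query for the child name."""
    if ds_resp.rcode == "NOERROR" and "DS" in ds_resp.answer_types:
        return "secure"        # a DS exists, so the child must be signed
    if ds_resp.rcode == "NOERROR" and ds_resp.denial_proven:
        return "insecure"      # NODATA with proof: delegation exists but is unsigned
    if ds_resp.rcode == "NXDOMAIN" and ds_resp.denial_proven:
        return "nonexistent"   # proof that the parent has no such name at all
    return "bogus"             # neither a DS nor a provable denial: untrustworthy


def validator_outcome(ds_resp: Response, child_resp: Response) -> str:
    """Combine the parent's DS answer with the child's answer to the real query
    and return the rcode a stub client would receive from the validator."""
    state = delegation_state(ds_resp)
    if state == "bogus":
        return "SERVFAIL"
    if state == "nonexistent":
        # The parent has proved the name does not exist. A NOERROR answer from
        # a server claiming to be the child contradicts authenticated data,
        # whether or not the requested record is present (NODATA counts too).
        return "SERVFAIL" if child_resp.rcode == "NOERROR" else "NXDOMAIN"
    if state == "insecure":
        return child_resp.rcode   # unsigned child data is accepted unvalidated
    # secure delegation: the child's answer must carry valid signatures
    return child_resp.rcode if child_resp.sigs_valid else "SERVFAIL"


# Scenario from the post: an unsigned zone that is served but never delegated.
def undelegated_child_scenario() -> str:
    ds = Response(rcode="NXDOMAIN", denial_proven=True)   # parent: no such name, NSEC-proved
    a = Response(rcode="NOERROR", answer_types=["A"])     # child server: the name exists
    return validator_outcome(ds, a)


# Contrast: the same unsigned zone with a proper (insecure) delegation in the parent.
def proper_insecure_scenario() -> str:
    ds = Response(rcode="NOERROR", denial_proven=True)    # NODATA for DS, NSEC-proved
    a = Response(rcode="NOERROR", answer_types=["A"])
    return validator_outcome(ds, a)


# Contrast: a name that genuinely does not exist anywhere.
def truly_missing_scenario() -> str:
    ds = Response(rcode="NXDOMAIN", denial_proven=True)
    a = Response(rcode="NXDOMAIN")                        # no server claims the name
    return validator_outcome(ds, a)


if __name__ == "__main__":
    print("undelegated, served child :", undelegated_child_scenario())
    print("insecure delegation       :", proper_insecure_scenario())
    print("name absent everywhere    :", truly_missing_scenario())
```

The point the model makes is the one in the message: the SERVFAIL in the undelegated case is not a signature failure. The parent's denial validates fine; the resolver fails because it holds an authenticated "this name does not exist" alongside a NOERROR answer for the same name, and a resolver that never reaches that comparison (different query order, cached data) may answer differently.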

