[dns-operations] Validation anomalies under gpo.gov

Brian Somers bsomers at opendns.com
Sat Apr 4 02:47:09 UTC 2020

> On Apr 3, 2020, at 1:49 PM, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
> The AD=1 replies from Google and Verisign are not "wrong".  They just
> reflect the fact that any ancestor zone is in principle free to bypass
> delegation and return "unexpected" signed answers for a child domain,
> legitimately or otherwise.  Of course if a TLD were found doing that
> for nefarious reasons, there'd be a major "covfefe”.

That didn’t occur to me, but yes, I agree.  If the access.gpo.gov/NS RRset is
considered BOGUS (it should be signed) and because of that the delegation
(to self) is considered “not present" then google & verisign are correct!

I wonder if this is some sort of canary domain?!

In our case, we deduce that there IS a delegation point.  If we haven’t looked
for the authoritative access.gpo.gov/NS, we use the glue, find the
permanent.access.gpo.gov/A RRset and consider it BOGUS because of the
out-of-bailiwick sig.  If we are asked specifically for access.gpo.gov/NS, we
look it up and return SERVFAIL because of the missing RRSIG(s), *BUT*
the cached BOGUS state doesn’t stop us from using the NS RRset!

I wonder if it’s better behaviour to ignore BOGUS NS RRsets (given that
they can only be declared BOGUS if they came from the authority as
opposed to being supplied as glue)?  And does that bring us back to the
conversation about



More information about the dns-operations mailing list