[dns-operations] Trouble with qa.ws.igt.fiscal.treasury.gov

Viktor Dukhovni ietf-dane at dukhovni.org
Tue Oct 18 15:58:59 UTC 2022


On Tue, Oct 18, 2022 at 05:56:25PM +1100, Mark Andrews wrote:

> > However, resolvers generally don't send explicit DS queries.  Instead,
> > when the parent zone is signed, they set the DO bit and expect any
> > referrals to either include the signed DS records, or authenticated
> > denial of existence thereof.
> 
> What resolver doesn't make DS queries?  BIND makes DS queries.  If you
> have reasonable testing, insecure delegations (signed -> unsigned as well
> as signed -> signed (no DS)) from the same server should be part of your
> test suite.

Yes, "generally" was the wrong word.  For one it seems that DNSViz is
not doing the right thing.  And I did observe problems via
CloudFlare yesterday, and guessed they were related.  Not able to
reproduce them just now.

By the way, is the validation workflow used in BIND written up somewhere
as a separate document, or are the comments in the code the best way to
understand how BIND validates names below a trust anchor (finding either
a valid signature or an insecure delegation)?

-- 
    Viktor.
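The exchange above turns on what a validating resolver can conclude from a referral alone: a validated DS RRset means a secure delegation, a validated NSEC proving "NS set, DS absent" at the child name means an insecure delegation, and a referral carrying neither leaves the resolver no choice but to send an explicit DS query (the case Mark describes, and the one a test suite should cover). The following is an added example, not code from this thread, from BIND, or from any resolver: a small Python model of that decision. It assumes RRSIG checking has already happened and is summarised by a `signed` flag, it handles NSEC only (NSEC3 hashing of owner names is omitted), and the names and DS digest are constructed placeholders.

```python
from dataclasses import dataclass

# Added example (hypothetical names, constructed data); not from the thread.


@dataclass(frozen=True)
class RR:
    """One resource record as seen after RRSIG processing.

    'signed' is True only when an RRSIG over this RRset validated against
    a key chained to the trust anchor; an unsigned DS or NSEC in a signed
    parent cannot be trusted.
    """
    name: str
    rtype: str
    rdata: str = ""
    signed: bool = False


def _canon(name: str) -> str:
    """Normalise an owner name: lower case, single trailing dot."""
    return name.rstrip(".").lower() + "."


def _nsec_types(rdata: str) -> set[str]:
    """NSEC rdata is '<next owner> TYPE TYPE ...'; return the type bitmap."""
    return set(rdata.split()[1:])


def classify_delegation(child: str, authority: list[RR]) -> str:
    """Classify a referral for 'child' from its authority-section records.

    Returns one of:
      'secure'   validated DS RRset for the child is present
      'insecure' validated NSEC at the child proves NS present and DS absent
      'bogus'    DS or NSEC present but not validated
      'unknown'  no DS and no denial in the referral; the resolver must
                 issue an explicit DS query before deciding anything
    """
    child = _canon(child)

    ds = [rr for rr in authority if rr.rtype == "DS" and _canon(rr.name) == child]
    if ds:
        return "secure" if all(rr.signed for rr in ds) else "bogus"

    for rr in authority:
        if rr.rtype == "NSEC" and _canon(rr.name) == child:
            types = _nsec_types(rr.rdata)
            # RFC 4035 section 5.2: the NSEC proving an insecure delegation
            # must have the NS bit set and the DS (and SOA) bits clear.
            if "NS" in types and "DS" not in types and "SOA" not in types:
                return "insecure" if rr.signed else "bogus"

    return "unknown"


# Constructed referrals from a hypothetical signed parent 'parent.test.'
CHILD = "child.parent.test."
NS_RR = RR(CHILD, "NS", "ns1.child.parent.test.")

SECURE_REFERRAL = [NS_RR, RR(CHILD, "DS", "2371 13 2 PLACEHOLDERDIGEST", signed=True)]
INSECURE_REFERRAL = [NS_RR, RR(CHILD, "NSEC", "d.parent.test. NS RRSIG NSEC", signed=True)]
BARE_REFERRAL = [NS_RR]  # nothing for the validator to chew on
UNSIGNED_DS_REFERRAL = [NS_RR, RR(CHILD, "DS", "2371 13 2 PLACEHOLDERDIGEST")]


if __name__ == "__main__":
    for label, auth in [("signed -> signed", SECURE_REFERRAL),
                        ("signed -> unsigned", INSECURE_REFERRAL),
                        ("bare referral", BARE_REFERRAL),
                        ("unsigned DS", UNSIGNED_DS_REFERRAL)]:
        print(f"{label:20s} {classify_delegation(CHILD, auth)}")
```

The 'unknown' branch is the one worth keeping in a test suite: a resolver that treats it as 'insecure' without sending the DS query silently downgrades every delegation whose referral happens to omit the denial records.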