RRSIGs without DNSKEYs in insecure zone

Casey Deccio casey at deccio.net
Wed Aug 18 23:11:56 UTC 2010


Using BIND 9.6.2-P2 and 9.7.1.P2 configured for DNSSEC validation with DLV I
experience the following issue.  When I attempt to resolve www.jobcorps.gov
I get a SERVFAIL message.  The authoritative servers return an RRSIG
covering the A RR, but the resolver is unable to validate it because it
cannot retrieve the DNSKEYs.  The servers are attempting to send packets
exceeding their PMTU and they apparently don't accept TCP connections, which
means that a resolver can't get a complete response for DNSKEYs.

Despite the server misconfigurations, the delegation from .GOV is insecure,
so ultimately the result should return insecure data, rather than
failure.  Thoughts?

Regards,
Casey
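
The security-status decision behind the question above, as an added example that is not part of the original post and is not BIND's code: a simplified model of RFC 4035 status determination with a lookaside (DLV) check. The class, function names and the zone `example.gov.` are hypothetical, and the sample chains are constructed.

```python
from dataclasses import dataclass
from typing import List, Tuple

SECURE, INSECURE, BOGUS = "secure", "insecure", "bogus"

@dataclass
class ZoneCut:                 # hypothetical model of one delegation point
    name: str
    ds_in_parent: bool         # parent served a validated DS RRset
    no_ds_proven: bool         # parent served a validated proof that no DS exists
    dlv_record: bool           # lookaside registry holds a DLV RRset for this zone
    dnskey_fetchable: bool     # complete DNSKEY RRset obtainable (fits UDP, or TCP works)
    sigs_verify: bool = True   # RRSIGs verify once the keys are in hand

def classify(chain: List[ZoneCut]) -> str:
    """Walk the zone cuts from the trust anchor down to the answer's zone."""
    status = SECURE                               # state at the configured anchor
    for cut in chain:
        if cut.dlv_record or (status == SECURE and cut.ds_in_parent):
            # Zone is anchored (DS or DLV): its keys are now mandatory.
            if not (cut.dnskey_fetchable and cut.sigs_verify):
                return BOGUS
            status = SECURE
        elif status == SECURE and not cut.no_ds_proven:
            return BOGUS                          # neither a DS nor proof of its absence
        else:
            status = INSECURE                     # RRSIGs below here are not validated
    return status

def resolver_reply(chain: List[ZoneCut]) -> Tuple[str, bool]:
    """Map the status to (RCODE, AD bit) as a validating resolver would answer."""
    return {SECURE: ("NOERROR", True),
            INSECURE: ("NOERROR", False),
            BOGUS: ("SERVFAIL", False)}[classify(chain)]

def sample_chain(dlv_record: bool, dnskey_fetchable: bool, ds: bool = False):
    """Constructed chain: signed parent, child zone with the given properties."""
    return [ZoneCut("gov.", True, False, False, True),
            ZoneCut("example.gov.", ds, not ds, dlv_record, dnskey_fetchable)]

if __name__ == "__main__":
    # Insecure delegation, no DLV entry, DNSKEY unreachable: stray RRSIGs are ignored.
    print(resolver_reply(sample_chain(dlv_record=False, dnskey_fetchable=False)))
    # Same zone, but a DLV entry anchors it: the missing DNSKEY makes the answer bogus.
    print(resolver_reply(sample_chain(dlv_record=True, dnskey_fetchable=False)))
```

In this model the unreachable DNSKEY RRset only produces SERVFAIL when a DS or DLV record anchors the zone, so the lookaside registry is the first thing to check when an insecure delegation fails this way.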