RRSIGs without DNSKEYs in insecure zone

Paul Wouters paul at xelerance.com
Wed Aug 18 23:33:33 UTC 2010


On Wed, 18 Aug 2010, Casey Deccio wrote:

> Using BIND 9.6.2-P2 and 9.7.1.P2 configured for DNSSEC validation with DLV I experience the following issue.  When I
> attempt to resolve www.jobcorps.gov I get a SERVFAIL message.  The authoritative servers return an RRSIG covering the
> A RR, but the resolver is unable to validate it because it cannot retrieve the DNSKEYs.  The servers are attempting to
> send packets exceeding their PMTU and they apparently don't accept TCP connections, which means that a resolver can't
> get a complete response for DNSKEYs.
> 
> Despite the server misconfigurations, the delegation from .GOV is insecure, so ultimately the result should return
> insecure data, rather than failure.  Thoughts?

If the domain is in the DLV, then it is treated as having a secure entry
point just as if the parent had a DS record, and any missing DNSKEYs
are considered a downgrade attack to lure you into spoofed, faked data.

Paul
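The following Python is an added illustration of the validator logic the two messages above argue about; it is not BIND's code and not something from the original thread. It models how a DLV-aware validator decides between Insecure, Secure and Bogus (the Bogus result is what the client sees as SERVFAIL): a zone with no DS in its parent and no DLV entry is Insecure and its RRSIGs are simply ignored, but as soon as a DLV entry supplies a secure entry point the DNSKEY RRset becomes mandatory, and a DNSKEY answer that cannot be fetched (too big for the path MTU over UDP, and the server refuses TCP) is indistinguishable from a stripped one. The zone name `example.gov.`, the response sizes, the path MTU and the DLV registry contents are all constructed for the example.

```python
"""Toy model of a DLV-aware DNSSEC validator's security-state decision.

Added illustration only: this is not BIND's implementation.  All zone data,
sizes and the DLV registry below are constructed for the example.  Outcomes
use RFC 4035 terminology: secure, insecure, bogus.  A validating resolver
returns SERVFAIL to its client for a bogus result.
"""
from dataclasses import dataclass, field, replace

SECURE, INSECURE, BOGUS = "secure", "insecure", "bogus"
PATH_MTU = 1500          # assumed: larger UDP answers are fragmented and lost
TRUST_ANCHORS = {"."}    # assumed: only the root key is configured


@dataclass
class Zone:
    name: str
    ds_in_parent: bool             # parent publishes a DS record for this zone
    dnskey_size: int               # size of the DNSKEY response in bytes
    accepts_tcp: bool = True       # authoritative servers answer over TCP
    signed_rrsets: set = field(default_factory=set)   # RRsets that carry RRSIGs


# Constructed chain: root and gov. are signed and delegated securely; the leaf
# signs its A RRset but has no DS in gov., serves an oversized DNSKEY response
# and refuses TCP (the failure mode described in the thread).
ZONES = {
    ".": Zone(".", ds_in_parent=True, dnskey_size=800),
    "gov.": Zone("gov.", ds_in_parent=True, dnskey_size=900),
    "example.gov.": Zone("example.gov.", ds_in_parent=False, dnskey_size=2100,
                         accepts_tcp=False, signed_rrsets={"A"}),
}


def zone_chain(qname: str, zones: dict) -> list:
    """Zones on the path from the root down to the zone holding qname."""
    return sorted((z for z in zones.values() if qname.endswith(z.name)),
                  key=lambda z: len(z.name))


def has_secure_entry_point(zone: Zone, dlv_registry: set) -> bool:
    """Trust anchor, DS in the parent, or a DLV entry all anchor the zone."""
    return (zone.name in TRUST_ANCHORS or zone.ds_in_parent
            or zone.name in dlv_registry)


def dnskey_retrievable(zone: Zone) -> bool:
    """UDP works only if the answer fits the path MTU; otherwise TCP is needed."""
    return zone.dnskey_size <= PATH_MTU or zone.accepts_tcp


def diagnose_dnskey(zone: Zone) -> str:
    """Human-readable reason for a DNSKEY fetch result (constructed wording)."""
    if zone.dnskey_size <= PATH_MTU:
        return "DNSKEY answer fits in a UDP response"
    if zone.accepts_tcp:
        return f"DNSKEY answer ({zone.dnskey_size} B) exceeds path MTU {PATH_MTU}; TCP fallback works"
    return (f"DNSKEY answer ({zone.dnskey_size} B) exceeds path MTU {PATH_MTU} "
            "and the server refuses TCP: DNSKEY unreachable")


def validate(qname: str, rrtype: str, dlv_registry: set, zones: dict = ZONES) -> str:
    """Walk the delegation chain and return the security state of the answer."""
    chain = zone_chain(qname, zones)
    for zone in chain:
        if not has_secure_entry_point(zone, dlv_registry):
            # Insecure delegation: the chain of trust stops here.  Whatever
            # RRSIGs the child serves are not consulted at all.
            return INSECURE
        # The zone is expected to be signed, so its DNSKEY RRset is mandatory.
        if not dnskey_retrievable(zone):
            return BOGUS   # a missing DNSKEY could be a downgrade attack
    holder = chain[-1]
    if rrtype not in holder.signed_rrsets:
        return BOGUS       # signed zone, but no RRSIG (and no NSEC proof) here
    return SECURE


def client_rcode(state: str) -> str:
    """What the stub resolver sees for each validation state."""
    return "SERVFAIL" if state == BOGUS else "NOERROR"


def run_scenarios() -> dict:
    """The three cases the thread raises: same broken leaf, different anchors."""
    qname, leaf = "www.example.gov.", ZONES["example.gov."]
    fixed = {**ZONES, "example.gov.": replace(leaf, accepts_tcp=True)}
    return {
        "no DS, not in DLV": validate(qname, "A", set()),
        "no DS, listed in DLV": validate(qname, "A", {"example.gov."}),
        "listed in DLV, TCP fixed": validate(qname, "A", {"example.gov."}, fixed),
    }


if __name__ == "__main__":
    for case, state in run_scenarios().items():
        print(f"{case:28s} -> {state:8s} ({client_rcode(state)})")
    print(diagnose_dnskey(ZONES["example.gov."]))
```

Against a real zone the equivalent check is to fetch the DNSKEY RRset with `dig +dnssec` at a small EDNS buffer (`+bufsize=512`) and then with `+tcp`: if the UDP answer comes back truncated and the TCP query is refused or times out, a DLV-anchored or DS-anchored validator has no way to reach a secure result and will answer SERVFAIL exactly as modelled above.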


