RRSIGs without DNSKEYs in insecure zone
Casey Deccio
casey at deccio.net
Wed Aug 18 23:39:04 UTC 2010
On Wed, Aug 18, 2010 at 4:33 PM, Paul Wouters <paul at xelerance.com> wrote:
> On Wed, 18 Aug 2010, Casey Deccio wrote:
>
>> Using BIND 9.6.2-P2 and 9.7.1.P2 configured for DNSSEC validation with DLV
>> I experience the following issue. When I
>> attempt to resolve www.jobcorps.gov I get a SERVFAIL message. The
>> authoritative servers return an RRSIG covering the
>> A RR, but the resolver is unable to validate it because it cannot retrieve
>> the DNSKEYs. The servers are attempting to
>> send packets exceeding their PMTU and they apparently don't accept TCP
>> connections, which means that a resolver can't
>> get a complete response for DNSKEYs.
>>
>> Despite the server misconfigurations, the delegation from .GOV is
>> insecure, so ultimately the result should return
>> insecure data, rather than failure. Thoughts?
>>
>
> If the domain is in the DLV, then it is treated as having a secure entry
> point just as if the parent had a DS record, and any missing DNSKEYs
> are considered a downgrade attack to lure you into spoofed faked data.
>
>
True, but only .GOV is registered in the DLV, jobcorps.gov is not.
Incidentally, unbound returns an insecure response for this.
Regards,
Casey
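The trust-chain reasoning the two replies disagree on, as an added example that is not part of the thread: a simplified model of how a validating resolver decides a name's status when it consults both DS records and a DLV registry. The scenario data (only gov. in the DLV, no DS for jobcorps.gov, jobcorps.gov DNSKEY unreachable, no root trust anchor) is constructed from the report above.

```python
SECURE, INSECURE, BOGUS = "secure", "insecure", "bogus"

def chain_status(zones, ds_at_parent, dlv_anchors, dnskey_reachable):
    """Walk the zone cuts top-down and return (status, zone where it was decided).

    zones:            zone cuts on the path to the name, top-most first
    ds_at_parent:     zones whose parent publishes a validated DS for them
    dlv_anchors:      zones that have an entry in the DLV registry
    dnskey_reachable: zones whose DNSKEY RRset could actually be fetched
    """
    status = INSECURE  # assumption: no root trust anchor configured
    for zone in zones:
        # A secure entry point is a DS from an already-secure parent, or a DLV entry.
        has_entry_point = (status == SECURE and zone in ds_at_parent) or zone in dlv_anchors
        if not has_entry_point:
            # A secure parent proved "no DS" (or the parent was already insecure):
            # the chain ends here and this zone and everything below is insecure.
            status = INSECURE
            continue
        if zone not in dnskey_reachable:
            # Entry point exists but the DNSKEY cannot be obtained: accepting
            # unsigned data here would be a downgrade, so the answer is bogus.
            return BOGUS, zone
        status = SECURE
    return status, zones[-1]

# Constructed scenario modelled on the thread.
THREAD_CASE = dict(zones=["gov.", "jobcorps.gov."],
                   ds_at_parent=set(),
                   dlv_anchors={"gov."},
                   dnskey_reachable={"gov."})

def thread_outcome():
    """Status a validator should reach for the report above."""
    return chain_status(**THREAD_CASE)

def if_jobcorps_were_in_dlv():
    """The case Paul describes: the zone itself has a DLV entry."""
    case = dict(THREAD_CASE, dlv_anchors={"gov.", "jobcorps.gov."})
    return chain_status(**case)

if __name__ == "__main__":
    print("as reported:", thread_outcome())          # ('insecure', 'jobcorps.gov.')
    print("if in DLV:  ", if_jobcorps_were_in_dlv())  # ('bogus', 'jobcorps.gov.')
```

The first call reproduces the "insecure" result unbound returns; the second shows why a DLV entry (or a DS in gov) would turn the unreachable DNSKEY into a bogus answer instead.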