DS queries on parents vs. "correct behaviour" in answering

Mark Andrews marka at isc.org
Sat Dec 4 22:04:28 UTC 2010


In message <02d001cb93f5$513ca2b0$f3b5e810$@janssen at eurid.eu>, "Peter Janssen" 
writes:
> When a validating resolver queries the parent of a zone for the DS
> record(s),
> and the (child) zone is NOT signed,  the response contains no answer
> but it does contain NSEC (NSEC3) record(s) in the authority section
> together with corresponding RRSIG records (parent zone is signed).
> Would it be considered ok, harmful, not allowed, (any other word)
> to include in that answer the NS RRSET for the child zone
> (obviously without any RRSIG)?
> 
> Against RFC? Not specified?
> Would it break resolvers?  Any or all implementations?
> 
> What do you think?

The server is broken.  The DS records are part of the parent zone
and the authority section should reflect that.  DNSSEC unaware parent
servers return referrals to the child zone.  A resolver seeing such a
referral is likely to just drop the response and move on to the next
server.

I suspect you are asking this because of x.dns.be's answers.  Note
the answer is also missing the SOA record required for negative caching
(RFC 2308).

Mark

; <<>> DiG 9.6.0-APPLE-P2 <<>> foo.be +dnssec @x.dns.be +norec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40730
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;foo.be.				IN	A

;; AUTHORITY SECTION:
foo.be.			86400	IN	NS	ns6.gandi.net.
foo.be.			86400	IN	NS	ka.quuxlabs.com.
ba141snrnoe1rc9mddgrest23g657rir.be. 600 IN NSEC3 1 1 5 1A4E9B6C BB7ONI6L9S8J5E3K6HUQ7C41J1AN85CR NS SOA RRSIG DNSKEY NSEC3PARAM TYPE65534
ba141snrnoe1rc9mddgrest23g657rir.be. 600 IN RRSIG NSEC3 8 2 600 20101207140244 20101130135115 61344 be. ZzvHV36wtbQ9woSfpc6nltz+tPc9GStoiEj4Fux+w70xkroPgjCtXhoY jC1uErBEAIKVoMKijb4TbFkssppxTZPvsqqYO3nE6ANWm85pHpP/q9VI eMk8RKcopptowjT9opikpvOJnOxlq3zTWBBoUjpyc6ZhJAPun3RPbQg5 Lfw=
040gpts32ds6q6unjgf8eh7bpal1m1ik.be. 600 IN NSEC3 1 1 5 1A4E9B6C 06JFHM0ATMQQJ2C08HOFHCO313VOSEEG NS DS RRSIG
040gpts32ds6q6unjgf8eh7bpal1m1ik.be. 600 IN RRSIG NSEC3 8 2 600 20101207152009 20101130151117 61344 be. Rk1cwdoDfSo99pNPyBzducYv3CRa4qh3fpQmJifDWCxnR3WIAElwaqrV dh9czL06jPBBGFTJLzSYs+jbxmrt/iK3EE7E/0Z+AJiZTMBhO+LOY2YM U2sU9SX7/cZvtKvIN73/HI1VegcNrDFCqrJvU9zsaUmDwynLGqolzWBV tGI=

;; Query time: 483 msec
;; SERVER: 2001:678:4::a#53(2001:678:4::a)
;; WHEN: Sun Dec  5 09:00:21 2010
;; MSG SIZE  rcvd: 620

> Thanks.
> 
> --Pj.
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
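To make the shape of a correct DS answer concrete, here is a small checker written for this page as an added example; it is not code from the thread, from BIND, or from x.dns.be. It models a response as a few constructed records (the sample records below are made up to mirror the dig output above, reshaped as a DS query, with a second, well-formed variant for contrast) and flags the two defects the reply names: a child NS RRset in the authority section, which makes the response look like a referral, and a missing parent SOA, which RFC 2308 requires for negative caching. The AA-flag and RRSIG-coverage checks are the example's own additions, based on the DS RRset living in the parent zone; the class and function names are assumptions, not any resolver's API.

```python
"""Classify a DS-at-parent response as a proper DNSSEC NODATA answer or
a broken referral-style answer.  Added example; record data below is
constructed to mirror the dig output in the thread, not captured."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class RR:
    name: str
    rtype: str
    covers: str = ""      # RRSIG only: the RRtype it signs


@dataclass
class Response:
    qname: str
    qtype: str
    rcode: str
    aa: bool
    answer: List[RR] = field(default_factory=list)
    authority: List[RR] = field(default_factory=list)


def classify_ds_response(resp: Response, parent_zone: str) -> List[str]:
    """Return a list of problems; an empty list means the response is a
    well-formed authoritative NODATA proof that no DS exists."""
    problems: List[str] = []
    if resp.qtype != "DS":
        return ["not a DS query"]
    if any(rr.rtype == "DS" and rr.name == resp.qname for rr in resp.answer):
        return problems   # secure delegation: DS present, nothing to prove
    if resp.rcode != "NOERROR":
        problems.append(f"rcode {resp.rcode}: an existing but unsigned "
                        "delegation must yield NOERROR/NODATA")
    if not resp.aa:
        problems.append("AA not set: the DS RRset belongs to the parent "
                        "zone, which must answer authoritatively")
    auth_types = {rr.rtype for rr in resp.authority}
    if not any(rr.rtype == "SOA" and rr.name == parent_zone
               for rr in resp.authority):
        problems.append("no parent SOA in authority "
                        "(required for negative caching, RFC 2308)")
    if any(rr.rtype == "NS" and rr.name == resp.qname
           for rr in resp.authority):
        problems.append("child NS RRset in authority: this is a referral, "
                        "not a DS NODATA answer")
    if not auth_types & {"NSEC", "NSEC3"}:
        problems.append("no NSEC/NSEC3 proving the DS RRset is absent")
    signed = {rr.covers for rr in resp.authority if rr.rtype == "RRSIG"}
    for t in sorted(auth_types & {"SOA", "NSEC", "NSEC3"}):
        if t not in signed:
            problems.append(f"{t} in authority has no matching RRSIG")
    return problems


# Constructed sample 1: the x.dns.be style answer (NS for the child, NSEC3
# chain, no SOA, AA clear), rewritten as if it were a DS query.
BROKEN = Response(
    qname="foo.be.", qtype="DS", rcode="NOERROR", aa=False,
    authority=[
        RR("foo.be.", "NS"), RR("foo.be.", "NS"),
        RR("ba141snrnoe1rc9mddgrest23g657rir.be.", "NSEC3"),
        RR("ba141snrnoe1rc9mddgrest23g657rir.be.", "RRSIG", "NSEC3"),
        RR("040gpts32ds6q6unjgf8eh7bpal1m1ik.be.", "NSEC3"),
        RR("040gpts32ds6q6unjgf8eh7bpal1m1ik.be.", "RRSIG", "NSEC3"),
    ])

# Constructed sample 2: what the reply says the parent should return.
GOOD = Response(
    qname="foo.be.", qtype="DS", rcode="NOERROR", aa=True,
    authority=[
        RR("be.", "SOA"), RR("be.", "RRSIG", "SOA"),
        RR("ba141snrnoe1rc9mddgrest23g657rir.be.", "NSEC3"),
        RR("ba141snrnoe1rc9mddgrest23g657rir.be.", "RRSIG", "NSEC3"),
        RR("040gpts32ds6q6unjgf8eh7bpal1m1ik.be.", "NSEC3"),
        RR("040gpts32ds6q6unjgf8eh7bpal1m1ik.be.", "RRSIG", "NSEC3"),
    ])


if __name__ == "__main__":
    for label, resp in (("broken", BROKEN), ("good", GOOD)):
        print(label, classify_ds_response(resp, "be.") or ["ok"])
```

Running it lists three problems for the first sample (AA clear, no parent SOA, child NS RRset present) and none for the second; a validating resolver that applies the same rules would discard the first answer and retry another parent server, which is the behaviour the reply warns about.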