DS queries on parents vs. "correct behaviour" in answering

Mark Andrews marka at isc.org
Sat Dec 4 22:08:01 UTC 2010


Mark Andrews writes:
> 
> In message <02d001cb93f5$513ca2b0$f3b5e810$@janssen at eurid.eu>, "Peter Janssen
> " 
> writes:
> > When a validating resolver queries the parent of a zone for the DS
> > record(s),
> > and the (child) zone is NOT signed,  the response contains no answer
> > but it does contain NSEC (NSEC3) record(s) in the authority section
> > together with corresponding RRSIG records (parent zone is signed).
> > Would it be considered ok, harmful, not allowed, (any other word)
> > to include in that answer the NS RRSET for the child zone
> > (obviously without any RRSIG)?
> > 
> > Against RFC? Not specified?
> > Would it break resolvers?  Any or all implementations?
> > 
> > What do you think?
> 
> The server is broken.  The DS records are part of the parent zone
> and the authority section should reflect that.  DNSSEC unaware parent
> servers return referrals to the child zone.  A resolver seeing such a
> referral is likely to just drop the response and move on to the next
> server.
> 
> I suspect you are asking this because of x.dns.be's answers.  Note
> the answer is also missing the SOA record required for negative caching
> (RFC 2308).
> 
> Mark

It helps if I have the right type in the question.

; <<>> DiG 9.6.0-APPLE-P2 <<>> foo.be +dnssec @x.dns.be +norec ds
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37780
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;foo.be.				IN	DS

;; AUTHORITY SECTION:
foo.be.			86400	IN	NS	ns6.gandi.net.
foo.be.			86400	IN	NS	ka.quuxlabs.com.
ba141snrnoe1rc9mddgrest23g657rir.be. 600 IN NSEC3 1 1 5 1A4E9B6C BB7ONI6L9S8J5E3K6HUQ7C41J1AN85CR NS SOA RRSIG DNSKEY NSEC3PARAM TYPE65534
ba141snrnoe1rc9mddgrest23g657rir.be. 600 IN RRSIG NSEC3 8 2 600 20101207140244 20101130135115 61344 be. ZzvHV36wtbQ9woSfpc6nltz+tPc9GStoiEj4Fux+w70xkroPgjCtXhoY jC1uErBEAIKVoMKijb4TbFkssppxTZPvsqqYO3nE6ANWm85pHpP/q9VI eMk8RKcopptowjT9opikpvOJnOxlq3zTWBBoUjpyc6ZhJAPun3RPbQg5 Lfw=
040gpts32ds6q6unjgf8eh7bpal1m1ik.be. 600 IN NSEC3 1 1 5 1A4E9B6C 06JFHM0ATMQQJ2C08HOFHCO313VOSEEG NS DS RRSIG
040gpts32ds6q6unjgf8eh7bpal1m1ik.be. 600 IN RRSIG NSEC3 8 2 600 20101207152009 20101130151117 61344 be. Rk1cwdoDfSo99pNPyBzducYv3CRa4qh3fpQmJifDWCxnR3WIAElwaqrV dh9czL06jPBBGFTJLzSYs+jbxmrt/iK3EE7E/0Z+AJiZTMBhO+LOY2YM U2sU9SX7/cZvtKvIN73/HI1VegcNrDFCqrJvU9zsaUmDwynLGqolzWBV tGI=

;; Query time: 483 msec
;; SERVER: 2001:678:4::a#53(2001:678:4::a)
;; WHEN: Sun Dec  5 09:06:10 2010
;; MSG SIZE  rcvd: 620

> 
> ; <<>> DiG 9.6.0-APPLE-P2 <<>> foo.be +dnssec @x.dns.be +norec
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40730
> ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;foo.be.				IN	A
> 
> ;; AUTHORITY SECTION:
> foo.be.			86400	IN	NS	ns6.gandi.net.
> foo.be.			86400	IN	NS	ka.quuxlabs.com.
> ba141snrnoe1rc9mddgrest23g657rir.be. 600 IN NSEC3 1 1 5 1A4E9B6C BB7ONI6L9S8J5E3K6HUQ7C41J1AN85CR NS SOA RRSIG DNSKEY NSEC3PARAM TYPE65534
> ba141snrnoe1rc9mddgrest23g657rir.be. 600 IN RRSIG NSEC3 8 2 600 20101207140244 20101130135115 61344 be. ZzvHV36wtbQ9woSfpc6nltz+tPc9GStoiEj4Fux+w70xkroPgjCtXhoY jC1uErBEAIKVoMKijb4TbFkssppxTZPvsqqYO3nE6ANWm85pHpP/q9VI eMk8RKcopptowjT9opikpvOJnOxlq3zTWBBoUjpyc6ZhJAPun3RPbQg5 Lfw=
> 040gpts32ds6q6unjgf8eh7bpal1m1ik.be. 600 IN NSEC3 1 1 5 1A4E9B6C 06JFHM0ATMQQJ2C08HOFHCO313VOSEEG NS DS RRSIG
> 040gpts32ds6q6unjgf8eh7bpal1m1ik.be. 600 IN RRSIG NSEC3 8 2 600 20101207152009 20101130151117 61344 be. Rk1cwdoDfSo99pNPyBzducYv3CRa4qh3fpQmJifDWCxnR3WIAElwaqrV dh9czL06jPBBGFTJLzSYs+jbxmrt/iK3EE7E/0Z+AJiZTMBhO+LOY2YM U2sU9SX7/cZvtKvIN73/HI1VegcNrDFCqrJvU9zsaUmDwynLGqolzWBV tGI=
> 
> ;; Query time: 483 msec
> ;; SERVER: 2001:678:4::a#53(2001:678:4::a)
> ;; WHEN: Sun Dec  5 09:00:21 2010
> ;; MSG SIZE  rcvd: 620
> 
> > Thanks.
> > 
> > --Pj.
> > _______________________________________________
> > bind-users mailing list
> > bind-users at lists.isc.org
> > https://lists.isc.org/mailman/listinfo/bind-users
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
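An added check, written for this archive page and not code from the thread, from ISC or from BIND: it parses dig's text output and flags the two defects Mark points out in the x.dns.be answer (no SOA in the authority section of a NODATA response, and the child's NS RRset sitting where a referral would put it), then shows the same check passing on what a DNSSEC-aware parent would return. The parser assumes only dig's text layout. The "corrected" response is constructed for the example: its SOA values, the `ns.example.` names and the RRSIG signature over the SOA are placeholders, while the NSEC3 records and their signatures are the ones quoted above.

```python
"""Check a parent-side DS response (captured as dig text) for the problems
discussed in this thread: a NODATA answer without the parent's SOA (RFC 2308)
and an answer that carries the child's NS RRset as if it were a referral."""
import re
from collections import namedtuple

RR = namedtuple("RR", "owner ttl rrclass rtype rdata")

# NSEC3 proof as returned by x.dns.be for foo.be (taken from the thread above).
NSEC3_PROOF = """\
ba141snrnoe1rc9mddgrest23g657rir.be. 600 IN NSEC3 1 1 5 1A4E9B6C BB7ONI6L9S8J5E3K6HUQ7C41J1AN85CR NS SOA RRSIG DNSKEY NSEC3PARAM TYPE65534
ba141snrnoe1rc9mddgrest23g657rir.be. 600 IN RRSIG NSEC3 8 2 600 20101207140244 20101130135115 61344 be. ZzvHV36wtbQ9woSfpc6nltz+tPc9GStoiEj4Fux+w70xkroPgjCtXhoY jC1uErBEAIKVoMKijb4TbFkssppxTZPvsqqYO3nE6ANWm85pHpP/q9VI eMk8RKcopptowjT9opikpvOJnOxlq3zTWBBoUjpyc6ZhJAPun3RPbQg5 Lfw=
040gpts32ds6q6unjgf8eh7bpal1m1ik.be. 600 IN NSEC3 1 1 5 1A4E9B6C 06JFHM0ATMQQJ2C08HOFHCO313VOSEEG NS DS RRSIG
040gpts32ds6q6unjgf8eh7bpal1m1ik.be. 600 IN RRSIG NSEC3 8 2 600 20101207152009 20101130151117 61344 be. Rk1cwdoDfSo99pNPyBzducYv3CRa4qh3fpQmJifDWCxnR3WIAElwaqrV dh9czL06jPBBGFTJLzSYs+jbxmrt/iK3EE7E/0Z+AJiZTMBhO+LOY2YM U2sU9SX7/cZvtKvIN73/HI1VegcNrDFCqrJvU9zsaUmDwynLGqolzWBV tGI=
"""

# The answer quoted in the thread: header, question and authority sections only.
BROKEN = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37780
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1

;; QUESTION SECTION:
;foo.be.\t\t\t\tIN\tDS

;; AUTHORITY SECTION:
foo.be.\t\t\t86400\tIN\tNS\tns6.gandi.net.
foo.be.\t\t\t86400\tIN\tNS\tka.quuxlabs.com.
""" + NSEC3_PROOF

# Constructed: the shape a DNSSEC-aware parent should return for the same query.
# SOA names/timers and the RRSIG signature over it are placeholders, not real data.
CORRECTED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1

;; QUESTION SECTION:
;foo.be.\t\t\t\tIN\tDS

;; AUTHORITY SECTION:
be.\t\t\t600\tIN\tSOA\tns.example. hostmaster.example. 2010120500 3600 600 604800 600
be.\t\t\t600\tIN\tRRSIG\tSOA 8 1 600 20101207140244 20101130135115 61344 be. PLACEHOLDERSIGNATURE=
""" + NSEC3_PROOF


def parse_dig(text):
    """Parse dig's text output into (status, flags, sections).

    sections maps QUESTION/ANSWER/AUTHORITY/ADDITIONAL to lists of RR; question
    entries carry ttl=None and empty rdata.  Only dig's text layout is assumed."""
    status, flags = None, []
    sections = {k: [] for k in ("QUESTION", "ANSWER", "AUTHORITY", "ADDITIONAL")}
    current = None
    for line in text.splitlines():
        if line.startswith(";; ->>HEADER<<-"):
            m = re.search(r"status: (\w+)", line)
            status = m.group(1) if m else None
            continue
        if line.startswith(";; flags:"):
            flags = line.split("flags:", 1)[1].split(";", 1)[0].split()
            continue
        m = re.match(r";; (\w+) SECTION:", line)
        if m:
            current = m.group(1)
            continue
        if not line.strip() or current is None:
            continue
        if current == "QUESTION":
            if line.startswith(";"):
                owner, rrclass, rtype = line.lstrip(";").split()
                sections[current].append(RR(owner, None, rrclass, rtype, ""))
            continue
        if line.startswith(";"):  # comment or statistics line, not a record
            continue
        owner, ttl, rrclass, rtype, rdata = line.split(None, 4)
        sections[current].append(RR(owner, int(ttl), rrclass, rtype, rdata))
    return status, flags, sections


def check_ds_response(text):
    """Return a list of findings for a DS query answered by the parent.

    An empty list means the response has the shape a validator expects: an
    authoritative NODATA carrying the parent's SOA plus signed NSEC/NSEC3."""
    status, flags, secs = parse_dig(text)
    if not secs["QUESTION"]:
        return ["no question section"]
    qname, qtype = secs["QUESTION"][0].owner, secs["QUESTION"][0].rtype
    findings = []
    if qtype != "DS":
        findings.append(f"question type is {qtype}, not DS")
    auth = secs["AUTHORITY"]
    types = {rr.rtype for rr in auth}
    if status == "NOERROR" and not secs["ANSWER"]:
        # NODATA: RFC 2308 requires the zone's SOA so the negative answer can be cached
        if "SOA" not in types:
            findings.append("NODATA response without SOA in AUTHORITY (RFC 2308 negative caching)")
        if "NSEC" not in types and "NSEC3" not in types:
            findings.append("no NSEC/NSEC3 record proving the DS RRset is absent")
        # The DS RRset lives in the parent; the child's NS RRset belongs in a referral, not here
        if any(rr.rtype == "NS" and rr.owner == qname for rr in auth):
            findings.append(f"AUTHORITY carries the NS RRset of {qname}: looks like a referral, not a parent-side NODATA")
        if "aa" not in flags:
            findings.append("aa flag not set on an answer the parent is authoritative for")
    # Each proof record needs a covering RRSIG or a validator cannot use it
    signed = {(rr.owner, rr.rdata.split()[0]) for rr in auth if rr.rtype == "RRSIG"}
    for rr in auth:
        if rr.rtype in ("SOA", "NSEC", "NSEC3") and (rr.owner, rr.rtype) not in signed:
            findings.append(f"{rr.rtype} at {rr.owner} has no covering RRSIG")
    return findings


if __name__ == "__main__":
    for label, capture in (("x.dns.be answer", BROKEN), ("corrected answer", CORRECTED)):
        print(label + ":")
        for f in check_ds_response(capture) or ["ok"]:
            print("  -", f)
```

Run against a live capture by piping `dig <child> DS @<parent-server> +dnssec +norec` into a file and passing its contents to `check_ds_response`; the function reports only on what is in the authority section and header, so a DS query that is answered with an actual DS RRset (ANSWER non-empty) yields no NODATA findings.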