[dns-operations] Bind 9.8.0 intermittent problem with non-recursive responses

Carlos Vicente cvicente.lists at gmail.com
Fri May 20 17:53:23 UTC 2011


So, if I understand you correctly, if I were to sign my authoritative
zone and my caching nameserver, which is "bogus" for this zone, is
DNSSEC enabled, and also validating, and no other validating
nameserver is querying this bogus nameserver, then it's OK?

cv

On Thu, May 19, 2011 at 11:16 PM, Marc Lampo <marc.lampo at eurid.eu> wrote:
> Implementation specific, probably, but with Bind it's the authoritative
> part that wins!
>
> (assuming the caching name server is DNSSEC enabled, possibly even
> validating DNSSEC, then)
>
> If Bind is caching for all,
> but authoritative for some domains (I think this is called: "bogus for
> some domains"),
> a query for something in those domains where it is bogus,
> gets a reply with "AA" set.
> This regardless of whether the official/public domain has or has no
> DNSSEC information itself.
> --> so, the bogus name server will produce acceptable results
>    (yes, we - the Internet community - have been doing this for years,
>     making our caching name server bogus for our own public domains)
>
> But the problem is for "validating resolvers" (like validating forwarding
> name servers),
> that use this name server:
> because the validating resolver asks for DS records,
> because the DS records are in the *parent* zone,
> the validating resolver gets DS records (for public, signed, domains)
> and will *insist* on replies it can validate (signed with correct key).
> If the "bogus" domain is not signed, that will fail ...
>
> (cfr http://www.eurid.eu/files/Insights_DNSSEC2.pdf,
>  combine info on pages 15+16 (bogus NS) and 17+18 (forwarding NS)
> )
>
> Kind regards,
>
> Marc Lampo
> Security Officer
> EURid
>
>
>
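Marc's point above is that a validating forwarder obtains DS records from the parent and then insists that the reply chains to the key those DS records commit to. As an added example, not from this thread, here is a stdlib-only Python check that the DNSKEY a "bogus" copy serves is the key the parent's DS record describes; the owner name and key bytes are constructed, not real keys, and the point it shows is that a locally signed copy must use the public zone's KSK or the forwarder will still fail.

```python
import base64
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case) wire form of an owner name such as 'example.com.'."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """Wire-format DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B (algorithm 1 case omitted)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8   # even bytes are the high octet of a 16-bit word
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS digest = hash(owner name wire | DNSKEY RDATA); type 1 = SHA-1, 2 = SHA-256."""
    algo = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return algo(name_to_wire(owner) + rdata).hexdigest().upper()

def ds_matches(owner, flags, protocol, algorithm, pubkey_b64, parent_ds):
    """True if the DNSKEY served locally is the key the parent's DS record commits to.
    parent_ds = (key tag, algorithm, digest type, digest hex) as published by the parent."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    tag, alg, dtype, digest = parent_ds
    return (tag == key_tag(rdata) and alg == algorithm
            and digest.upper() == ds_digest(owner, rdata, dtype))

# Constructed sample data (not real keys): the KSK published in the public zone ...
OWNER = "example.com."
PUBLIC_KSK = base64.b64encode(b"constructed public KSK bytes for example.com").decode()
# ... and a different KSK someone used to sign only the internal "bogus" copy.
INTERNAL_KSK = base64.b64encode(b"constructed internal-only KSK bytes").decode()
# The parent's DS is derived from the public KSK (flags 257 = KSK, proto 3, alg 8, SHA-256).
_PUB_RDATA = dnskey_rdata(257, 3, 8, PUBLIC_KSK)
PARENT_DS = (key_tag(_PUB_RDATA), 8, 2, ds_digest(OWNER, _PUB_RDATA, 2))

def public_copy_validates() -> bool:
    """Bogus copy signed with the public KSK: chains to the parent DS."""
    return ds_matches(OWNER, 257, 3, 8, PUBLIC_KSK, PARENT_DS)

def internal_copy_validates() -> bool:
    """Bogus copy signed with its own KSK: the validating forwarder will reject it."""
    return ds_matches(OWNER, 257, 3, 8, INTERNAL_KSK, PARENT_DS)
```

To apply this to a live setup, replace the constructed values with the DNSKEY your bogus server answers with and the DS record `dig DS example.com` returns from the parent.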
