Question about resolver

Mark Andrews marka at isc.org
Fri Apr 26 20:28:42 UTC 2024 

DS records live in the parent zone and the RFC 1034 rules for serving zone break down when a grandparent zone and child zone are served by the same server.  This is corrected be the client by looking for intermediate NS records to find the hidden delegations then resuming the DS lookup.  

Named was looking up theses NS records I.e. chasing the DS servers.   This can result in named finding delegation errors.  QNAME minimisation also exposes these errors as it also does NS queries.  Garbage in breakage out. 
-- 
Mark Andrews

> On 27 Apr 2024, at 00:45, J Doe <general at nativemethods.com> wrote:
> 
> On 2024-04-25 08:55, Josh Kuo wrote:
> 
>> DS = Delegation Signer, it is the record type that a signed child upload
>> to the parent zone. It's difficult to say for sure without more
>> information such as which domain name you are trying to resolve, but
>> looks like it is probably due to a mis-matching DS record between the
>> child and the parent (security lameness).
>> 
>> You can use tools such as
>> https://dnssec-analyzer.verisignlabs.com/online
>> <https://dnssec-analyzer.verisignlabs.com/online> to help you analyze
>> further. If you need to refresh your knowledge on how DNSSEC works, see
>> the ISC DNSSEC Guide:
>> https://bind9.readthedocs.io/en/v9.18.14/dnssec-guide.html
>> <https://bind9.readthedocs.io/en/v9.18.14/dnssec-guide.html>
>> 
>> -Josh
> 
> Hi Josh,
> 
> Thank you for your prompt reply!
> 
> In this particular case, isn't the resolver attempting to do a reverse
> lookup of the IP address that's listed ?
> 
> Secondly, I'm still not entirely sure what the phrasing "chase DS
> servers" means.  I am aware of the DS RR type.
> 
> As a side-note:  I believe the "lame-servers" here is a function of me
> configuring QNAME minimization to "relaxed".
> 
> Thanks,
> 
> - J
> -- 
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> 
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

More information about the bind-users mailing list