On Wed, Aug 18, 2010 at 4:33 PM, Paul Wouters <p...@xelerance.com> wrote:
> On Wed, 18 Aug 2010, Casey Deccio wrote:
>
>> Using BIND 9.6.2-P2 and 9.7.1.P2 configured for DNSSEC validation with DLV
>> I experience the following issue. When I attempt to resolve www.jobcorps.gov
>> I get a SERVFAIL message. The authoritative servers return an RRSIG covering
>> the A RR, but the resolver is unable to validate it because it cannot
>> retrieve the DNSKEYs. The servers are attempting to send packets exceeding
>> their PMTU and they apparently don't accept TCP connections, which means
>> that a resolver can't get a complete response for DNSKEYs.
>>
>> Despite the server misconfigurations, the delegation from .GOV is insecure,
>> so ultimately the result should return insecure data, rather than failure.
>> Thoughts?
>
> If the domain is in the DLV, then it is treated as having a secure entry
> point just as if the parent had a DS record, and any missing DNSKEYs are
> considered a downgrade attack to lure you into spoofed faked data.

True, but only .GOV is registered in the DLV, jobcorps.gov is not.

Incidentally, unbound returns an insecure response for this.

Regards,
Casey
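The disagreement above comes down to where the secure entry point sits. The following is an added example, not code from the thread or from BIND or unbound: a deliberately simplified model of the chain-of-trust walk a validator performs, with constructed zone data that mirrors the case discussed (only .GOV in the DLV, no DS for jobcorps.gov at .GOV, and a jobcorps.gov DNSKEY response that never completes). Signature checking and NSEC/NSEC3 proof handling are left out; the zone set, the function names and the "fetchable DNSKEY" flag are assumptions of the model.

```python
from typing import Iterator, Set

# Constructed data modelling the thread's case (not real zone contents):
# the zone cuts on the path to the name, the DLV/trust-anchor set, the
# delegations that carry a DS at the parent, and the zones whose DNSKEY
# RRset the resolver can actually retrieve. No root trust anchor is
# configured here, matching a DLV-only setup.
ZONES: Set[str] = {".", "gov.", "jobcorps.gov."}
TRUST_ANCHORS: Set[str] = {"gov."}        # only .GOV is registered in the DLV
HAS_DS: Set[str] = set()                  # .GOV publishes no DS for jobcorps.gov
DNSKEY_FETCHABLE: Set[str] = {"gov."}     # jobcorps.gov DNSKEY: oversized UDP, no TCP


def zone_cuts(name: str, zones: Set[str]) -> Iterator[str]:
    """Yield the zone apexes at or above `name`, shallowest first."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels), -1, -1):
        candidate = ".".join(labels[i:]) + "."   # i == len(labels) gives "."
        if candidate in zones:
            yield candidate


def validation_status(name: str, zones: Set[str], trust_anchors: Set[str],
                      has_ds: Set[str], dnskey_fetchable: Set[str]) -> str:
    """Return 'secure', 'insecure' or 'bogus' for `name` (bogus => SERVFAIL)."""
    anchored = False  # is the chain of trust currently unbroken above this cut?
    for zone in zone_cuts(name, zones):
        if zone in trust_anchors:
            # A trust anchor (including a DLV registration) is a secure entry
            # point: the zone's DNSKEY RRset must be retrieved and match the
            # anchor, otherwise the answer is bogus. This is the rule Paul
            # describes.
            if zone not in dnskey_fetchable:
                return "bogus"
            anchored = True
        elif anchored:
            if zone in has_ds:
                # The parent vouches for the child via DS, so the child's
                # DNSKEY is required to continue the chain.
                if zone not in dnskey_fetchable:
                    return "bogus"
            else:
                # The parent (provably) has no DS for this child: the
                # delegation is insecure, and everything below it is treated
                # as unsigned no matter what the child itself serves.
                anchored = False
    return "secure" if anchored else "insecure"


def thread_case() -> str:
    """Casey's configuration: only .GOV in the DLV, no DS for jobcorps.gov."""
    return validation_status("www.jobcorps.gov.", ZONES, TRUST_ANCHORS,
                             HAS_DS, DNSKEY_FETCHABLE)


def if_jobcorps_in_dlv() -> str:
    """Paul's scenario: jobcorps.gov itself registered in the DLV."""
    return validation_status("www.jobcorps.gov.", ZONES,
                             TRUST_ANCHORS | {"jobcorps.gov."},
                             HAS_DS, DNSKEY_FETCHABLE)


if __name__ == "__main__":
    print("only .GOV in DLV:    ", thread_case())        # insecure
    print("jobcorps.gov in DLV: ", if_jobcorps_in_dlv())  # bogus
```

With only .GOV anchored, the walk reaches jobcorps.gov through a delegation with no DS and never needs the unreachable DNSKEY, so the answer is insecure (the unbound behaviour Casey reports). Registering jobcorps.gov in the DLV makes it a secure entry point, and then the failed DNSKEY fetch is indistinguishable from a downgrade attempt and must be bogus. The same holds if .GOV published a DS for jobcorps.gov: a DS with an unretrievable DNSKEY is bogus, a DS with a retrievable one is secure.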
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users