Mark Andrews writes:
>
> In message <02d001cb93f5$513ca2b0$f3b5e8...@janssen@eurid.eu>, "Peter Janssen" writes:
> > When a validating resolver queries the parent of a zone for the DS
> > record(s),
> > and the (child) zone is NOT signed, the response contains no answer
> > but it does contain NSEC (NSEC3) record(s) in the authority section
> > together with corresponding RRSIG records (parent zone is signed).
> > Would it be considered ok, harmful, not allowed, (any other word)
> > to include in that answer the NS RRSET for the child zone
> > (obviously without any RRSIG)?
> >
> > Against RFC? Not specified?
> > Would it break resolvers? Any or all implementations?
> >
> > What do you think?
>
> The server is broken. The DS records are part of the parent zone
> and the authority section should reflect that. DNSSEC unaware parent
> servers return referrals to the child zone. A resolver seeing such a
> referral is likely to just drop the response and move on to the next
> server.
>
> I suspect you are asking this because of x.dns.be's answers. Note
> the answer is also missing the SOA record required for negative caching
> (RFC 2308).
>
> Mark

It helps if I have the right type in the question.

; <<>> DiG 9.6.0-APPLE-P2 <<>> foo.be +dnssec @x.dns.be +norec ds
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37780
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;foo.be. IN DS

;; AUTHORITY SECTION:
foo.be. 86400 IN NS ns6.gandi.net.
foo.be. 86400 IN NS ka.quuxlabs.com.
ba141snrnoe1rc9mddgrest23g657rir.be. 600 IN NSEC3 1 1 5 1A4E9B6C BB7ONI6L9S8J5E3K6HUQ7C41J1AN85CR NS SOA RRSIG DNSKEY NSEC3PARAM TYPE65534
ba141snrnoe1rc9mddgrest23g657rir.be. 600 IN RRSIG NSEC3 8 2 600 20101207140244 20101130135115 61344 be. ZzvHV36wtbQ9woSfpc6nltz+tPc9GStoiEj4Fux+w70xkroPgjCtXhoY jC1uErBEAIKVoMKijb4TbFkssppxTZPvsqqYO3nE6ANWm85pHpP/q9VI eMk8RKcopptowjT9opikpvOJnOxlq3zTWBBoUjpyc6ZhJAPun3RPbQg5 Lfw=
040gpts32ds6q6unjgf8eh7bpal1m1ik.be. 600 IN NSEC3 1 1 5 1A4E9B6C 06JFHM0ATMQQJ2C08HOFHCO313VOSEEG NS DS RRSIG
040gpts32ds6q6unjgf8eh7bpal1m1ik.be. 600 IN RRSIG NSEC3 8 2 600 20101207152009 20101130151117 61344 be. Rk1cwdoDfSo99pNPyBzducYv3CRa4qh3fpQmJifDWCxnR3WIAElwaqrV dh9czL06jPBBGFTJLzSYs+jbxmrt/iK3EE7E/0Z+AJiZTMBhO+LOY2YM U2sU9SX7/cZvtKvIN73/HI1VegcNrDFCqrJvU9zsaUmDwynLGqolzWBV tGI=

;; Query time: 483 msec
;; SERVER: 2001:678:4::a#53(2001:678:4::a)
;; WHEN: Sun Dec 5 09:06:10 2010
;; MSG SIZE rcvd: 620

>
> ; <<>> DiG 9.6.0-APPLE-P2 <<>> foo.be +dnssec @x.dns.be +norec
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40730
> ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;foo.be. IN A
>
> ;; AUTHORITY SECTION:
> foo.be. 86400 IN NS ns6.gandi.net.
> foo.be. 86400 IN NS ka.quuxlabs.com.
> ba141snrnoe1rc9mddgrest23g657rir.be. 600 IN NSEC3 1 1 5 1A4E9B6C BB7ONI6L9S8J
> 5E3K6HUQ7C41J1AN85CR NS SOA RRSIG DNSKEY NSEC3PARAM TYPE65534
> ba141snrnoe1rc9mddgrest23g657rir.be. 600 IN RRSIG NSEC3 8 2 600 2010120714024
> 4 20101130135115 61344 be. ZzvHV36wtbQ9woSfpc6nltz+tPc9GStoiEj4Fux+w70xkroPgj
> CtXhoY jC1uErBEAIKVoMKijb4TbFkssppxTZPvsqqYO3nE6ANWm85pHpP/q9VI eMk8RKcopptow
> jT9opikpvOJnOxlq3zTWBBoUjpyc6ZhJAPun3RPbQg5 Lfw=
> 040gpts32ds6q6unjgf8eh7bpal1m1ik.be. 600 IN NSEC3 1 1 5 1A4E9B6C 06JFHM0ATMQQ
> J2C08HOFHCO313VOSEEG NS DS RRSIG
> 040gpts32ds6q6unjgf8eh7bpal1m1ik.be. 600 IN RRSIG NSEC3 8 2 600 2010120715200
> 9 20101130151117 61344 be. Rk1cwdoDfSo99pNPyBzducYv3CRa4qh3fpQmJifDWCxnR3WIAE
> lwaqrV dh9czL06jPBBGFTJLzSYs+jbxmrt/iK3EE7E/0Z+AJiZTMBhO+LOY2YM U2sU9SX7/cZvt
> KvIN73/HI1VegcNrDFCqrJvU9zsaUmDwynLGqolzWBV tGI=
>
> ;; Query time: 483 msec
> ;; SERVER: 2001:678:4::a#53(2001:678:4::a)
> ;; WHEN: Sun Dec 5 09:00:21 2010
> ;; MSG SIZE rcvd: 620
>
> > Thanks.
> >
> > --Pj.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
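
An added example, not part of the original messages: a small Python check that flags the two defects named in this thread when a DS query gets a no-data response, namely the child NS RRset in the authority section and the missing SOA. The sample input is abbreviated from the dig output above, with the signature data replaced by a placeholder; the function names are hypothetical.

```python
# Abbreviated from the dig output in this thread; RRSIG data replaced by a placeholder.
SAMPLE = """\
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1
;; QUESTION SECTION:
;foo.be. IN DS
;; AUTHORITY SECTION:
foo.be. 86400 IN NS ns6.gandi.net.
foo.be. 86400 IN NS ka.quuxlabs.com.
ba141snrnoe1rc9mddgrest23g657rir.be. 600 IN NSEC3 1 1 5 1A4E9B6C BB7ONI6L9S8J5E3K6HUQ7C41J1AN85CR NS SOA RRSIG DNSKEY NSEC3PARAM TYPE65534
ba141snrnoe1rc9mddgrest23g657rir.be. 600 IN RRSIG NSEC3 8 2 600 20101207140244 20101130135115 61344 be. <signature-elided>
040gpts32ds6q6unjgf8eh7bpal1m1ik.be. 600 IN NSEC3 1 1 5 1A4E9B6C 06JFHM0ATMQQJ2C08HOFHCO313VOSEEG NS DS RRSIG
040gpts32ds6q6unjgf8eh7bpal1m1ik.be. 600 IN RRSIG NSEC3 8 2 600 20101207152009 20101130151117 61344 be. <signature-elided>
"""


def parse(text):
    """Return (qname, qtype, [(owner, rtype), ...]) for the authority section."""
    section, question, authority = None, None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(";;"):
            if "SECTION" in line:
                # ";; AUTHORITY SECTION:" -> "AUTHORITY"
                section = line.strip("; :").split()[0]
            continue
        if not line:
            continue
        fields = line.lstrip(";").split()
        if section == "QUESTION":
            question = (fields[0].lower(), fields[-1].upper())
        elif section == "AUTHORITY" and len(fields) >= 4:
            authority.append((fields[0].lower(), fields[3].upper()))
    return question[0], question[1], authority


def check_ds_nodata(text):
    """List the problems in a no-data response to a DS query sent to the parent."""
    qname, qtype, authority = parse(text)
    if qtype != "DS":
        return []
    types = {rtype for _, rtype in authority}
    findings = []
    if (qname, "NS") in authority:
        findings.append("child NS RRset in authority section (looks like a referral)")
    if "SOA" not in types:
        findings.append("no SOA in authority section (RFC 2308 negative caching)")
    if not types & {"NSEC", "NSEC3"}:
        findings.append("no NSEC/NSEC3 proof that DS is absent")
    return findings
```

Run against the abbreviated x.dns.be response, `check_ds_nodata(SAMPLE)` reports the NS RRset and the missing SOA; the NSEC3 records are present, so the third check stays quiet.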