DS queries on parents vs. "correct behaviour" in answering
When a validating resolver queries the parent of a zone for the DS record(s), and the (child) zone is NOT signed, the response contains no answer but it does contain NSEC (NSEC3) record(s) in the authority section together with corresponding RRSIG records (parent zone is signed).

Would it be considered ok, harmful, not allowed, (any other word) to include in that answer the NS RRSET for the child zone (obviously without any RRSIG)?

Against RFC? Not specified? Would it break resolvers? Any or all implementations?

What do you think?

Thanks.

--Pj.
RE: Dig 9.7 DNSSEC output
Or this one:

# dig @j.ns.se se. dnskey +dnssec

; <<>> DiG 9.7.0-P1 <<>> @j.ns.se se. dnskey +dnssec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24743
;; flags: qr aa rd; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;se. IN DNSKEY

;; ANSWER SECTION:
se. 3600 IN DNSKEY 257 3 5 Asnip... EaRlZigUCp8=
se. 3600 IN DNSKEY 257 3 5 Asnip 7TKYyQgsTlc=
se. 3600 IN DNSKEY 256 3 5 Asnip 2oXgSod9
se. 3600 IN RRSIG DNSKEY 5 1 3600 20100515203911 20100509131031 39547 se. gsnip uAYDHw==
se. 3600 IN RRSIG DNSKEY 5 1 3600 20100517001830 20100509131031 8779 se. vsnip NRwr1A==

;; Query time: 17 msec
;; SERVER: 199.254.63.1#53(199.254.63.1)
;; WHEN: Sun May 9 18:54:10 2010
;; MSG SIZE rcvd: 1311

One (1) additional announced, while there is not even an additional section. Maybe this is related to the EDNS0 stuff?

--Pj.

Peter Janssen
Technical Manager
Join us in June! EURid hosts ICANNs 38th meeting in Brussels. Find out more at brussels38.icann.org.
EURid
Woluwelaan 150
1831 Diegem - Belgium
TEL.: +32 (0) 2 401 2750
peter.jans...@eurid.eu
http://www.eurid.eu

From: bind-users-bounces+peter.janssen=eurid...@lists.isc.org [mailto:bind-users-bounces+peter.janssen=eurid...@lists.isc.org] On Behalf Of Sten Carlsen
Sent: Sunday, May 09, 2010 17:48
To: bind-users@lists.isc.org
Subject: Re: Dig 9.7 DNSSEC output

On 09/05/10 17:24, Peter Janssen wrote:

Hi, might be me, but I don't get it.

;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 9

ADDITIONAL: 9 But as you count to 8, where is number 9. I seem to be counting as Peter here.

The issue I have with this is, dig announces 9 additional section entries, while 3 A, 1 and 4 RRSIG, in my book sums up to 8. Without DNSSEC, it seems to be able to count correctly...

# dig @ns.nic.se nic.se ns

; <<>> DiG 9.7.0-P1 <<>> @ns.nic.se nic.se ns
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4920
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 4
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;nic.se. IN NS

;; ANSWER SECTION:
nic.se. 3600 IN NS ns2.nic.se.
nic.se. 3600 IN NS ns.nic.se.
nic.se. 3600 IN NS ns3.nic.se.

;; ADDITIONAL SECTION:
ns.nic.se. 3600 IN A 212.247.7.228
ns.nic.se. 3600 IN 2a00:801:f0:53::53
ns2.nic.se. 3600 IN A 194.17.45.54
ns3.nic.se. 60 IN A 212.247.3.83

;; Query time: 34 msec
;; SERVER: 212.247.7.228#53(212.247.7.228)
;; WHEN: Sun May 9 17:23:51 2010
;; MSG SIZE rcvd: 153

Am I missing something? Or is this already reported? If so, what would be the correct channel?

R.
--Pj.

--
Best regards
Sten Carlsen

No improvements come from shouting: "MALE BOVINE MANURE!!!"
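Added example (not part of the original thread, and not code from BIND or dig): the ADDITIONAL figure in dig's header line is the ARCOUNT field of the DNS header, and the EDNS0 OPT pseudo-record travels in the additional section on the wire, so it is counted there even though dig prints it under OPT PSEUDOSECTION. The sketch below parses a constructed response and separates real additional RRs from OPT; the helper names and the sample message are assumptions made for illustration.

```python
import struct

TYPE_A, TYPE_OPT = 1, 41

def encode_name(name):
    """Encode a domain name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def skip_name(msg, off):
    """Return the offset just past the name starting at off."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:          # a compression pointer ends the name
            return off + 2
        off += 1 + n

def count_additional(msg):
    """Return (ARCOUNT from the header, real additional RRs, OPT pseudo-RRs)."""
    _id, _flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    real = opt = 0
    for i in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if i >= an + ns:               # only records in the additional section
            if rtype == TYPE_OPT:
                opt += 1
            else:
                real += 1
    return ar, real, opt

def build_sample(additional_a):
    """Constructed response: one question, the given A records, one OPT RR."""
    # Flags 0x8500 = qr aa rd, as in the dig output quoted in the thread.
    msg = struct.pack("!6H", 1, 0x8500, 1, 0, 0, len(additional_a) + 1)
    msg += encode_name("nic.se.") + struct.pack("!HH", 2, 1)   # QTYPE NS, IN
    for name, ip in additional_a:
        msg += encode_name(name) + struct.pack("!HHIH", TYPE_A, 1, 3600, 4)
        msg += bytes(int(o) for o in ip.split("."))
    # OPT: root name, type 41, CLASS = UDP size 4096, TTL field carries DO bit
    msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0x00008000, 0)
    return msg
```

With only an OPT record present, the header reports one additional record and no ordinary RR, which is the pattern in the se. DNSKEY query above.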
RE: Dig 9.7 DNSSEC output
Hi Rick,

as per the header of Dig output

;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 9

Apart from that, I'm glad that my counting is still up to par :-)

R.
--Pj.

Peter Janssen
Technical Manager
EURid

From: R Dicaire [mailto:dicai...@gmail.com]
Sent: Sunday, May 09, 2010 17:42
To: Peter Janssen
Cc: bind-users@lists.isc.org
Subject: Re: Dig 9.7 DNSSEC output

On Sun, May 9, 2010 at 11:24 AM, Peter Janssen wrote:

;; ADDITIONAL SECTION:
ns.nic.se. 3600 IN A 212.247.7.228
ns.nic.se. 3600 IN 2a00:801:f0:53::53
ns2.nic.se. 3600 IN A 194.17.45.54
ns3.nic.se. 60 IN A 212.247.3.83
ns.nic.se. 3600 IN RRSIG A 5 3 3600 20100517132001 20100507132001 20273 nic.se. TLTnkqESLN7DdoC2urF14ox1JolvUSCySe4oqYfof4ER/ZNNl8DO1P46 mSKpNxf3kNUJWoMkjBjtUgZgiMcVSuD7V6qTHLA2A8tEhnM4pXCeo/yj kirCEzo3YQzcW56BZVXgVe41K3QT4GpIm0rmTyEy+8ZCe7oeMKFem5PL Ibw=
ns.nic.se. 3600 IN RRSIG 5 3 3600 20100517132001 20100507132001 20273 nic.se. HcUbk9y1aR9zeHOwNsqTtPL97P+ftyoQVAyTZbuPpr6GEzIsKL8MyQoP h4qyAkOHFWC2lgZ4xroHemR9OXa3JCLn1UtYE0UbgszUJWSJcQW+2ho3 GIsfEzVfJwMEomhvPuEyVfNxdaP87ITFTfNJcUvEApHCnYHO0RNgeEL0 l/Y=
ns2.nic.se. 3600 IN RRSIG A 5 3 3600 20100517132001 20100507132001 20273 nic.se. fGqc3OIwmaYPFJoRrULGaUIRxGV+i6FJkcSZ4HRJL0x+siwVcTrIb+5t ER9woGl9sabyXH9H4aHc90ARABer0RodbnQSZDT7SPamDb97UP1ESBs2 Av9N43nr54M/ctLk8EZc1q7GblBK7inf7iY/AQsHTsFv1BWJOAYw+n4N YaM=
ns3.nic.se. 60 IN RRSIG A 5 3 60 20100517132001 20100507132001 20273 nic.se. vTil1+1r3dOyV3zHdd53p2O5qnBHfexdwJVjx2E+G5z5FTqa50YRQYfH JwVHHertJcMo2wek/y2g0GBQJdkFTKwpJZv3IWWp9TYqJ3lCIYzoWxWV pzc7i+m2Ha3HupVY0e/tOJPKsiJu+LnyH3LJ66WV/xCRDjhZ8N6RONl5 xQU=

I count 8 RRs. 3 A, 1 , 4 RRSIG. Where are you seeing 9?

--
aRDy Music/Rick Dicaire
http://www.ardynet.com
http://linux.ardynet.com
Dig 9.7 DNSSEC output
Hi,

might be me, but I don't get it.

# dig @ns.nic.se nic.se ns +dnssec

; <<>> DiG 9.7.0-P1 <<>> @ns.nic.se nic.se ns +dnssec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15071
;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 9
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;nic.se. IN NS

;; ANSWER SECTION:
nic.se. 3600 IN NS ns2.nic.se.
nic.se. 3600 IN NS ns3.nic.se.
nic.se. 3600 IN NS ns.nic.se.
nic.se. 3600 IN RRSIG NS 5 2 3600 20100517132001 20100507132001 20273 nic.se. Q9kNPVor5vCyji7XVDQMYAUcbhVTU43a/ftTBi04qXxe/AMkTO1m2C97 aRcSNG2dUWZsZ6TmaiqReMx1fARqjcP9fHHbdEtt3Oolvw9WH5KLd0Jg TnDql5bN1vUQpULOli86enlCBHCz5FWX5izQ7i+WmLKTI1zC+R9NYd3T G1g=

;; ADDITIONAL SECTION:
ns.nic.se. 3600 IN A 212.247.7.228
ns.nic.se. 3600 IN 2a00:801:f0:53::53
ns2.nic.se. 3600 IN A 194.17.45.54
ns3.nic.se. 60 IN A 212.247.3.83
ns.nic.se. 3600 IN RRSIG A 5 3 3600 20100517132001 20100507132001 20273 nic.se. TLTnkqESLN7DdoC2urF14ox1JolvUSCySe4oqYfof4ER/ZNNl8DO1P46 mSKpNxf3kNUJWoMkjBjtUgZgiMcVSuD7V6qTHLA2A8tEhnM4pXCeo/yj kirCEzo3YQzcW56BZVXgVe41K3QT4GpIm0rmTyEy+8ZCe7oeMKFem5PL Ibw=
ns.nic.se. 3600 IN RRSIG 5 3 3600 20100517132001 20100507132001 20273 nic.se. HcUbk9y1aR9zeHOwNsqTtPL97P+ftyoQVAyTZbuPpr6GEzIsKL8MyQoP h4qyAkOHFWC2lgZ4xroHemR9OXa3JCLn1UtYE0UbgszUJWSJcQW+2ho3 GIsfEzVfJwMEomhvPuEyVfNxdaP87ITFTfNJcUvEApHCnYHO0RNgeEL0 l/Y=
ns2.nic.se. 3600 IN RRSIG A 5 3 3600 20100517132001 20100507132001 20273 nic.se. fGqc3OIwmaYPFJoRrULGaUIRxGV+i6FJkcSZ4HRJL0x+siwVcTrIb+5t ER9woGl9sabyXH9H4aHc90ARABer0RodbnQSZDT7SPamDb97UP1ESBs2 Av9N43nr54M/ctLk8EZc1q7GblBK7inf7iY/AQsHTsFv1BWJOAYw+n4N YaM=
ns3.nic.se. 60 IN RRSIG A 5 3 60 20100517132001 20100507132001 20273 nic.se. vTil1+1r3dOyV3zHdd53p2O5qnBHfexdwJVjx2E+G5z5FTqa50YRQYfH JwVHHertJcMo2wek/y2g0GBQJdkFTKwpJZv3IWWp9TYqJ3lCIYzoWxWV pzc7i+m2Ha3HupVY0e/tOJPKsiJu+LnyH3LJ66WV/xCRDjhZ8N6RONl5 xQU=

;; Query time: 35 msec
;; SERVER: 212.247.7.228#53(212.247.7.228)
;; WHEN: Sun May 9 17:22:05 2010
;; MSG SIZE rcvd: 994

The issue I have with this is, dig announces 9 additional section entries, while 3 A, 1 and 4 RRSIG, in my book sums up to 8. Without DNSSEC, it seems to be able to count correctly...

# dig @ns.nic.se nic.se ns

; <<>> DiG 9.7.0-P1 <<>> @ns.nic.se nic.se ns
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4920
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 4
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;nic.se. IN NS

;; ANSWER SECTION:
nic.se. 3600 IN NS ns2.nic.se.
nic.se. 3600 IN NS ns.nic.se.
nic.se. 3600 IN NS ns3.nic.se.

;; ADDITIONAL SECTION:
ns.nic.se. 3600 IN A 212.247.7.228
ns.nic.se. 3600 IN 2a00:801:f0:53::53
ns2.nic.se. 3600 IN A 194.17.45.54
ns3.nic.se. 60 IN A 212.247.3.83

;; Query time: 34 msec
;; SERVER: 212.247.7.228#53(212.247.7.228)
;; WHEN: Sun May 9 17:23:51 2010
;; MSG SIZE rcvd: 153

Am I missing something? Or is this already reported? If so, what would be the correct channel?

R.
--Pj.

Peter Janssen
Technical Manager
EURid