Mark Andrews writes:
>
> In message <02d001cb93f5$513ca2b0$f3b5e8...@janssen@eurid.eu>, "Peter Janssen" writes:
> > When a validating resolver queries the parent of a zone for the DS
> > record(s),
> > and the (child) zone is NOT signed, the response contains no answer
> > but it does contain NSEC (NSEC3) record(s) in the authority section
> > together with corresponding RRSIG records (parent zone is signed).
> > Would it be considered ok, harmful, not allowed, (any other word)
> > to include in that answer the NS RRSET for the child zone
> > (obviously without any RRSIG)?
> >
> > Against RFC? Not specified?
> > Would it break resolvers? Any or all implementations?
> >
> > What do you think?
>
> The server is broken. The DS records are part of the parent zone
> and the authority section should reflect that. DNSSEC unaware parent
> servers return referrals to the child zone. A resolver seeing such a
> referral is likely to just drop the response and move on to the next
> server.
>
> I suspect you are asking this because of x.dns.be's answers. Note
> the answer is also missing the SOA record required for negative caching
> (RFC 2308).
>
> Mark
It helps if I have the right type in the question.
; <<>> DiG 9.6.0-APPLE-P2 <<>> foo.be +dnssec @x.dns.be +norec ds
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37780
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;foo.be. IN DS
;; AUTHORITY SECTION:
foo.be. 86400 IN NS ns6.gandi.net.
foo.be. 86400 IN NS ka.quuxlabs.com.
ba141snrnoe1rc9mddgrest23g657rir.be. 600 IN NSEC3 1 1 5 1A4E9B6C
BB7ONI6L9S8J5E3K6HUQ7C41J1AN85CR NS SOA RRSIG DNSKEY NSEC3PARAM TYPE65534
ba141snrnoe1rc9mddgrest23g657rir.be. 600 IN RRSIG NSEC3 8 2 600 20101207140244
20101130135115 61344 be.
ZzvHV36wtbQ9woSfpc6nltz+tPc9GStoiEj4Fux+w70xkroPgjCtXhoY
jC1uErBEAIKVoMKijb4TbFkssppxTZPvsqqYO3nE6ANWm85pHpP/q9VI
eMk8RKcopptowjT9opikpvOJnOxlq3zTWBBoUjpyc6ZhJAPun3RPbQg5 Lfw=
040gpts32ds6q6unjgf8eh7bpal1m1ik.be. 600 IN NSEC3 1 1 5 1A4E9B6C
06JFHM0ATMQQJ2C08HOFHCO313VOSEEG NS DS RRSIG
040gpts32ds6q6unjgf8eh7bpal1m1ik.be. 600 IN RRSIG NSEC3 8 2 600 20101207152009
20101130151117 61344 be.
Rk1cwdoDfSo99pNPyBzducYv3CRa4qh3fpQmJifDWCxnR3WIAElwaqrV
dh9czL06jPBBGFTJLzSYs+jbxmrt/iK3EE7E/0Z+AJiZTMBhO+LOY2YM
U2sU9SX7/cZvtKvIN73/HI1VegcNrDFCqrJvU9zsaUmDwynLGqolzWBV tGI=
;; Query time: 483 msec
;; SERVER: 2001:678:4::a#53(2001:678:4::a)
;; WHEN: Sun Dec 5 09:06:10 2010
;; MSG SIZE rcvd: 620
>
> ; <<>> DiG 9.6.0-APPLE-P2 <<>> foo.be +dnssec @x.dns.be +norec
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40730
> ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;foo.be. IN A
>
> ;; AUTHORITY SECTION:
> foo.be. 86400 IN NS ns6.gandi.net.
> foo.be. 86400 IN NS ka.quuxlabs.com.
> ba141snrnoe1rc9mddgrest23g657rir.be. 600 IN NSEC3 1 1 5 1A4E9B6C BB7ONI6L9S8J5E3K6HUQ7C41J1AN85CR NS SOA RRSIG DNSKEY NSEC3PARAM TYPE65534
> ba141snrnoe1rc9mddgrest23g657rir.be. 600 IN RRSIG NSEC3 8 2 600 20101207140244 20101130135115 61344 be. ZzvHV36wtbQ9woSfpc6nltz+tPc9GStoiEj4Fux+w70xkroPgjCtXhoY jC1uErBEAIKVoMKijb4TbFkssppxTZPvsqqYO3nE6ANWm85pHpP/q9VI eMk8RKcopptowjT9opikpvOJnOxlq3zTWBBoUjpyc6ZhJAPun3RPbQg5 Lfw=
> 040gpts32ds6q6unjgf8eh7bpal1m1ik.be. 600 IN NSEC3 1 1 5 1A4E9B6C 06JFHM0ATMQQJ2C08HOFHCO313VOSEEG NS DS RRSIG
> 040gpts32ds6q6unjgf8eh7bpal1m1ik.be. 600 IN RRSIG NSEC3 8 2 600 20101207152009 20101130151117 61344 be. Rk1cwdoDfSo99pNPyBzducYv3CRa4qh3fpQmJifDWCxnR3WIAElwaqrV dh9czL06jPBBGFTJLzSYs+jbxmrt/iK3EE7E/0Z+AJiZTMBhO+LOY2YM U2sU9SX7/cZvtKvIN73/HI1VegcNrDFCqrJvU9zsaUmDwynLGqolzWBV tGI=
>
> ;; Query time: 483 msec
> ;; SERVER: 2001:678:4::a#53(2001:678:4::a)
> ;; WHEN: Sun Dec 5 09:00:21 2010
> ;; MSG SIZE rcvd: 620
>
> > Thanks.
> >
> > --Pj.
> > ___
> > bind-users mailing list
> > bind-users@lists.isc.org
> > https://lists.isc.org/mailman/listinfo/bind-users
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
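Mark's diagnosis above amounts to a shape check on the DS response: an authoritative NODATA from the signed parent (AA set, empty ANSWER, the parent's SOA for RFC 2308 negative caching plus signed NSEC/NSEC3 in AUTHORITY) versus a referral carrying the child's NS RRset. The following checker is an added example, not code from the thread or from ISC; the AUTHORITY sections are constructed from the quoted x.dns.be answer, with signature data and the SOA MNAME/RNAME replaced by placeholders.

```python
from collections import namedtuple
# One RR in dig presentation format (owner ttl class type rdata); the class is dropped.
RR = namedtuple("RR", "name ttl rtype rdata")

def parse_rrs(text):
    """Parse one dig-style RR per line, skipping blank and ';' comment lines."""
    rrs = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(";"):
            name, ttl, _cls, rtype, rdata = line.split(None, 4)
            rrs.append(RR(name.lower(), int(ttl), rtype.upper(), rdata))
    return rrs

def check_ds_nodata(qname, aa, answer, authority):
    """Return the problems with a DS response from a signed parent for an unsigned child.
    Correct shape: authoritative NODATA (AA set, empty ANSWER), the parent's SOA (RFC 2308)
    and NSEC/NSEC3 in AUTHORITY, each with an RRSIG, and no NS RRset for the child."""
    qname = qname.lower().rstrip(".") + "."
    problems = []
    if not aa:
        problems.append("AA flag not set: response is not authoritative")
    if answer:
        problems.append("ANSWER section is not empty")
    types = {rr.rtype for rr in authority}
    if any(rr.rtype == "NS" and rr.name == qname for rr in authority):
        problems.append("NS RRset for %s in AUTHORITY: a referral, not a DS NODATA" % qname)
    if "SOA" not in types:
        problems.append("no SOA in AUTHORITY: cannot be negatively cached (RFC 2308)")
    if not types & {"NSEC", "NSEC3"}:
        problems.append("no NSEC/NSEC3 proof that the DS RRset does not exist")
    # Covered types are the first rdata token of each RRSIG in the section.
    signed = {rr.rdata.split()[0].upper() for rr in authority if rr.rtype == "RRSIG"}
    problems += ["%s in AUTHORITY has no RRSIG" % t
                 for t in sorted((types & {"SOA", "NSEC", "NSEC3"}) - signed)]
    return problems

# Constructed from the x.dns.be answer quoted above (flags were "qr" only, so AA unset);
# signature data shortened to the placeholder "c2lnLi4u".
BROKEN = parse_rrs("""
foo.be. 86400 IN NS ns6.gandi.net.
foo.be. 86400 IN NS ka.quuxlabs.com.
ba141snrnoe1rc9mddgrest23g657rir.be. 600 IN NSEC3 1 1 5 1A4E9B6C BB7ONI6L9S8J5E3K6HUQ7C41J1AN85CR NS SOA RRSIG DNSKEY NSEC3PARAM TYPE65534
ba141snrnoe1rc9mddgrest23g657rir.be. 600 IN RRSIG NSEC3 8 2 600 20101207140244 20101130135115 61344 be. c2lnLi4u
040gpts32ds6q6unjgf8eh7bpal1m1ik.be. 600 IN NSEC3 1 1 5 1A4E9B6C 06JFHM0ATMQQJ2C08HOFHCO313VOSEEG NS DS RRSIG
040gpts32ds6q6unjgf8eh7bpal1m1ik.be. 600 IN RRSIG NSEC3 8 2 600 20101207152009 20101130151117 61344 be. c2lnLi4u
""")
# Constructed correct shape: same NSEC3 proof, child NS RRset dropped, parent SOA (+RRSIG)
# added; the SOA MNAME/RNAME below are placeholders, not .be's real values.
GOOD = [rr for rr in BROKEN if rr.rtype != "NS"] + parse_rrs("""
be. 600 IN SOA ns.example. hostmaster.example. 2010120500 3600 1800 3600000 600
be. 600 IN RRSIG SOA 8 1 600 20101207140244 20101130135115 61344 be. c2lnLi4u
""")
```

`check_ds_nodata("foo.be", False, [], BROKEN)` reports the unset AA flag, the referral-style NS RRset and the missing SOA; the corrected section with AA set reports nothing.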