On Wed, 18 Aug 2010, Casey Deccio wrote:
Using BIND 9.6.2-P2 and 9.7.1-P2 configured for DNSSEC validation with DLV I experience the following issue. When I attempt to resolve www.jobcorps.gov I get a SERVFAIL message. The authoritative servers return an RRSIG covering the A RR, but the resolver is unable to validate it because it cannot retrieve the DNSKEYs. The servers are attempting to send packets exceeding their PMTU and they apparently don't accept TCP connections, which means that a resolver can't get a complete response for DNSKEYs.

Despite the server misconfigurations, the delegation from .GOV is insecure, so ultimately the result should return insecure data, rather than failure. Thoughts?
If the domain is in the DLV, then it is treated as having a secure entry point just as if the parent had a DS record, and any missing DNSKEYs are considered a downgrade attack to lure you into spoofed faked data.
Paul
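A small diagnostic for the DNSKEY retrieval failure Casey describes, added here as an example and not part of the thread or of BIND: it builds the same DNSKEY query with only the standard library and sends it three ways (EDNS buffer 4096 over UDP, 512 over UDP to force truncation, and over TCP), so an operator can confirm whether a large UDP answer is being lost and whether the server accepts TCP. The server address and zone name passed to `diagnose` are assumptions to fill in.

```python
import socket
import struct

DNSKEY = 48  # RR type number for DNSKEY

def encode_name(name):
    """DNS wire format: length-prefixed labels terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_query(name, bufsize, txid=0x1234, qtype=DNSKEY):
    """Query with an EDNS0 OPT record advertising `bufsize` and the DO bit set."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, 1 question, 1 additional
    question = encode_name(name) + struct.pack(">HH", qtype, 1)  # class IN
    opt = b"\x00" + struct.pack(">HHBBHH", 41, bufsize, 0, 0, 0x8000, 0)  # OPT, DO=1
    return header + question + opt

def parse_header(resp):
    """Return (txid, truncated, rcode, answer_count) from a raw response."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    return txid, bool(flags & 0x0200), flags & 0x000F, an

def udp_probe(server, name, bufsize, timeout=3.0):
    """Parsed header, or None if no datagram arrived (e.g. fragments dropped on the path)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, bufsize), (server, 53))
        try:
            return parse_header(s.recv(65535))
        except socket.timeout:
            return None

def tcp_probe(server, name, timeout=3.0):
    """Same query over TCP (two-byte length prefix); None if refused or timed out."""
    try:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            q = build_query(name, 4096)
            s.sendall(struct.pack(">H", len(q)) + q)
            f = s.makefile("rb")
            (length,) = struct.unpack(">H", f.read(2))
            return parse_header(f.read(length))
    except OSError:
        return None

def diagnose(server, name):
    """The symptom in the thread is: udp_4096 None, udp_512 truncated, tcp None."""
    return {
        "udp_4096": udp_probe(server, name, 4096),
        "udp_512": udp_probe(server, name, 512),
        "tcp": tcp_probe(server, name),
    }
```

Call `diagnose("<authoritative server IP>", "example.gov")` against each listed name server; a healthy server answers all three probes with the same transaction id and no truncation on the TCP path.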
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users