Hello,
Much attention has been given to DNSSEC - how it brings security, the "chain of trust", the root zone being signed, the activities of TLDs to get signed, ... But we (I belong to an organisation in charge of a TLD) should also pay attention to the validating, client, side of DNSSEC.

What I see in practice, but which might simply be "implementation" of a name service, is that a forwarding + validating name server, which forwards to a caching name server that is not aware of DNSSEC, cannot resolve anything: all responses, for either signed or unsigned domains, return SERVFAIL!

Packet sniffing and query logging on the respective name servers show that the forwarding name server
1) performs a first query, to which it receives a reply;
2) performs a second query, for the DS record of the domain, to which the caching, DNSSEC-unaware, name server always replies with "0 answers".
Thereupon the reply of the forwarding name server to the initial client is SERVFAIL. And this regardless of whether there are DS records available or not.

The "problem" seems to be that the DNSSEC-unaware caching name server looks for the DS records in the wrong place: it queries the authoritative NSs of the domain (rather than the parent domain!). Consequently, the "0 answers" reply comes with the SOA record of the domain, *not* the SOA record of its parent. I suppose the forwarding + validating name server then concludes there is a problem, and fails towards its client.

My questions to the community:
? Is this a principal DNSSEC protocol error?
? Is this specific behaviour of a name server implementation (Bind 9.7), failing a precise definition of how to behave in this case: "unexplored fields"?

While this gets sorted out, be careful when adding DNSSEC validation to forwarding name servers: only if the caching name server(s) to which queries are forwarded are DNSSEC-aware themselves will the combination "forwarding" + "validating" be successful.

Comments welcome!
Kind regards,
Marc Lampo
Security Officer
EURid
Woluwelaan 150
1831 Diegem - Belgium
TEL.: +32 (0) 2 401 3030
MOB.: +32 (0)476 984 391
marc.la...@eurid.eu
http://www.eurid.eu
Want a .eu web address in your own language? http://www.eurid.eu/en/eu-domain-names/idns-eu Find out how so you don't miss out!
_______________________________________________ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
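The diagnostic the post describes, as an added example that is not part of the original message and not code from BIND: a negative ("0 answers") reply to a DS query is only meaningful when the SOA in the AUTHORITY section belongs to the parent zone, because the DS RRset lives at the delegation point in the parent. The script below builds two constructed wire-format replies for `example.eu. DS` with only the standard library, one carrying the `eu.` SOA and one carrying the `example.eu.` SOA, and classifies each by the owner of that SOA. The names, SOA contents and the `build_nodata_response` / `ds_nodata_origin` helpers are assumptions made for the example.

```python
"""Where did a 'no data' answer for a DS query come from?

Added example, not from the original post or from BIND. It builds a DNS
response in wire format with only the standard library, then inspects the
SOA in the AUTHORITY section. A negative answer for <name>/DS has to be
proven by the PARENT zone's SOA; an SOA owned by <name> itself means the
responder went to the child zone's servers. All names and record contents
below are constructed for the example.
"""
import struct

QTYPE_SOA = 6
QTYPE_DS = 43
QCLASS_IN = 1


def encode_name(name):
    """Encode a dotted name ('example.eu.' or '.') as uncompressed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, offset):
    """Decode a (possibly compressed) name; return (name, offset past it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:            # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (offset if end is None else end)


def build_nodata_response(qname, soa_owner, txn_id=0x1234):
    """Constructed NOERROR reply to <qname> DS: 0 answers, one SOA in AUTHORITY."""
    header = struct.pack("!HHHHHH", txn_id, 0x8180, 1, 0, 1, 0)  # QR, RD, RA set
    question = encode_name(qname) + struct.pack("!HH", QTYPE_DS, QCLASS_IN)
    rdata = (encode_name("ns1." + soa_owner) + encode_name("hostmaster." + soa_owner)
             + struct.pack("!IIIII", 2024010100, 3600, 900, 604800, 3600))
    soa = (encode_name(soa_owner)
           + struct.pack("!HHIH", QTYPE_SOA, QCLASS_IN, 3600, len(rdata)) + rdata)
    return header + question + soa


def parse_response(msg):
    """Parse header, the single question and every RR's owner/type per section."""
    _txn_id, flags, _qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    qname, offset = decode_name(msg, offset)
    qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
    offset += 4
    sections = {}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        rrs = []
        for _ in range(count):
            owner, offset = decode_name(msg, offset)
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
            offset += 10 + rdlen              # rdata itself is not needed here
            rrs.append((owner, rtype))
        sections[section] = rrs
    return {"flags": flags, "qname": qname, "qtype": qtype, **sections}


def ds_nodata_origin(msg):
    """Classify a reply to a DS query by the zone whose SOA proves the negative answer."""
    r = parse_response(msg)
    if r["qtype"] != QTYPE_DS:
        raise ValueError("not a DS query")
    if r["answer"]:
        return "ds-present"
    soas = [owner for owner, rtype in r["authority"] if rtype == QTYPE_SOA]
    if not soas:
        return "no-soa"
    owner, qname = soas[0], r["qname"]
    if owner == qname:
        return "child-soa"        # responder asked the delegated zone itself
    if owner == "." or qname.endswith("." + owner):
        return "parent-soa"       # proof comes from an ancestor zone, as it should
    return "unrelated-soa"


if __name__ == "__main__":
    cases = (("SOA of parent zone eu.", build_nodata_response("example.eu.", "eu.")),
             ("SOA of child zone example.eu.", build_nodata_response("example.eu.", "example.eu.")))
    for label, reply in cases:
        print(f"example.eu. DS, {label}: {ds_nodata_origin(reply)}")
```

Against a live upstream the same check can be made by hand: `dig +dnssec DS example.eu @<upstream>` and look at whose SOA appears in the AUTHORITY section of a "0 answers" reply. A "child-soa" result from the classifier above corresponds to the wrong-place lookup the post observed; a resolver that understands DS will produce "parent-soa" (or "ds-present") for the same query.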