Hello,

Just tried with BIND 9.7.2-P3 (in our course environment for our DNSSEC workshop). I can *not* confirm this behaviour there: 1 correct DS record, 1 DS record correct in everything but the algorithm --> validating caching name servers nicely return answers with the "AD" bit set.

All name servers in this environment are 9.7.2-P3, by the way. The correct DS was referring to algorithm 5, the wrong DS to algorithm 8 (the corresponding algorithm in the DNSKEY record was 5).

Kind regards,
Marc

-----Original Message-----
From: Stephane Bortzmeyer [mailto:bortzme...@nic.fr]
Sent: 06 May 2011 03:40 PM
To: bind-users@lists.isc.org
Subject: [DNSSEC] Resolver behavior with broken DS records

In an (involuntary) experiment under .FR, I discovered that the rule "at least one DS must match for a child zone to be authenticated" is wrong if a broken DS is present.

In our case, the Algorithm field in the DS did not match the one in the DNSKEY. While there was another correct DS for the child zone, BIND 9.6 and 9.8 servfail. So, the incorrect DS made the child zone bogus.

If there are DS records and one of them is dangling (pointing to a nonexistent key) or unknown (new algorithm), BIND validates if there is at least one DS it can process.

I won't discuss the legality of this behaviour (my reading of the RFC on this point is that a resolver can do what it wants) but I believe that the current BIND behaviour is:

* inconsistent: BIND uses an "at least one DS" policy when there are dangling DS but an "all the DS" policy when there are broken DS.

* dangerous: a simple mistake in one of the DS will make the zone bogus.

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
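To make the distinction in the thread concrete (a DS that matches, a DS whose Algorithm field disagrees with the DNSKEY, a dangling DS, and a DS with an unsupported algorithm), here is an added example in Python that is not BIND code and not code from either poster. It builds DNSKEY and DS records in wire format, computes the RFC 4034 key tag and DS digest, classifies each DS against the DNSKEY RRset following the matching conditions of RFC 4035 section 5.2, and then applies either an "at least one DS matches" policy or an "all usable DS must match" policy so the two outcomes Stephane describes can be compared side by side. The owner name, key bytes and the set of algorithms the toy validator claims to support are constructed assumptions, not values from the thread.

```python
"""Toy DS/DNSKEY matching per RFC 4035 section 5.2 under two policies.
Added illustration; not BIND's validator and not code from the thread."""
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Tuple

# Assumption: algorithms this toy validator implements (5 = RSASHA1, 8 = RSASHA256, ...).
SUPPORTED_ALGORITHMS = {5, 7, 8, 10, 13, 14}
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types 1 and 2


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    def rdata(self) -> bytes:
        """DNSKEY RDATA in wire format: flags(2) protocol(1) algorithm(1) key."""
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

    def key_tag(self) -> int:
        """RFC 4034 Appendix B key tag over the RDATA."""
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def owner_wire(name: str) -> bytes:
    """Canonical (lower-case) wire-format owner name, e.g. 'example.' -> b'\\x07example\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.lower().encode("ascii")
    return out + b"\x00"


def make_ds(owner: str, key: DNSKEY, digest_type: int = 2) -> DS:
    """DS for a DNSKEY: digest over owner name wire format + DNSKEY RDATA (RFC 4034 s5.1.4)."""
    digest = DIGESTS[digest_type](owner_wire(owner) + key.rdata()).digest()
    return DS(key.key_tag(), key.algorithm, digest_type, digest)


def classify_ds(owner: str, ds: DS, keys: List[DNSKEY]) -> str:
    """Outcome of one DS against the child's DNSKEY RRset."""
    if ds.algorithm not in SUPPORTED_ALGORITHMS or ds.digest_type not in DIGESTS:
        return "unsupported"          # resolver cannot process this DS at all
    candidates = [k for k in keys if k.key_tag() == ds.key_tag]
    if not candidates:
        return "dangling"             # no DNSKEY carries this key tag
    for k in candidates:
        digest_ok = DIGESTS[ds.digest_type](owner_wire(owner) + k.rdata()).digest() == ds.digest
        if digest_ok and k.algorithm == ds.algorithm:
            return "match"            # all RFC 4035 s5.2 conditions hold
        if digest_ok:
            return "algorithm-mismatch"  # Stephane's case: everything right except the Algorithm field
    return "digest-mismatch"


def validate_delegation(owner: str, ds_set: List[DS], keys: List[DNSKEY],
                        policy: str = "any") -> Tuple[str, List[str]]:
    """'any': secure if at least one usable DS matches.  'all': every usable DS must match.
    A DS set the resolver cannot process at all yields 'insecure' (RFC 4035 s5.2)."""
    results = [classify_ds(owner, d, keys) for d in ds_set]
    usable = [r for r in results if r != "unsupported"]
    if not usable:
        return "insecure", results
    if policy == "any":
        secure = "match" in usable
    elif policy == "all":
        secure = all(r == "match" for r in usable)
    else:
        raise ValueError("policy must be 'any' or 'all'")
    return ("secure" if secure else "bogus"), results


# Constructed sample data: an algorithm 5 KSK for 'example.' (key bytes are arbitrary).
OWNER = "example."
KSK = DNSKEY(flags=257, protocol=3, algorithm=5, public_key=bytes(range(1, 65)))
GOOD_DS = make_ds(OWNER, KSK)
# Same key tag and digest, but the Algorithm field says 8 instead of 5.
BROKEN_DS = DS(GOOD_DS.key_tag, 8, GOOD_DS.digest_type, GOOD_DS.digest)
DANGLING_DS = DS((GOOD_DS.key_tag + 1) & 0xFFFF, 5, 2, GOOD_DS.digest)
UNKNOWN_DS = DS(GOOD_DS.key_tag, 99, 2, GOOD_DS.digest)

if __name__ == "__main__":
    for policy in ("any", "all"):
        print(policy, validate_delegation(OWNER, [GOOD_DS, BROKEN_DS], [KSK], policy))
    print("any", validate_delegation(OWNER, [GOOD_DS, DANGLING_DS, UNKNOWN_DS], [KSK], "any"))
```

Running it shows the inconsistency the original message complains about: with the "any" policy the pair (good DS, algorithm-mismatched DS) is secure, while the "all" policy turns the same pair bogus, and a dangling or unsupported DS next to a good one stays secure under "any" either way.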