On Sep 24 2013, Tony Finch wrote:

> Chris Thompson <c...@cam.ac.uk> wrote:
>
>> I have noticed that I get occasional (fast) SERVFAIL responses from
>> "dig NS iq.", e.g.
>>
>> "iq" is partially signed, in the sense that some of its nameservers
>> deliver a signed version, and some an unsigned one, but I don't see
>> how that leads to the effect observed.
>
> It seems to happen when named gets a signed NS response then gets NODATA
> when it asks for the DNSKEY RRset. If it gets an unsigned NS response it
> is happy; if it gets signed NS and DNSKEY responses it is happy.

Yes, that seems to be right. But that's a bug, because absence of DNSKEY
records is not an error unless the zone is in the must-be-signed state.
BIND should go into "in that case I must prove the zone not required to
be signed" mode (top-down rather than bottom-up).

Quite a number of TLDs have been deploying DNSSEC in the same ultra-cautious
way as "iq" recently. I am surprised this bug hasn't drawn itself to our
attention before now. It surely can't have been there in the 2010 DURZ era,
when some root zone servers were serving (fake) signed versions and some
unsigned ones.

--
Chris Thompson
Email: c...@cam.ac.uk
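The validator decision discussed in the thread (bottom-up "missing DNSKEY is an error" versus top-down "first prove whether the zone must be signed"), as an added model that is not code from the thread or from BIND. The `Responses` record and its field values are assumptions; the real work (RRSIG verification, DS-to-DNSKEY matching, NSEC/NSEC3 denial proofs) is reduced to flags, and the "iq" scenario is constructed on the assumption that the parent holds no DS for it.

```python
from dataclasses import dataclass

SECURE, INSECURE, BOGUS = "secure", "insecure", "bogus"


@dataclass(frozen=True)
class Responses:
    """What the resolver has seen for one delegation (constructed, assumed fields)."""
    parent_ds: str     # "present", "absent" (denial proven by NSEC/NSEC3), or "unknown"
    ns_signed: bool    # did the NS answer from the chosen server carry RRSIGs?
    dnskey: str        # "signed" (DNSKEY RRset returned) or "nodata"


def top_down(r: Responses) -> str:
    """Correct order: decide from the parent's DS whether the child must be
    signed; only in that case is a missing DNSKEY RRset an error."""
    if r.parent_ds == "absent":
        return INSECURE           # proven unsigned delegation: accept answer, signed or not
    if r.parent_ds == "unknown":
        return BOGUS              # neither DS nor a denial proof: nothing can be trusted
    # DS present: the zone must be signed, so a full chain is required
    if r.ns_signed and r.dnskey == "signed":
        return SECURE
    return BOGUS


def bottom_up(r: Responses) -> str:
    """The behaviour the thread describes for named: a signed answer triggers a
    DNSKEY query, and NODATA there is treated as a failure before the resolver
    has checked whether the zone is required to be signed at all."""
    if r.ns_signed and r.dnskey == "nodata":
        return BOGUS
    return top_down(r)


def rcode(outcome: str) -> str:
    """Map a validation outcome to what the client sees."""
    return "SERVFAIL" if outcome == BOGUS else "NOERROR"


# Constructed: a partially signed TLD with no DS at the parent, reached once via a
# server that hands out the signed NS RRset and once via one that serves it unsigned.
IQ_VIA_SIGNED_SERVER = Responses(parent_ds="absent", ns_signed=True, dnskey="nodata")
IQ_VIA_UNSIGNED_SERVER = Responses(parent_ds="absent", ns_signed=False, dnskey="nodata")

if __name__ == "__main__":
    for name, r in (("signed server", IQ_VIA_SIGNED_SERVER),
                    ("unsigned server", IQ_VIA_UNSIGNED_SERVER)):
        print(f"{name}: bottom-up -> {rcode(bottom_up(r))}, top-down -> {rcode(top_down(r))}")
```

The intermittent SERVFAIL falls out of the model: only the path through the signed server trips the bottom-up check, so the answer depends on which nameserver the resolver happened to pick.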
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users