forwarding + validating name server : protocol error or simply "unexplored fields" ?

Marc Lampo marc.lampo at eurid.eu
Tue Nov 9 11:08:46 UTC 2010


Hello,

Much attention has been given to DNSSEC - how it brings security - the "chain-of-trust" - the root zone signed - activities of TLDs to get signed - ... but we (I belong to an organisation in charge of a TLD) should also pay attention to the validating, client, side of DNSSEC.

What I see in practice, but which might simply be "implementation" of a name service, is that a forwarding + validating name server, which forwards to a caching name server that is not aware of DNSSEC, cannot resolve anything: all responses, for either signed or unsigned domains, return SERVFAIL!

Packet sniffing and query logging of the respective name servers show that the forwarding name server

1) performs a first query, to which it receives a reply;

2) performs a second query for the DS record of the domain, to which the caching, DNSSEC-unaware, name server always replies with "0 answers".

Thereupon the reply of the forwarding name server to the initial client is: SERVFAIL. And this regardless of the fact that there are or are not DS records available.

The "problem" seems to be that the DNSSEC-unaware caching name server looks for the DS records in the wrong place: it queries the authoritative NS's of the domain (rather than the parent domain!).

Consequently, the "0 answers" reply comes with the SOA record of the domain, *not* the SOA record of its parent.

I suppose the forwarding + validating name server then concludes there is a problem, and fails towards its client.

My questions to the community:

- Is this a principal DNSSEC protocol error?
- Is this specific behaviour of a name server implementation (BIND 9.7), failing a precise definition of how to behave in this case: "unexplored fields"?

While this gets sorted out, be careful when adding DNSSEC validation to forwarding name servers: only if the caching name server(s), to which queries are forwarded, are DNSSEC aware themselves will the combination "forwarding" + "validating" be successful.

Comments welcome!

Kind regards,

Marc Lampo
Security Officer

EURid
Woluwelaan 150
1831 Diegem - Belgium
TEL.: +32 (0) 2 401 3030
MOB.: +32 (0)476 984 391
marc.lampo at eurid.eu
http://www.eurid.eu

Want a .eu web address in your own language? Find out how so you don't miss out: <http://www.eurid.eu/en/eu-domain-names/idns-eu>
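A small diagnostic for the symptom described in the post, added here as an example (it is not part of the original message or of BIND): it parses a DS reply in DNS wire format and reports whether the negative answer's SOA belongs to the parent zone, which is where a validator expects DS records to be answered from, or to the queried domain itself, which is what a DNSSEC-unaware caching server returns when it asks the child's own name servers. The function and helper names are my own, and the sample replies are constructed inline (standard-library Python only).

```python
import struct
DS, SOA = 43, 6                                   # RR type codes

def read_name(msg, off):
    """Decode a name at msg[off] (RFC 1035 compression aware); return (name, end offset)."""
    labels, end = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                      # compression pointer
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode("ascii").lower())
        off += n
    return ".".join(labels), (end if end is not None else off)

def classify_ds_response(msg):
    """'parent-soa': negative answer carries the parent's SOA (where DS records live).
    'child-soa': SOA of the queried name itself, i.e. the upstream asked the child's
    own servers for the DS (the post's symptom). 'answer': DS data. 'other': no SOA."""
    qd, an, ns = struct.unpack("!HHH", msg[4:10])
    qname, off = read_name(msg, 12)
    qtype = struct.unpack("!H", msg[off:off + 2])[0]
    off += 4                                      # skip qtype + qclass
    if qd != 1 or qtype != DS:
        raise ValueError("expected a single DS question")
    if an > 0:
        return "answer"
    for _ in range(ns):
        owner, off = read_name(msg, off)
        rtype, rdlen = struct.unpack("!H6xH", msg[off:off + 10])   # type, skip class+TTL, rdlength
        off += 10 + rdlen
        if rtype == SOA and owner == qname:
            return "child-soa"
        if rtype == SOA and (owner == "" or qname.endswith("." + owner)):
            return "parent-soa"
    return "other"

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".") if l) + b"\x00"

def build_ds_nodata(qname, soa_owner):
    """Constructed sample: NOERROR, 0-answer reply to 'qname DS' with one SOA in authority."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 1, 0)
    question = encode_name(qname) + struct.pack("!HH", DS, 1)
    rdata = encode_name(soa_owner) + encode_name(soa_owner) + bytes(20)   # dummy SOA fields
    owner = b"\xc0\x0c" if soa_owner == qname else encode_name(soa_owner)  # pointer when owner == qname
    return hdr + question + owner + struct.pack("!HHIH", SOA, 1, 3600, len(rdata)) + rdata
```

Fed the raw bytes of the DS reply captured from a forwarder (for instance from the packet sniffing mentioned above), a "child-soa" result is the tell-tale sign that the caching server is not DNSSEC aware and that validation on the forwarder will end in SERVFAIL.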
