DS record in child zone
Mark Andrews
marka at isc.org
Mon Jan 31 11:34:19 UTC 2011
In message <4D4693CB.60105 at dialtelecom.cz>, "ryslink at dialtelecom.cz" writes:
> Hello, we have a DNS resolver running the latest 9.7 bind version, and
> there is a problem with several zones from these authoritative servers
> (frantovo.cz is just an example, the problem prevails in all signed
> zones from these authoritative servers):
>
> frantovo.cz. 3111 IN NS ns.forpsi.net.
> frantovo.cz. 3111 IN NS ns.forpsi.cz.
> frantovo.cz. 3111 IN NS ns.forpsi.it.
>
> Our resolver logs this:
>
> 31-Jan-2011 11:45:30.837 dnssec: debug 3: validating @0xd69c000:
> frantovo.cz NS: starting
> 31-Jan-2011 11:45:30.837 dnssec: debug 3: validating @0xd69c000:
> frantovo.cz NS: attempting insecurity proof
> 31-Jan-2011 11:45:30.837 dnssec: debug 3: validating @0xd69c000:
> frantovo.cz NS: checking existence of DS at 'cz'
> 31-Jan-2011 11:45:30.837 dnssec: debug 3: validating @0xd69c000:
> frantovo.cz NS: checking existence of DS at 'frantovo.cz'
> 31-Jan-2011 11:45:30.837 dnssec: debug 3: validating @0xd69c000:
> frantovo.cz NS: insecurity proof failed
> 31-Jan-2011 11:45:30.837 dnssec: info: validating @0xd69c000:
> frantovo.cz NS: got insecure response; parent indicates it should be secure
>
>
> The problem arises from the fact that all these servers fail to respond
> to queries on DS record for their zones:
>
> # dig @ns.forpsi.cz frantovo.cz ds
>
> ; <<>> DiG 9.7.2-P2 <<>> @ns.forpsi.cz frantovo.cz ds
> ; (1 server found)
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached
>
> Which is strange, because according to RFCs, the DS record for a given
> zone is required only in the parent zone, not the child zone itself.
> Does BIND query for the existence of a DS record in the child zone, and
> if so, why? Or is the cause of the problem different?
What makes you think named asked those servers? DS at 'frantovo.cz' will
be asked to the parent (cz) zone.
> Any advice would be welcome, thanks in advance.
>
> Best Regards
> Daniel Ryslink
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
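
A small triage script for the validator log lines quoted in this thread, added here as an example (not code from the original messages or from BIND): it groups the `dnssec` log lines by validator context and lists each DS existence check together with the zone expected to hold that DS, which is the delegating parent. The function names and the assumption of a zone cut at every label are assumptions of this example.

```python
import re

# Log lines copied from the excerpt quoted above, with the mail line-wrapping undone.
SAMPLE_LOG = """\
31-Jan-2011 11:45:30.837 dnssec: debug 3: validating @0xd69c000: frantovo.cz NS: starting
31-Jan-2011 11:45:30.837 dnssec: debug 3: validating @0xd69c000: frantovo.cz NS: attempting insecurity proof
31-Jan-2011 11:45:30.837 dnssec: debug 3: validating @0xd69c000: frantovo.cz NS: checking existence of DS at 'cz'
31-Jan-2011 11:45:30.837 dnssec: debug 3: validating @0xd69c000: frantovo.cz NS: checking existence of DS at 'frantovo.cz'
31-Jan-2011 11:45:30.837 dnssec: debug 3: validating @0xd69c000: frantovo.cz NS: insecurity proof failed
31-Jan-2011 11:45:30.837 dnssec: info: validating @0xd69c000: frantovo.cz NS: got insecure response; parent indicates it should be secure
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) dnssec: (?P<level>debug \d+|info): "
    r"validating @(?P<ctx>0x[0-9a-f]+): (?P<name>\S+) (?P<rtype>\S+): (?P<msg>.*)$"
)
DS_CHECK_RE = re.compile(r"checking existence of DS at '([^']+)'")
BROKEN = "got insecure response; parent indicates it should be secure"


def ds_lives_in(owner):
    """Zone expected to hold the DS for `owner`: the delegating (parent) side.
    Assumes a zone cut at every label, which holds for cz and frantovo.cz."""
    owner = owner.rstrip(".")
    return owner.split(".", 1)[1] if "." in owner else "."


def triage(log_text):
    """Group validator messages by (context, name, type) and summarise each run."""
    runs = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a dnssec validator line
        key = (m["ctx"], m["name"], m["rtype"])
        run = runs.setdefault(key, {"ds_checks": [], "proof_failed": False, "broken_chain": False})
        ds = DS_CHECK_RE.search(m["msg"])
        if ds:  # record (DS owner name, zone that should hold that DS)
            run["ds_checks"].append((ds.group(1), ds_lives_in(ds.group(1))))
        elif m["msg"] == "insecurity proof failed":
            run["proof_failed"] = True
        elif m["msg"] == BROKEN:
            run["broken_chain"] = True
    return runs


if __name__ == "__main__":
    for (ctx, name, rtype), run in triage(SAMPLE_LOG).items():
        print(name, rtype, run)
```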