[dns-operations] Bind 9.8.0 intermittent problem with non-recursive responses

Marc Lampo marc.lampo at eurid.eu
Fri May 20 06:16:26 UTC 2011

Implementation specific, probably, but with Bind it's the authoritative
part that wins!

(assuming the caching name server is DNSSEC enabled, possibly even
validating DNSSEC, then)

If Bind is caching for all,
but authoritative for some domains (I think this is called: "bogus for
some domains"),
a query for something in those domains where it is bogus
gets a reply with "AA" set.
This regardless of whether the official/public domain has or has no
DNSSEC information itself.
--> so, the bogus name server will produce acceptable results
    (yes, we - the Internet community - have been doing this for years,
     making our caching name server bogus for our own public domains)

But the problem is for "validating resolvers" (like a validating forwarding
name server)
that use this name server:
because the validating resolver asks for DS records,
because the DS records are in the *parent* zone,
the validating resolver gets DS records (for public, signed, domains)
and will *insist* on replies it can validate (signed with correct key).
If the "bogus" domain is not signed, that will fail ...

(cf. http://www.eurid.eu/files/Insights_DNSSEC2.pdf,
 combine info on pages 15+16 (bogus NS) and 17+18 (forwarding NS))

Kind regards,

Marc Lampo
Security Officer


-----Original Message-----
From: Matthew Pounsett [mailto:matt at conundrum.com] 
Sent: 20 May 2011 06:49 AM
To: Carlos Vicente
Cc: bind-users at lists.isc.org
Subject: Re: [dns-operations] Bind 9.8.0 intermittent problem with
non-recursive responses

On 2011-05-20, at 00:35, Carlos Vicente wrote:

> That's news to me.  What's the failure mode? Does the server return
> SERVFAIL, or does it not set the AD flag, or...?

It's another undefined condition in the RFCs, and so the outcome is
implementation specific.  I believe in the case of BIND the authoritative
algorithm wins out, and so you get RRSIGs and no AD flag.  I haven't
tested this one out personally, but I vaguely recall the problem coming up
on one of the DNS operations lists several months ago, so someone else may
have a more detailed answer.
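The failure mode Marc describes above (a caching server that is "bogus" for a copy of a public, signed zone hands out AA answers without signatures, while a validating resolver downstream already holds the DS record from the parent and therefore refuses them) can be shown with a small model. The following is an added example, not code from the thread or from BIND: the DS-from-DNSKEY computation and key tag follow RFC 4034, the DNSKEY bytes are a constructed dummy (not a real key), and RRSIG verification is reduced to a boolean flag on the answer, which is an assumption made to keep the example self-contained.

```python
import hashlib
import struct

# --- DS / DNSKEY arithmetic per RFC 4034 ---------------------------------

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags(16) | protocol(8) | algorithm(8) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest per RFC 4034 section 5.1.4: digest(owner name | DNSKEY RDATA)."""
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return hasher(name_to_wire(owner) + rdata).hexdigest().upper()

def make_ds(owner, flags, protocol, algorithm, pubkey, digest_type=2):
    """The DS record the parent zone would publish for this DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    return (key_tag(rdata), algorithm, digest_type, ds_digest(owner, rdata, digest_type))

# --- the validating resolver's decision ----------------------------------

def classify_answer(zone: str, parent_ds: list, answer: dict) -> str:
    """
    Model of what a validating resolver does with an answer for `zone`.
    parent_ds : DS records the validator obtained from the *parent* zone.
    answer    : {'aa': bool, 'dnskeys': [(flags, proto, alg, pubkey), ...], 'rrsig': bool}
    The DS -> DNSKEY link is computed for real; signature verification is
    modelled by the 'rrsig' flag (assumption for this example).
    """
    if not parent_ds:
        return "insecure"   # provably unsigned delegation: unsigned data is accepted
    chained = False
    for flags, proto, alg, pub in answer.get("dnskeys", []):
        rdata = dnskey_rdata(flags, proto, alg, pub)
        for ds_tag, ds_alg, ds_type, digest in parent_ds:
            if (ds_tag, ds_alg) == (key_tag(rdata), alg) and ds_digest(zone, rdata, ds_type) == digest:
                chained = True
    if not chained or not answer.get("rrsig", False):
        return "bogus"      # SERVFAIL to the client, whatever the AA bit says
    return "secure"

def run_scenarios():
    zone = "example.com."
    # Constructed dummy DNSKEY (KSK flags 257, protocol 3, algorithm 8); not a real key.
    public_key = (257, 3, 8, b"\x03\x01\x00\x01" + bytes(range(64)))
    ds_from_parent = [make_ds(zone, *public_key)]
    # What the "bogus" internal authoritative copy returns: AA set, nothing signed.
    bogus_reply = {"aa": True, "dnskeys": [], "rrsig": False}
    # What the real public authoritative servers return.
    signed_reply = {"aa": True, "dnskeys": [public_key], "rrsig": True}
    return {
        "internal copy, zone signed at parent": classify_answer(zone, ds_from_parent, bogus_reply),
        "internal copy, zone has no DS": classify_answer(zone, [], bogus_reply),
        "real signed answer": classify_answer(zone, ds_from_parent, signed_reply),
    }

if __name__ == "__main__":
    for case, verdict in run_scenarios().items():
        print(f"{case:40s} -> {verdict}")
```

The three verdicts make the point of the thread concrete: the same unsigned AA reply is accepted when the parent publishes no DS for the zone, but is bogus as soon as a DS exists, because the validator's trust decision is driven by the parent's DS, not by the AA bit of whichever server answered.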
