[dns-operations] Bind 9.8.0 intermittent problem with non-recursive responses
marc.lampo at eurid.eu
Mon May 23 05:05:26 UTC 2011
Yes, this is a setup I tested (with Bind as name server).
You would be getting answers, not with the AD bit set.
From: Carlos Vicente [mailto:cvicente.lists at gmail.com]
Sent: 20 May 2011 07:53 PM
To: Marc Lampo
Cc: bind-users at lists.isc.org
Subject: Re: [dns-operations] Bind 9.8.0 intermittent problem with
So, if I understand you correctly, if I were to sign my authoritative
zone and my caching nameserver, which is "bogus" for this zone, is
dnssec enabled, and also validating, and no other validating
nameserver is querying this bogus nameserver, then it's OK?
On Thu, May 19, 2011 at 11:16 PM, Marc Lampo <marc.lampo at eurid.eu> wrote:
> Implementation specific, probably, but with Bind it's the authoritative
> part that wins!
> (assuming the caching name server is DNSSEC enabled, possibly even
> validating DNSSEC, then)
> If Bind is caching for all,
> but authoritative for some domains (I think this is called: "bogus for
> some domains"),
> a query for something in those domains where it is bogus,
> gets a reply with "AA" set.
> This regardless of the fact if the official/public domain has or has no
> DNSSEC information itself.
> --> so, the bogus name server will produce acceptable results
> (yes, we - the Internet community - have been doing this for years,
> make our caching name server bogus for our own public domains)
> But the problem is for "validating resolvers" (like validating
> name server),
> that use this name server:
> because the validating resolver asks for DS records,
> because the DS records are in the *parent* zone,
> the validating resolver gets DS records (for public, signed, domains)
> and will *insist* on replies it can validate (signed with correct key).
> If the "bogus" domain is not signed, that will fail ...
> (cfr http://www.eurid.eu/files/Insights_DNSSEC2.pdf,
> combine info on pages 15+16 (bogus NS) and 17+18 (forwarding NS))
> Kind regards,
> Marc Lampo
> Security Officer
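As an added illustration (not part of this thread, and not ISC's or EURid's code), the following Python model shows the decision a validating resolver makes when it obtains an answer for a public, signed zone through a caching server that is "bogus" (authoritative for its own copy) for that zone. The parent DS record is rebuilt from the child's DNSKEY exactly as RFC 4034 specifies (key tag from Appendix B, SHA-256 digest over owner name plus DNSKEY RDATA); actual RRSIG signature verification is deliberately reduced to "an RRSIG exists and names a key whose DS the parent publishes". All zone names, key bytes and record contents are constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional, Sequence


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root terminator."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


@dataclass(frozen=True)
class DNSKEY:
    flags: int          # 257 = key-signing key (SEP bit set), 256 = zone-signing key
    algorithm: int      # DNSSEC algorithm number, e.g. 8 = RSASHA256
    public_key: bytes   # constructed placeholder bytes, not a real public key

    def rdata(self) -> bytes:
        # flags (2 bytes) | protocol (always 3) | algorithm | public key
        return self.flags.to_bytes(2, "big") + b"\x03" + bytes([self.algorithm]) + self.public_key

    def key_tag(self) -> int:
        # RFC 4034 Appendix B key tag computed over the DNSKEY RDATA
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += (b << 8) if i % 2 == 0 else b
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int    # 2 = SHA-256
    digest: bytes


def make_ds(owner: str, key: DNSKEY) -> DS:
    """DS record the parent zone publishes for the child's key (RFC 4034 section 5.1.4, SHA-256)."""
    digest = hashlib.sha256(name_to_wire(owner) + key.rdata()).digest()
    return DS(key.key_tag(), key.algorithm, 2, digest)


@dataclass(frozen=True)
class Answer:
    """Simplified model of a reply from the 'bogus' (authoritative-for-a-copy) name server."""
    owner: str
    aa: bool                      # answered from the server's own authoritative copy
    dnskeys: Sequence[DNSKEY]     # DNSKEY RRset the copy publishes; empty if the copy is unsigned
    signed_by_tag: Optional[int]  # key tag named in the RRSIG over the answer; None if no RRSIG


def validate(parent_ds: Sequence[DS], answer: Answer) -> str:
    """
    Decision a validating resolver makes for a reply obtained via the bogus server.
    Simplified: cryptographic signature checking is reduced to 'an RRSIG exists and
    names a DNSKEY whose DS matches one the parent publishes'.
    Returns 'insecure', 'secure' or 'bogus'.
    """
    if not parent_ds:
        return "insecure"   # parent has no DS: the zone is unsigned, unsigned replies are fine
    for key in answer.dnskeys:
        if make_ds(answer.owner, key) in parent_ds and answer.signed_by_tag == key.key_tag():
            return "secure"
    return "bogus"          # DS exists but no acceptable chain: the validator returns SERVFAIL


def scenarios() -> dict:
    """Outcomes for the cases discussed in the thread (all keys and names constructed)."""
    zone = "example.net."
    public_ksk = DNSKEY(257, 8, b"constructed-public-ksk")
    internal_only_ksk = DNSKEY(257, 8, b"constructed-internal-only-ksk")
    parent_ds = [make_ds(zone, public_ksk)]  # what the public parent zone serves for example.net.

    unsigned_copy = Answer(zone, True, (), None)
    copy_signed_with_public_key = Answer(zone, True, (public_ksk,), public_ksk.key_tag())
    copy_signed_with_other_key = Answer(zone, True, (internal_only_ksk,), internal_only_ksk.key_tag())

    return {
        "parent_has_no_ds": validate([], unsigned_copy),
        "unsigned_copy": validate(parent_ds, unsigned_copy),
        "copy_signed_with_public_key": validate(parent_ds, copy_signed_with_public_key),
        "copy_signed_with_other_key": validate(parent_ds, copy_signed_with_other_key),
    }


if __name__ == "__main__":
    for case, result in scenarios().items():
        print(f"{case}: {result}")
```

The four cases line up with the thread: an unsigned zone (no DS in the parent) resolves as insecure whether or not the copy is signed; once the public zone is signed and the parent carries a DS, an unsigned internal copy is rejected as bogus by any validating resolver that uses the bogus server; signing the copy with the same key the DS points to restores a validating chain; signing it with a different key does not, because the DS in the parent is what the validator trusts.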