Occasional SERVFAILs from "dig NS iq."

Chris Thompson cet1 at cam.ac.uk
Tue Sep 24 16:16:31 UTC 2013


On Sep 24 2013, Tony Finch wrote:

>Chris Thompson <cet1 at cam.ac.uk> wrote:
>
>> I have noticed that I get occasional (fast) SERVFAIL responses from
>> "dig NS iq.", e.g.
>>
>> "iq" is partially signed, in the sense that some of its nameservers
>> deliver a signed version, and some an unsigned one, but I don't see
>> how that leads to the effect observed.
>
>It seems to happen when named gets a signed NS response then gets NODATA
>when it asks for the DNSKEY RRset. If it gets an unsigned NS response it
>is happy; if it gets signed NS and DNSKEY responses it is happy.

Yes, that seems to be right. But that's a bug, because absence of DNSKEY
records is not an error unless the zone is in the must-be-signed state.
BIND should go into "in that case I must prove the zone not required to
be signed" mode (top-down rather than bottom-up).

Quite a number of TLDs have been deploying DNSSEC in the same ultra-cautious
way as "iq" recently. I am surprised this bug hasn't drawn itself to our
attention before now. It surely can't have been there in the 2010 DURZ era,
when some root zone servers were serving (fake) signed versions and some
unsigned ones.

-- 
Chris Thompson
Email: cet1 at cam.ac.uk
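The two validation orders discussed in this thread can be sketched as a small model. This is an added illustration, not part of the original message and not BIND's code: `ZoneObservation`, `top_down`, `bottom_up`, `rcode` and the scenario names are assumptions of the model, and signature and key-tag verification is abstracted away as passing whenever the records exist. The "bottom-up" function reproduces the behaviour Tony describes (a signed NS answer followed by NODATA for DNSKEY is treated as fatal); the "top-down" function first asks whether the parent publishes a DS, which is what decides whether the zone is in the must-be-signed state.

```python
"""Model of how a validating resolver classifies a partially signed TLD.

Constructed illustration, not BIND source. Three observed facts drive the
decision (the field names are assumptions of this model):
  ns_signed       the NS answer carried RRSIGs
  dnskey_present  the DNSKEY query returned an RRset (False = NODATA)
  parent_has_ds   the parent holds a DS for the zone (False = the parent's
                  signed denial of existence proves there is no DS)
"""
from dataclasses import dataclass
from enum import Enum


class Security(Enum):
    SECURE = "secure"      # chain of trust intact
    INSECURE = "insecure"  # parent proves no DS, so unsigned data is acceptable
    BOGUS = "bogus"        # validation failed; the resolver answers SERVFAIL


@dataclass(frozen=True)
class ZoneObservation:
    ns_signed: bool
    dnskey_present: bool
    parent_has_ds: bool


def top_down(obs: ZoneObservation) -> Security:
    """Parent first: the DS (or its proven absence) decides whether the
    child is required to be signed at all."""
    if not obs.parent_has_ds:
        # No DS: the zone is not in the must-be-signed state, so whatever mix
        # of signed and unsigned answers it serves is accepted as insecure.
        return Security.INSECURE
    # DS present: the zone must serve a DNSKEY chaining to it and signed
    # answers. (Signature checks are assumed to pass when records exist.)
    if obs.ns_signed and obs.dnskey_present:
        return Security.SECURE
    return Security.BOGUS


def bottom_up(obs: ZoneObservation) -> Security:
    """Behaviour described in the thread: a signed NS answer creates the
    expectation that DNSKEY must exist, and NODATA is treated as fatal
    before the parent is consulted."""
    if obs.ns_signed and not obs.dnskey_present:
        return Security.BOGUS
    return top_down(obs)


def rcode(state: Security) -> str:
    """Map the validation outcome to the RCODE the client sees."""
    return "SERVFAIL" if state is Security.BOGUS else "NOERROR"


# Constructed scenarios (ns_signed, dnskey_present, parent_has_ds). The first
# three are the cases listed in the thread, with no DS at the parent, as for
# a TLD that signs some servers but has not yet published a DS.
SCENARIOS = {
    "unsigned NS": ZoneObservation(False, False, False),
    "signed NS, DNSKEY present": ZoneObservation(True, True, False),
    "signed NS, DNSKEY NODATA": ZoneObservation(True, False, False),
    # Control: once a DS is published, a missing DNSKEY really is bogus.
    "DS published, DNSKEY NODATA": ZoneObservation(True, False, True),
}


def compare() -> dict:
    """Return {scenario: (bottom-up RCODE, top-down RCODE)} for every case."""
    return {name: (rcode(bottom_up(o)), rcode(top_down(o)))
            for name, o in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (bu, td) in compare().items():
        print(f"{name:28s} bottom-up={bu:8s} top-down={td}")
```

Only the third scenario differs between the two orderings: the bottom-up model returns SERVFAIL for a zone that the parent has never asked to be signed, while the top-down model accepts the answer as insecure. The fourth scenario shows that both orderings agree once a DS exists, which is why the problem only surfaces for zones deploying DNSSEC before publishing a DS.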