Insecurity proof failed resolving newsletter.postbank.de - but why?
Graham Clinch
g.clinch at lancaster.ac.uk
Mon Jan 20 17:46:30 UTC 2014
Hi List (& Chris & Tony),

> What *does* matter is that the NSEC3 "proves" that there are no NS
> records as well (as no DS ones) for newsletter.postbank.de (despite
> the fact that the NS records are included in the referral). Note the
> absence of opt-out in the NSEC3.

Thanks for the replies - and noticing the missing 'NS'!

From my rather brain-busting afternoon reading, I believe this
situation is covered by section 4.4 of RFC 6840, which requires a
validator to ensure the NS type bit is set for an insecure delegation's
NSEC(3) (or that it's covered by opt-out, but as Chris pointed out, that
doesn't seem to be the case here).

I've left feedback for the dnsviz maintainer in the hopes that this case
can be picked up in future.

Graham
--
Graham Clinch
Systems Programmer,
Lancaster University
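
The RFC 6840 section 4.4 bit check discussed in this message, as an added example that is not part of the original post and is not BIND's or dnsviz's code. The function names and sample bitmaps are hypothetical, and the sketch assumes the NSEC3 RRSIG and the owner-hash match or cover relationship were already verified elsewhere.

```python
# Added example: type-bitmap test a validator applies to an NSEC3
# offered as proof that a delegation is insecure (RFC 6840 section 4.4).
NS, SOA, DS = 2, 6, 43      # RR type codes
OPT_OUT = 0x01              # Opt-Out bit in the NSEC3 Flags field (RFC 5155)


def parse_type_bitmap(wire: bytes) -> set[int]:
    """Decode an RFC 4034 4.1.2 window-block bitmap into a set of RR types."""
    types, pos, last_window = set(), 0, -1
    while pos < len(wire):
        if pos + 2 > len(wire):
            raise ValueError("truncated window header")
        window, length = wire[pos], wire[pos + 1]
        block = wire[pos + 2 : pos + 2 + length]
        if not 1 <= length <= 32 or len(block) != length:
            raise ValueError("bad bitmap length")
        if window <= last_window:
            raise ValueError("windows out of order")
        for i, octet in enumerate(block):
            for bit in range(8):
                if octet & (0x80 >> bit):   # bits are numbered MSB first
                    types.add(window * 256 + i * 8 + bit)
        last_window, pos = window, pos + 2 + length
    return types


def insecure_delegation_proven(bitmap: bytes, flags: int, matches_name: bool):
    """Return (ok, reason). matches_name is True when the NSEC3 owner hash
    equals the hash of the delegation name, False when it only covers it."""
    if not matches_name:
        if flags & OPT_OUT:
            return True, "covered by opt-out"
        return False, "covering NSEC3 without opt-out"
    types = parse_type_bitmap(bitmap)
    if DS in types:
        return False, "DS bit set: delegation is signed"
    if SOA in types:
        return False, "SOA bit set: record is from the child apex"
    if NS not in types:
        return False, "NS bit clear: no delegation proven"
    return True, "NS set, DS and SOA clear"


# Constructed sample bitmaps (not captured from postbank.de):
NO_NS_NO_DS = bytes.fromhex("0006400000000002")  # A, RRSIG
NS_ONLY = bytes.fromhex("000120")                # NS
NS_AND_DS = bytes.fromhex("0006200000000012")    # NS, DS, RRSIG
```

The `NO_NS_NO_DS` case with `flags=0` and `matches_name=True` mirrors the shape of the failure described in the thread: a matching NSEC3 with neither NS nor DS and no opt-out.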