<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]-->
<style>
<!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:"Arial Narrow";
panose-1:2 11 6 6 2 2 2 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0cm;
margin-right:0cm;
margin-bottom:0cm;
margin-left:36.0pt;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:1524127348;
mso-list-type:hybrid;
mso-list-template-ids:504410360 470351889 470351897 470351899 470351887 470351897 470351899 470351887 470351897 470351899;}
@list l0:level1
{mso-level-text:"%1\)";
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
ol
{margin-bottom:0cm;}
ul
{margin-bottom:0cm;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="2050" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-ZA link=blue vlink=purple>
<div class=WordSection1>
<p class=MsoNormal>Hello,<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Much attention has been given to DNSSEC – how it brings
security – the “chain-of-trust” – the root zone signed –
activities of tld’s to get signed - ...<br>
but we – I belong to an organisation in charge of a tld – should also
pay attention to the validating, client, side of DNSSEC.<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>What I see in practice, but which might simply be “implementation”
of a name service,<o:p></o:p></p>
<p class=MsoNormal>is that a forwarding + validating name server,<o:p></o:p></p>
<p class=MsoNormal>that forwards to a caching name server which is <b>not aware</b>
of DNSSEC,<o:p></o:p></p>
<p class=MsoNormal><b>cannot resolve anything</b> : all responses for either
signed or unsigned domains return SERVFAIL !<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Packet sniffing and query logging of respective name servers
show that the forwarding name server<o:p></o:p></p>
<p class=MsoListParagraph style='text-indent:-18.0pt;mso-list:l0 level1 lfo1'><![if !supportLists]><span
style='mso-list:Ignore'>1)<span style='font:7.0pt "Times New Roman"'>
</span></span><![endif]>Performs a first query, to which it receives a reply<o:p></o:p></p>
<p class=MsoListParagraph style='text-indent:-18.0pt;mso-list:l0 level1 lfo1'><![if !supportLists]><span
style='mso-list:Ignore'>2)<span style='font:7.0pt "Times New Roman"'>
</span></span><![endif]>Performs a second query for the DS record of the domain.<br>
To which the caching, DNSSEC unaware, name server <b>always</b> replies with : “0
answers”.<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Thereupon the reply to the initial client, of the forwarding
name server, is : SERVFAIL.<o:p></o:p></p>
<p class=MsoNormal>And this regardless of the fact that there are or are not DS
records available.<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>The “problem” seems to be that the DNSSEC
unaware caching name server looks for the DS records in the wrong place :<br>
it queries the authoritative NS’s of the domain,<br>
(rather than the <b>parent domain</b> !)<o:p></o:p></p>
<p class=MsoNormal>Consequently, the “0 answers” reply comes with
the SOA record of the domain, *<b>not</b>* the SOA record of its parent.<o:p></o:p></p>
<p class=MsoNormal>I suppose the forwarding + validating name server then
concludes there is a problem, and fails towards its client.<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>My questions to the community :<o:p></o:p></p>
<p class=MsoNormal>? is this a principal DNSSEC protocol error ?<br>
? is this specific behaviour of a name server implementation (Bind 9.7),
failing precise definition of how to behave in this case : “unexplored
fields” ?<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>While this gets sorted out, be careful when adding DNSSEC
validation to forwarding name servers :<o:p></o:p></p>
<p class=MsoNormal> only if the caching name server(s), to which queries
are forwarded, are DNSSEC aware themselves<o:p></o:p></p>
<p class=MsoNormal> will the combination “forwarding” + “validating”
be successful.<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Comments welcome !<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Kind regards,<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal><span lang=EN-US style='font-size:10.5pt;font-family:"Arial Narrow","sans-serif";
color:#595959'>Marc Lampo<o:p></o:p></span></p>
<p class=MsoNormal><i><span lang=EN-US style='font-size:10.0pt;color:black'>Security
Officer</span></i><span lang=EN-US style='font-size:10.5pt;font-family:"Arial Narrow","sans-serif";
color:#595959'><o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:gray'> </span><span
lang=EN-US style='font-size:10.5pt;font-family:"Arial Narrow","sans-serif";
color:#595959'><o:p></o:p></span></p>
<p class=MsoNormal><i><span lang=EN-US style='font-size:10.5pt;font-family:
"Arial Narrow","sans-serif";color:#595959'> </span></i><span
style='font-size:10.5pt;font-family:"Arial Narrow","sans-serif";color:#595959'>EUR<i>id</i><o:p></o:p></span></p>
<p class=MsoNormal><i><span style='font-size:10.5pt;font-family:"Arial Narrow","sans-serif";
color:#595959'> </span></i><span style='font-size:10.5pt;
font-family:"Arial Narrow","sans-serif";color:#595959'>Woluwelaan
150 <o:p></o:p></span></p>
<p class=MsoNormal><i><span style='font-size:10.5pt;font-family:"Arial Narrow","sans-serif";
color:#595959'> </span></i><span lang=DE style='font-size:
10.5pt;font-family:"Arial Narrow","sans-serif";color:#595959'>1831 Diegem -
Belgium<o:p></o:p></span></p>
<p class=MsoNormal><i><span lang=DE style='font-size:10.5pt;font-family:"Arial Narrow","sans-serif";
color:#595959'> </span></i><span lang=DE style='font-size:
10.5pt;font-family:"Arial Narrow","sans-serif";color:#595959'>TEL.: +32 (0) 2
401 3030<o:p></o:p></span></p>
<p class=MsoNormal><span lang=DE style='font-size:10.5pt;font-family:"Arial Narrow","sans-serif";
color:#595959'> MOB.:+32 (0)476 984 391</span><span lang=DE
style='font-size:12.0pt;font-family:"Times New Roman","serif";color:gray'><o:p></o:p></span></p>
<p class=MsoNormal><span lang=DE style='font-size:10.5pt;font-family:"Arial Narrow","sans-serif";
color:#595959'> </span><span lang=NL-BE style='font-size:
10.5pt;font-family:"Arial Narrow","sans-serif";color:#595959'><a
href="mailto:christine.van.rillaer@eurid.eu"
title="blocked::mailto:mail@eurid.eu"><span lang=DE style='color:blue'>marc.lampo@eurid.eu</span></a></span><span
lang=NL-BE style='font-size:10.5pt;font-family:"Arial Narrow","sans-serif";
color:#595959'> </span><span lang=DE style='font-size:10.5pt;font-family:"Arial Narrow","sans-serif";
color:#595959'><o:p></o:p></span></p>
<p class=MsoNormal><span lang=DE style='font-size:10.5pt;font-family:"Arial Narrow","sans-serif";
color:#595959'> </span><span lang=NL-BE style='font-size:
10.5pt;font-family:"Arial Narrow","sans-serif";color:#595959'><a
href="http://www.eurid.eu/" title="blocked::http://www.eurid.eu/"><span
style='color:blue'>http://www.eurid.eu</span></a><o:p></o:p></span></p>
<p class=MsoNormal><i><span lang=NL-BE style='font-size:10.5pt;font-family:
"Arial Narrow","sans-serif";color:#595959'> </span></i><span
lang=NL-BE style='font-size:10.5pt;font-family:"Arial Narrow","sans-serif";
color:#595959'><o:p></o:p></span></p>
<p class=MsoNormal><b><span style='font-size:10.5pt;font-family:"Arial Narrow","sans-serif";
color:#595959'><img border=0 width=356 height=64 id="Picture_x0020_1"
src="cid:image001.jpg@01CB8004.9BEBD6A0"
alt="cid:image001.jpg@01C96CD5.54741F60"></span></b><b><span lang=NL-BE
style='font-size:10.5pt;font-family:"Arial Narrow","sans-serif";color:#595959'><o:p></o:p></span></b></p>
<p class=MsoNormal><b><span lang=NL-BE style='font-size:10.5pt;font-family:
"Arial Narrow","sans-serif";color:#595959'><o:p> </o:p></span></b></p>
<p class=MsoNormal><span lang=EN-US style='font-size:10.5pt;font-family:"Arial Narrow","sans-serif";
color:#595959'>Want a .eu web address in your own language? </span><span
lang=NL-BE style='font-size:10.5pt;font-family:"Arial Narrow","sans-serif";
color:#595959'><a href="http://www.eurid.eu/en/eu-domain-names/idns-eu"><span
lang=EN-US style='color:blue'>Find out how</span></a></span><span lang=EN-US
style='font-size:10.5pt;font-family:"Arial Narrow","sans-serif";color:#595959'>
so you don’t miss out!<o:p></o:p></span></p>
<p class=MsoNormal><o:p> </o:p></p>
</div>
</body>
</html>