
dnssec-updates text, include SOA in negative answers




Hi,

While writing a validator, I encountered the following issue. I would
like to propose adding some small text to the dnssec-updates document to
clean this up.

[proposed text]

Include SOA in negative answers.

Servers that serve DNSSEC signed zones SHOULD include SOA records in the
authority section for negative answers (name error, no data). This
enables clients to distinguish referrals from negative answers when the
query did not set the RD bit, and validate accordingly.

For example, a client makes a query without the RD bit to its upstream
caching server, and receives a reply from that cache with empty answer
section, NS record present, no SOA record, no DS record in the authority
section and maybe NSEC or NSEC3 records present in the authority
section, and possibly A records in the additional section. The presence
of the SOA record signals nodata instead of a referral. Trying to
determine the message status by attempting to use (any present) NSEC
records is error prone. The reason for the NSEC proof to fail may be a
security failure, and using that to determine message status conflates
security and message content.

[/proposed text]

You can leave out the 'For example' paragraph if you want, Sam; the
issue may be clear from the first.

I believe that current servers that serve DNSSEC all include SOA records
in the authority section; and therefore implementation is already
widespread. Simply trying to clean up the DNSSEC protocol by saying that
leaving out SOA records is not a good idea. (RFC 4034 and 4035 are
silent about including SOA records in negative answers, although the
examples show SOA records in the authority section).

Best regards,
   Wouter
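The referral-versus-nodata decision that the proposed text describes, as an added example that is not part of the original message or of any validator: a Python classifier (all names here are assumptions) that reads only the RCODE, the answer count and the RR types in the authority section of a wire-format response, reports "nodata" when an SOA record is present and "referral" when only NS records are, and never consults NSEC records for that decision. The message builder and the sample replies are constructed here for the demonstration.

```python
import struct
TYPE_NS, TYPE_SOA, TYPE_NSEC, NXDOMAIN = 2, 6, 47, 3

def wire_name(s):  # dotted name -> uncompressed wire format
    return b"".join(bytes([len(l)]) + l.encode() for l in s.split(".") if l) + b"\x00"

def wire_rr(name, rrtype, rdata):  # one IN record, TTL 3600
    return wire_name(name) + struct.pack("!HHIH", rrtype, 1, 3600, len(rdata)) + rdata

def build(rcode, qname, answer=(), authority=()):  # response with QR+AA set, one question
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8400 | rcode, 1, len(answer), len(authority), 0)
    return hdr + wire_name(qname) + struct.pack("!HH", 1, 1) + b"".join(answer) + b"".join(authority)

def skip_name(msg, off):  # offset just past a name; a 2-byte compression pointer ends it
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length
        if length == 0:
            return off

def section_types(msg, off, count):  # RR types of `count` records at `off`, and the end offset
    types = []
    for _ in range(count):
        off = skip_name(msg, off)
        rrtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        types.append(rrtype)
    return types, off

def classify(msg):  # status of an empty-answer reply, from RCODE and authority section only
    _id, flags, qd, an, ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    _answers, off = section_types(msg, off, an)
    authority, _ = section_types(msg, off, ns)
    if flags & 0xF == NXDOMAIN:
        return "nxdomain"
    if TYPE_SOA in authority:  # negative answer: next validate the NSEC proof for qname/qtype
        return "nodata"
    if TYPE_NS in authority:   # delegation: next validate DS, or the NSEC proof that no DS exists
        return "referral"
    return "ambiguous"

# Constructed samples: the same empty-answer reply with and without the SOA record.
SOA_RDATA = b"\x00\x00" + struct.pack("!IIIII", 1, 3600, 900, 604800, 3600)  # root MNAME/RNAME
NODATA = build(0, "www.example.", authority=[wire_rr("example.", TYPE_SOA, SOA_RDATA)])
REFERRAL = build(0, "www.example.", authority=[wire_rr("example.", TYPE_NS, wire_name("ns1.example.")),
                                               wire_rr("example.", TYPE_NSEC, b"\x00")])
```

The NSEC record in the referral sample is deliberately ignored: the classifier decides the message status first and leaves the NSEC proof to the validation step, which is the separation the proposed text argues for.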

archive: <http://ops.ietf.org/lists/namedroppers/>