At 1:05 PM +0100 11/28/07, W.C.A. Wijngaards wrote:
> Include SOA in negative answers. Servers that serve DNSSEC signed zones SHOULD include SOA records in the authority section for negative answers (name error, no data). This enables clients to distinguish referrals from negative answers when the query did not set the RD bit, and validate accordingly.
Is that necessary? If the negative answer is coming from an authoritative server, the AA bit will be on for a negative answer and off for a referral. OTOH, the AA bit is not covered by DNSSEC [RFC 4034 et al.] protection.
But I am less certain about this in responses from cache (in which the AA bit is never set).
(Ergo, I think the "for example" is needed to remind folks that this is a cache issue.)
> For example, a client makes a query without RD bit to its upstream caching server, and receives a reply from that cache with empty answer section, NS record present, no SOA record, no DS record in the authority section and maybe NSEC or NSEC3 records present in the authority section, and possibly A records in the additional section. The presence of the SOA record signals nodata instead of a referral. Trying to determine the message status by attempting to use (any present) NSEC records is error prone. The reason for the NSEC proof to fail may be a security failure, and using that to determine message status conflates security and message content.
Why would there be NS records in the authority section of a negative answer? (It's been a while for me, I am trying to recall negative answers in the DNSSEC era.)
If the NSEC records don't validate, what use is the response anyway? I mean, if there is a security failure, why then use the response to see if this is a referral or a negative answer?
I'm also trying to figure out the normal use case of asking a cache a non-RD bit query. I do it only for debugging, to see why a SERVFAIL was returned. I can't really imagine any other reason to ask a cache in a non-RD manner.
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
+1-571-434-5468
NeuStar

Think glocally. Act confused.

archive: <http://ops.ietf.org/lists/namedroppers/>
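The status-determination problem the two messages above argue about, as an added example that is not part of the thread: a small classifier that decides whether a NOERROR response with an empty answer section is NODATA, a referral, or undecidable, using only message content (SOA/NS/DS presence and the AA bit), never the outcome of an NSEC/NSEC3 proof. The message model, record tuples and sample responses are constructed for this example; real code would parse the wire format with a DNS library.

```python
"""Decide the status of a DNS response from its content alone.

Added example; not from the namedroppers thread or any resolver's code.
Records are modelled as (owner, rrtype) tuples; rdata is omitted because
the classification only depends on which types are present where.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

RR = Tuple[str, str]  # (owner name, RR type), e.g. ("example.", "SOA")


@dataclass
class DnsResponse:
    qname: str
    qtype: str
    rcode: str                     # "NOERROR", "NXDOMAIN", ...
    aa: bool = False               # Authoritative Answer bit (not signed)
    answer: List[RR] = field(default_factory=list)
    authority: List[RR] = field(default_factory=list)
    additional: List[RR] = field(default_factory=list)


def _has(section: List[RR], rrtype: str) -> bool:
    return any(rr[1] == rrtype for rr in section)


def classify(msg: DnsResponse) -> str:
    """Return ANSWER, NXDOMAIN, NODATA, REFERRAL or AMBIGUOUS.

    Deliberately ignores NSEC/NSEC3 records: whether their proof validates
    is a security question, and using it here would conflate security
    state with message content.
    """
    if msg.rcode == "NXDOMAIN":
        return "NXDOMAIN"
    if msg.rcode != "NOERROR":
        return msg.rcode
    if msg.answer:                 # data (or a CNAME chain) for the qname
        return "ANSWER"

    soa = _has(msg.authority, "SOA")
    ns = _has(msg.authority, "NS")
    ds = _has(msg.authority, "DS")

    if soa:                        # the SOA is the unambiguous NODATA signal
        return "NODATA"
    if not ns:                     # no delegation data at all: cannot be a referral
        return "NODATA"
    if ds:                         # NS plus DS in authority is a signed delegation
        return "REFERRAL"
    if msg.aa:
        # An authoritative server clears AA on referrals, so AA set means
        # NODATA.  Caution: AA is plaintext and not covered by DNSSEC.
        return "NODATA"
    # NS present, no SOA, no DS, AA clear (e.g. a cache answering a non-RD
    # query): the content does not distinguish NODATA from a referral.
    return "AMBIGUOUS"


def demo() -> Dict[str, str]:
    """Classify a set of constructed responses; returns name -> status."""
    q = ("www.example.", "AAAA")
    cases = {
        "cache_nodata_with_soa": DnsResponse(
            *q, "NOERROR", authority=[("example.", "SOA"), ("example.", "NSEC")]),
        "cache_nodata_no_soa": DnsResponse(
            *q, "NOERROR",
            authority=[("example.", "NS"), ("example.", "NSEC")],
            additional=[("ns1.example.", "A")]),
        "signed_referral": DnsResponse(
            *q, "NOERROR", authority=[("example.", "NS"), ("example.", "DS")]),
        "auth_nodata_no_soa": DnsResponse(
            *q, "NOERROR", aa=True, authority=[("example.", "NS")]),
        "name_error": DnsResponse(
            *q, "NXDOMAIN", aa=True, authority=[("example.", "SOA")]),
        "positive": DnsResponse(
            *q, "NOERROR", answer=[("www.example.", "AAAA")]),
    }
    return {name: classify(msg) for name, msg in cases.items()}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:24s} {status}")
```

The `cache_nodata_no_soa` case is exactly the situation quoted above: NS in the authority section, no SOA, no DS, NSEC present, a glue A record in additional, AA clear. Nothing in the message content settles it, which is why the SOA is proposed as the signal; the NSEC proof could settle it, but then a validation failure would be misread as a change in message type.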