
Re: dnssec-updates text, include SOA in negative answers



At 3:49 PM +0100 11/28/07, W.C.A. Wijngaards wrote:

>Rfc2308 shows a collection of negative answers, and NS records can be
>present and absent in the authority section of negative answers.
>Basically, NS record for the zone you query (with or without SOA
>record), or NS record for the zone after a CNAME and nxdomain.
The problem with RFC 2308 is that it doesn't document the header bits.

There's one example of a negative answer with NS records in the authority section and no SOA accompanying them.  That's for an NXDOMAIN only, and as section 2.2 starts:

"NODATA is indicated by an answer with the RCODE set to NOERROR and no
relevant answers in the answer section.  The authority section will
contain an SOA record, or there will be no NS records there."

So we are back to NXDOMAIN situation.  An NXDOMAIN can come from a cached answer (no AA).  There are four examples given.  Type 1 has SOA and NS, Type 2 has none of that.  There is this quote in 2.1.1:

"Some resolvers treat a TYPE 1 NXDOMAIN response as a referral.  To
alleviate this problem it is recommended that servers that are
authoritative for the NXDOMAIN response only send TYPE 2 NXDOMAIN
responses, that is the authority section contains a SOA record and no
NS records.  If a non-authoritative server sends a type 1 NXDOMAIN
response to one of these old resolvers, the result will be an
unnecessary query to an authoritative server."

Type 3 has an empty Authority section.

Type 4 looks just like the NOERROR referral.  What is said there?  Hmmmm.  In this case I don't find explanatory text.  But I would conclude that an NXDOMAIN is not a referral - the message is saying "your destination does not exist, but here are some NS records."  You'd be foolish to take these NS records as a referral "on the road to nowhere."

(Let me say my motivation is to resist the recommendation to add anything to the response, so I am looking hard to see if the addition of the SOA is a necessary evil.)

It would seem to me that instead of adding the SOA to the NS records there, we follow the Type 1 - Type 2 recommendation text and urge folks to just not include the NS set for the same reason cited there and in your problem statement.

So - would you consider instead a recommendation to not include NS records in a negative answer (as opposed to adding the SOA)?

>
>> If the NSEC records don't validate, what use is the response anyway? I
>> mean, if there is a security failure, why then use the response to see
>> if this is a referral or a negative answer?
>
>For RRSIG validation yes, but other NSEC checks depend on what you are
>trying to prove; wildcards, type missing, domain name error, DS types,
>child-vs-parent-side NSEC, and so on. These checks failing are not
>security failures in themselves, but become security failures depending
>on what you are trying to prove.

I don't agree - if the signature fails, the record (set) is garbage if you care about security.  Well, I mean, if you get an NSEC* with a bad sig it is useless.  If you get one with a good sig but then the bit map doesn't make sense, then I'd still guess it is garbage, spindulated (I made that word up) in some botched zone update/cache issue or maybe a calculated-to-confuse attack.

(Maybe I am missing the point here.)

>I don't know, but I want to validate it :-)
>
>You can have a resolver send its non-RD queries to a validating-cache,
>to make sure it is not led astray by bogus data? Now, I'm only trying to
>answer you, not saying this is likely to be useful.

I see your paranoia medication isn't working. ;)

DNSSEC doesn't guarantee that the data is correct, just that it came cleanly.  So there will be many times you validate the wrong IP address.  All DNSSEC does is make it possible to place blame on the poor zone admin, who will probably be busy preparing a resume; in the old days, he would have been pointing a finger at the host admin. ;)

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                                +1-571-434-5468
NeuStar

Think glocally.  Act confused.
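The RFC 2308 negative-answer shapes sorted through in the message above (NXDOMAIN Types 1 through 4, the NODATA types, and the "Type 4 looks just like a referral" problem), as an added example that is not part of the original thread or any resolver's code. It builds small DNS responses in wire format, parses them back, and labels them by the rules in RFC 2308 section 2. The zone names (example., ns1.example.) and the SOA contents are constructed for the example; the "relevant answer" test is a simplification that only looks for an RR of the queried type and does not walk CNAME chains.

```python
import struct

# Header flag bits and constants from RFC 1035 / RFC 2308.
QR, AA = 0x8000, 0x0400
RCODE_MASK = 0x000F
NOERROR, NXDOMAIN = 0, 3
T_A, T_NS, T_CNAME, T_SOA, T_ANY = 1, 2, 5, 6, 255


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels (no compression)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"


def soa_rdata(mname, rname):
    """Constructed SOA RDATA: MNAME, RNAME, serial, refresh, retry, expire, minimum."""
    return encode_name(mname) + encode_name(rname) + struct.pack("!IIIII", 1, 7200, 900, 1209600, 3600)


def build_response(qname, qtype, rcode, aa, answer=(), authority=()):
    """Build a constructed DNS response (ID 0x1234, one question, no additional section)."""
    flags = QR | (AA if aa else 0) | rcode
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answer), len(authority), 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    for owner, rtype, rdata in list(answer) + list(authority):
        msg += encode_name(owner) + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata
    return msg


def read_name(msg, off):
    """Decode a name at offset, following compression pointers; returns (name, next offset)."""
    labels = []
    while True:
        n = msg[off]
        if n == 0:
            return ".".join(labels) + ".", off + 1
        if n & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = read_name(msg, ptr)
            return (".".join(labels) + "." + tail if labels else tail), off + 2
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n


def parse_response(msg):
    """Parse the header, question, answer and authority sections of a DNS message."""
    _, flags, qd, an, ns, _ = struct.unpack("!HHHHHH", msg[:12])
    off, qtype = 12, None
    for _ in range(qd):
        _, off = read_name(msg, off)
        qtype = struct.unpack("!H", msg[off:off + 2])[0]
        off += 4
    sections = []
    for count in (an, ns):
        rrs = []
        for _ in range(count):
            owner, off = read_name(msg, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rrs.append((owner, rtype, msg[off:off + rdlen]))
            off += rdlen
        sections.append(rrs)
    return {"aa": bool(flags & AA), "rcode": flags & RCODE_MASK, "qtype": qtype,
            "answer": sections[0], "authority": sections[1]}


def referral_shaped(resp):
    """Empty answer, NS but no SOA in authority: the shape shared by a referral and a Type 4 NXDOMAIN."""
    types = {t for _, t, _ in resp["authority"]}
    return not resp["answer"] and T_NS in types and T_SOA not in types


def classify(resp):
    """Label a response per RFC 2308 section 2: four NXDOMAIN types, three NODATA types, or referral."""
    auth = {t for _, t, _ in resp["authority"]}
    has_soa, has_ns = T_SOA in auth, T_NS in auth
    if resp["rcode"] == NXDOMAIN:
        if has_soa and has_ns:
            return "NXDOMAIN type 1"
        if has_soa:
            return "NXDOMAIN type 2"
        if not has_ns:
            return "NXDOMAIN type 3"
        return "NXDOMAIN type 4"  # NS only: only the RCODE separates this from a referral
    if resp["rcode"] != NOERROR:
        return "error rcode %d" % resp["rcode"]
    # Simplification: a relevant answer is an RR of the queried type (any RR for ANY).
    relevant = [r for r in resp["answer"] if r[1] == resp["qtype"] or resp["qtype"] == T_ANY]
    if relevant:
        return "positive answer"
    if has_soa and has_ns:
        return "NODATA type 1"
    if has_soa:
        return "NODATA type 2"
    if not has_ns:
        return "NODATA type 3"
    return "referral"  # NOERROR, empty answer, NS without SOA (RFC 2308 section 2.2)


if __name__ == "__main__":
    ns = ("example.", T_NS, encode_name("ns1.example."))
    for rcode in (NOERROR, NXDOMAIN):
        r = parse_response(build_response("nowhere.example.", T_A, rcode, False, authority=[ns]))
        print("rcode=%d referral_shaped=%s -> %s" % (rcode, referral_shaped(r), classify(r)))
```

Running the block shows the two messages that differ only in RCODE both come out referral-shaped; dropping the NS set from the NXDOMAIN (the alternative floated in the message) or adding the SOA both remove that ambiguity, and the AA bit is carried through so a cached (non-AA) negative answer can be told apart from an authoritative one.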