Re: dnssec-updates text, include SOA in negative answers
See RFC 2308
> At 1:05 PM +0100 11/28/07, W.C.A. Wijngaards wrote:
>
> >Include SOA in negative answers.
> >
> >Servers that serve DNSSEC signed zones SHOULD include SOA records in the
> >authority section for negative answers (name error, no data). This
> >enables clients to distinguish referrals from negative answers when the
> >query did not set the RD bit, and validate accordingly.
>
> Is that necessary?
>
> If the negative answer is coming from an authoritative server, the AA
> bit will be on for a negative answer and off for a referral. OTOH,
> the AA bit is not covered by a DNSSEC [RFC 4034 et al.] protection.
>
> But I am less certain about this in responses from cache (in which
> the AA bit is never set).
>
> (Ergo, I think the "for example" is needed to remind folks that this
> is a cache issue.)
>
> >For example, a client makes a query without RD bit to its upstream
> >caching server, and receives a reply from that cache with empty answer
> >section, NS record present, no SOA record, no DS record in the authority
> >section and maybe NSEC or NSEC3 records present in the authority
> >section, and possibly A records in the additional section. The presence
> >of the SOA record signals nodata instead of a referral. Trying to
> >determine the message status by attempting to use (any present) NSEC
> >records is error prone. The reason for the NSEC proof to fail may be a
> >security failure, and using that to determine message status conflates
> >security and message content.
>
> Why would there be NS records in the authority section of a negative
> answer? (It's been a while for me, I am trying to recall negative
> answers in the DNSSEC era.)
>
> If the NSEC records don't validate, what use is the response anyway?
> I mean, if there is a security failure, why then use the response to
> see if this is a referral or a negative answer?
>
> I'm also trying to figure out the normal use case of asking a cache a
> non-RD bit query. I do it only for debugging, to see why a SERVFAIL
> was returned. I can't really imagine any other reason to ask a cache
> in a non-RD manner.
>
> --
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Edward Lewis +1-571-434-5468
> NeuStar
>
> Think glocally. Act confused.
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org
--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>
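The classification the thread argues about (referral versus NODATA versus NXDOMAIN, decided by RCODE and by the SOA/NS records in the authority section, as RFC 2308 section 2 lays out) is easy to get wrong when the answer comes from a cache with AA clear. The example below is added here and is not code from the list, from ISC or from the RFC; it uses a deliberately minimal RR model (constructed records, no wire parsing) and the RFC 2308 rules: NXDOMAIN is signalled by RCODE alone, a NOERROR response with an empty answer is NODATA when the authority section holds an SOA or is empty, and a NOERROR response carrying NS records but no SOA is a referral. It also computes the negative-caching TTL as min(SOA TTL, SOA MINIMUM) per RFC 2308 section 3, and returns no TTL at all when the SOA is absent, which is the case section 5 says should not be cached. The scenario quoted above (cache reply, empty answer, NS but no SOA, NSEC present) is the last sample message: note that the NSEC records play no part in the classification, which is the point Wijngaards' text makes.

```python
"""Classify DNS responses by RFC 2308 section 2 shapes (added example, not list/ISC/IETF code)."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class RR:
    """Minimal resource record: owner name, type, TTL and (SOA only) the MINIMUM field."""
    name: str
    rtype: str
    ttl: int = 3600
    minimum: Optional[int] = None  # SOA MINIMUM; caps the negative-cache TTL (RFC 2308 s3)


@dataclass
class Response:
    """A DNS response reduced to the fields RFC 2308 classification needs."""
    qname: str
    qtype: str
    rcode: str                          # "NOERROR" or "NXDOMAIN"
    aa: bool                            # Authoritative Answer flag (clear on cached replies)
    answer: List[RR] = field(default_factory=list)
    authority: List[RR] = field(default_factory=list)


def classify(resp: Response) -> str:
    """Return the RFC 2308 section 2 response type; NSEC/NSEC3 records are ignored on purpose."""
    soa = [rr for rr in resp.authority if rr.rtype == "SOA"]
    ns = [rr for rr in resp.authority if rr.rtype == "NS"]
    if resp.rcode == "NXDOMAIN":
        # RCODE alone makes this negative; the section shape only selects the RFC 2308 type.
        if soa and ns:
            return "NXDOMAIN type 1"
        if soa:
            return "NXDOMAIN type 2"
        if ns:
            return "NXDOMAIN type 4"
        return "NXDOMAIN type 3"
    if resp.rcode != "NOERROR":
        return "ERROR " + resp.rcode
    if resp.answer:
        return "ANSWER"
    # NOERROR with an empty answer: NODATA or referral, decided by SOA/NS presence.
    if soa and ns:
        return "NODATA type 1"
    if soa:
        return "NODATA type 2"
    if ns:
        # NS present, SOA absent: RFC 2308 s2.2 says a NODATA answer never looks like this,
        # so a client has to read it as a referral regardless of the AA bit or any NSEC.
        return "REFERRAL"
    return "NODATA type 3"


def is_negative(resp: Response) -> bool:
    """True for NXDOMAIN and NODATA responses, False for answers and referrals."""
    return classify(resp).startswith(("NXDOMAIN", "NODATA"))


def negative_cache_ttl(resp: Response) -> Optional[int]:
    """Negative-caching TTL per RFC 2308 s3: min(SOA TTL, SOA MINIMUM); None if no SOA (RFC 2308 s5)."""
    if not is_negative(resp):
        return None
    for rr in resp.authority:
        if rr.rtype == "SOA" and rr.minimum is not None:
            return min(rr.ttl, rr.minimum)
    return None


# Constructed sample messages (names are placeholders, not real zones).
SOA_RR = RR("example.test.", "SOA", ttl=3600, minimum=900)
NS_RR = RR("example.test.", "NS")
NSEC_RR = RR("www.example.test.", "NSEC")

AUTH_NXDOMAIN = Response("nope.example.test.", "A", "NXDOMAIN", aa=True,
                         authority=[SOA_RR, NS_RR, NSEC_RR])
CACHE_NODATA = Response("www.example.test.", "AAAA", "NOERROR", aa=False,
                        authority=[SOA_RR, NSEC_RR])
# The shape from the quoted draft text: cache reply, NS and NSEC but no SOA.
CACHE_NO_SOA = Response("www.example.test.", "AAAA", "NOERROR", aa=False,
                        authority=[NS_RR, NSEC_RR])

if __name__ == "__main__":
    for name, msg in [("AUTH_NXDOMAIN", AUTH_NXDOMAIN), ("CACHE_NODATA", CACHE_NODATA),
                      ("CACHE_NO_SOA", CACHE_NO_SOA)]:
        print(f"{name}: {classify(msg)}, negative TTL = {negative_cache_ttl(msg)}")
```

The third message is classified as a referral even though the cache meant it as NODATA; nothing in the message lets a client say otherwise without re-querying, which is why both RFC 2308 section 3 and the draft text want the SOA in every negative answer.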