On 20 Jan 2014, at 16:29, Stephane Bortzmeyer <[email protected]> wrote:
> On Mon, Jan 20, 2014 at 04:24:53PM +0000,
> Roy Arends <[email protected]> wrote
> a message of 121 lines which said:
>
>> I don’t understand the problem. Do you expect nic.red to be
>> dnssec-signed?
>
> Not at all. I expect its non-signature to be validated, but it isn’t.

Ahhhh, gotcha. The problem is indeed the absence of type NS in the type bit maps, as you (and Peter van Dijk) showed in your previous mail. According to RFC5155:

    8.9. Validating Referrals to Unsigned Subzones

    The delegation name in a referral is the owner name of the NS RRSet
    present in the authority section of the referral response. If there
    is an NSEC3 RR present in the response that matches the delegation
    name, then the validator MUST ensure that the NS bit is set and that
    the DS bit is not set in the Type Bit Maps field of the NSEC3 RR.

“Must ensure that the NS bit is set and that the DS bit is not set”. Good catch. Since NS bit wasn’t set in the NSEC3 record…

Roy

>
>
> % dig SOA nic.red
>
> ; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> SOA nic.red
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 54620
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;nic.red. IN SOA
>
> ;; Query time: 712 msec
> ;; SERVER: ::1#53(::1)
> ;; WHEN: Mon Jan 20 17:29:20 2014
> ;; MSG SIZE rcvd: 36
>
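The RFC 5155 section 8.9 check that the thread is about, as an added example (not code from the thread or from any resolver): it decodes the NSEC3 Type Bit Maps wire format (RFC 4034 section 4.1.2 window blocks) and then applies the "NS set, DS not set" rule to the NSEC3 matching a delegation name. The bitmaps used for the sample calls are constructed; the one without NS mirrors what Stephane saw for nic.red.

```python
"""NSEC3 Type Bit Maps decoding and the RFC 5155 8.9 referral check.

Added example; the wire-format bitmaps below are constructed, not captured.
"""
from typing import Set

# RR type codes relevant to the check (IANA DNS parameters).
NS, DS, RRSIG = 2, 43, 46


def parse_type_bitmaps(wire: bytes) -> Set[int]:
    """Decode Type Bit Maps: repeated (window, length, bitmap) blocks.

    window is the high octet of the type code, length is 1..32, and bit 7
    of bitmap byte 0 is type window*256 + 0 (RFC 4034 section 4.1.2).
    """
    types: Set[int] = set()
    i = 0
    while i < len(wire):
        if i + 2 > len(wire):
            raise ValueError("truncated window header")
        window, length = wire[i], wire[i + 1]
        if not 1 <= length <= 32:
            raise ValueError(f"invalid bitmap length {length}")
        bitmap = wire[i + 2:i + 2 + length]
        if len(bitmap) != length:
            raise ValueError("truncated bitmap")
        for byte_idx, byte in enumerate(bitmap):
            for bit in range(8):
                if byte & (0x80 >> bit):
                    types.add(window * 256 + byte_idx * 8 + bit)
        i += 2 + length
    return types


def referral_to_unsigned_subzone_ok(bitmap_wire: bytes) -> bool:
    """RFC 5155 8.9: for the NSEC3 RR matching the delegation name, the NS
    bit MUST be set and the DS bit MUST NOT be set. Any other combination
    means the referral does not validate (a resolver answers SERVFAIL)."""
    types = parse_type_bitmaps(bitmap_wire)
    return NS in types and DS not in types


if __name__ == "__main__":
    # Constructed: window 0, one byte, only NS (type 2 -> bit 0x20).
    print(referral_to_unsigned_subzone_ok(b"\x00\x01\x20"))  # True
    # Constructed: A (type 1) and RRSIG (type 46) set, NS missing.
    print(referral_to_unsigned_subzone_ok(b"\x00\x06\x40\x00\x00\x00\x00\x02"))  # False
```

A signed delegation (NS and DS both set) also returns False here, which is correct: that referral must instead carry a DS RRset and is not an "unsigned subzone" case.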
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
