Mats Dufberg wrote on 2021-12-09 09:16:
...
;; ANSWER SECTION:
x.lindforslaw.se. 3600 IN A 194.9.94.86
x.lindforslaw.se. 3600 IN A 194.9.94.85
x.lindforslaw.se. 3600 IN RRSIG A 8 2 3600 (...)
When data comes from a signed zone, then if the resolver can validate
the response, it should set the AD flag, else return a SERVFAIL. Does
anyone disagree? Does anyone have an explanation to the behavior?
...
the response seen from that authority via dig +trace +dnssec is "odd".
x.lindforslaw.se. 3600 IN A 194.9.94.85
x.lindforslaw.se. 3600 IN RRSIG A 8 2 3600 ...
x.lindforslaw.se. 3600 IN A 194.9.94.86
2c7045fto8aflnjrb560cdu1m30p5re0.lindforslaw.se. 3600 IN NSEC3 1 1 1 AB ...
2c7045fto8aflnjrb560cdu1m30p5re0.lindforslaw.se. 3600 IN RRSIG NSEC3 8 3 3600
...
;; Received 753 bytes from 93.188.0.20#53(ns1.loopia.se) in 156 ms
i can't easily tell whether that RRSIG covers both A records, but its
placement in the response message immediately following the first of the
two A records is suspicious. with qtype ANY this odd placement does not
occur, but with qtype A it does.
the BIND9 resolver in my home does the same (i set DO, it doesn't set
AD, and the rcode is NOERROR.) this seems wrong, though if gdns does the
same thing, it may reflect a loophole in the specification rather than a
bug.
vixie
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop