[dnssec-deployment] some observations about .SE's DNSSEC
Olaf M. Kolkman
olaf at NLnetLabs.nl
Wed Sep 26 05:02:50 EDT 2007
On 26 Sep 2007, at 9:32 AM, Mark Andrews wrote:
>
>> On 26 Sep 2007, at 00.12, <Mats.Dufberg at teliasonera.com> wrote:
>>
>>> Crappy or not, we have also discovered that Bind 9.4.1-P1 (which is the
>>> most recent version of Bind) does not follow the standards correctly. It
>>> returns the ad flag set even if the do flag was not set in the query.
>>> And it was the ad flag that the broadband routers reacted against. Bind
>>> 9.3 does not seem to have that error.
>>
>> RFC 3655 (November 2003) states:
>>
>> "The AD bit MUST only be set if DNSSEC records have been requested via
>> the DO bit [RFC3225] and relevant SIG records are returned."
>>
>> so BIND 9.4 is obviously doing the wrong thing here.
>
> No. It's just in a slight time warp :-)
>
> AD w/o DO was legal at one point. This makes those routers
> broken as well.
Yep... they are broken as well. On the other hand firewalls and NAT
boxes are known not to be very strict with the "receive" bit of the
robustness principle.
Let us assume for a moment that this needs fixing in order to help
the first serious DNSSEC deployment and not have that deployment die
a silent death. Then I think it is fair to ask: what is the cheapest
way to actually fix some of the brokenness and make this work again:
upgrade a handful of DNSSEC-enabled servers, or try to roll out new
firmware to those little boxes at the customers?
This also seems an issue that needs documentation in
draft-ietf-dnsext-dnssec-bis-updates (as an implementation experience).
--Olaf
-----------------------------------------------------------
Olaf M. Kolkman
NLnet Labs
http://www.nlnetlabs.nl/
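The RFC 3655 rule quoted in the thread, as an added example that is not part of this message or of BIND: a checker that flags a response carrying the AD bit when the query had no EDNS0 OPT record with DO set, which is the 9.4.1-P1 behaviour Mats reported. It covers only the DO half of the rule (not whether RRSIGs were returned), and the query and response messages are constructed inline for the test.

```python
import struct

AD_FLAG = 0x0020   # AD bit in the DNS header flags word
DO_BIT = 0x8000    # DO bit: top bit of the OPT RR's 32-bit TTL field (RFC 3225)
OPT = 41           # RR type of the EDNS0 OPT pseudo-record

def skip_name(msg, off):
    """Return the offset just past the wire-format name that starts at off."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes end the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length

def do_bit_set(msg):
    """True if msg carries an OPT RR with DO set, i.e. the sender asked for DNSSEC."""
    qd, an, ns, ar = struct.unpack_from("!HHHH", msg, 4)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4   # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        if rtype == OPT:
            return bool(ttl & DO_BIT)
        off += 10 + rdlen               # fixed RR fields + RDATA
    return False

def ad_without_do(query, response):
    """RFC 3655 violation: AD set in the response although the query did not set DO."""
    flags = struct.unpack_from("!H", response, 2)[0]
    return bool(flags & AD_FLAG) and not do_bit_set(query)

def build_query(name, do):
    """Constructed sample: an A/IN query for name, with an OPT RR only when do is True."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1 if do else 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    opt = struct.pack("!BHHIH", 0, OPT, 4096, DO_BIT, 0) if do else b""
    return hdr + qname + struct.pack("!HH", 1, 1) + opt

def build_response(query, ad):
    """Constructed sample: echo the query back as a response, optionally with AD set."""
    flags = 0x8180 | (AD_FLAG if ad else 0)   # QR, RD, RA (+ AD)
    return query[:2] + struct.pack("!H", flags) + query[4:]
```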