[dnssec-deployment] some observations about .SE's DNSSEC

Mark Andrews Mark_Andrews at isc.org
Wed Sep 26 18:41:29 EDT 2007


> On 26Sep 2007, at 9:32 AM, Mark Andrews wrote:
> 
> >
> >> On 26 sep 2007, at 00.12, <Mats.Dufberg at teliasonera.com> wrote:
> >>
> >>> Crappy or not, we have also discovered that Bind 9.4.1-P1 (which is
> >>> the
> >>> most recent version of Bind) does not follow the standards
> >>> correctly. It
> >>> returns the ad flag set even if the do flag was not set in the  
> >>> query.
> >>> And it was the ad flag that the broadband routers reacted against.
> >>> Bind
> >>> 9.3 does not seem to have that error.
> >>
> >> RFC 3655 (november 2003) states:
> >>
> >>   "The AD bit MUST only be set if DNSSEC records have been  
> >> requested via
> >>    the DO bit [RFC3225] and relevant SIG records are returned."
> >>
> >> so BIND 9.4 is obviously doing the wrong thing here.
> >
> > 	No.  It's just in a slight time warp :-)
> >
> > 	AD w/o DO was legal at one point.  This make those routers
> > 	broken as well.
> 
> Yep... they are broken as well. On the other hand firewalls and NAT  
> boxes are known not to be very strict with the  "receive" bit of the  
> robustness principle.
> 
> Let us assume for a moment that this needs fixing in order to help  
> the first serious DNSSEC deployment and not have that deployment die  
> a silent dead.  Then I think it is fair to ask: What is the cheapest  
> way to actually fix some of the brokenness and make this work again:  
> Upgrade a handful of DNSSEC enabled servers or try to roll out new  
> firmware to those little boxes at the customers?
> 
> This also seems an issue that needs documentation in draft-ietf- 
> dnsext-dnssec-bis-updates (as an implementation experience).
> 
> 
> --Olaf
> 
> -----------------------------------------------------------
> Olaf M. Kolkman
> NLnet Labs
> http://www.nlnetlabs.nl/

	Named has been brought into compliance with the latest spec.
	However there is still the need to be able to send AD w/o all
	the rest of the DNSSEC records.  AD is there for clients that
	don't want to do full DNSSEC processing.

	As AD is only supposed to be used where you trust the server
	could we use AD itself to signal that we want AD to be set in
	the response when DO is not set.

	If (AD or DO) then set AD in response if appropriate.

	Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org