[dnssec-deployment] DNSSEC deployment hurdles
Mark Andrews
marka at isc.org
Sun Aug 30 21:33:18 EDT 2009
In message <list-17987256 at execdsl.com>, Paul Wouters writes:
> On Sun, 30 Aug 2009, bert hubert wrote:
>
> > It turns out that BIND, which is reputed to use 'do=1' queries, and
> > should thus expose these problems, actually drops EDNS (and with it
> > the do bit) on timeouts.
>
> I hope it is more subtle than that, because else bind would be vulnerable
> to a very easy bid-down attack from dnssec to non-dnssec.
If named is validating then unsigned answers are rejected if they
should be signed.
There are much easier ways to make named send plain DNS queries
than blocking all EDNS responses. A FORMERR / SERVFAIL response
will trigger a fallback to plain DNS. You still need to match the
qid and port to have the FORMERR / SERVFAIL response accepted.
> I assume it only does this when it is aware there is no signed parent or DLV
> or when dnssec validation has not been enabled through the configuration file.
> (though i think in the latter case it also no longer sets do=1)
Unless the QNAME matches a trust anchor's name, or you have explicitly
stated that part of the namespace is secure, you can't know if the
answer to a particular query should be signed or not without rummaging
around in the cache and doing a partial validation looking for the
secure to insecure transition, if you have that information in the
cache in the first place due to asking for data at or below the
QNAME before. As the validator does that as part of the validation
process the resolver just looks at the responses it gets to its
queries and works off them.
> Paul
>
> #############################################################
> This message is sent to you because you are subscribed to
> the mailing list <dnssec-deployment at shinkuro.com>.
> To unsubscribe, E-mail to: <dnssec-deployment-off at shinkuro.com>
> A public archive is available here: <http://mail.shinkuro.com:8100/Lists/dnssec-deployment/>
> and older material is at
> <http://mail.shinkuro.com:8100/Lists/dnssec-deployment-archive/>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
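The resolver/validator split described above, as an added example that is not BIND's code: a small Python model in which the validator decides from cached delegation data (DS present, DS proven absent, or not a zone cut) whether an answer for a QNAME must be signed, rejects unsigned answers where it must be, and the resolver falls back to plain DNS only on FORMERR, SERVFAIL or timeout, and only for a response whose qid and port match. Trust anchors and cache contents are constructed.

```python
# Added example: model of the behaviour discussed in the thread, not BIND code.
SECURE, INSECURE, UNKNOWN = "secure", "insecure", "unknown"

def _ancestors(name):
    # "www.example.com." -> ["com.", "example.com.", "www.example.com."]
    parts = [p for p in name.lower().rstrip(".").split(".") if p]
    return [".".join(parts[i:]) + "." for i in range(len(parts) - 1, -1, -1)]

def expected_signed(qname, trust_anchors, ds_cache):
    """Partial validation from cached delegation knowledge only.
    ds_cache (constructed): name -> "ds" (secure delegation),
    "nods" (NSEC/NSEC3 proved no DS: secure->insecure transition) or
    "nocut" (same zone as parent). A missing name means the resolver has
    never asked at or below it, so the answer is UNKNOWN."""
    chain = ["."] + _ancestors(qname)
    start = None
    for i, zone in enumerate(chain):       # closest enclosing trust anchor
        if zone in trust_anchors:
            start = i
    if start is None:
        return UNKNOWN
    for zone in chain[start + 1:]:
        state = ds_cache.get(zone)
        if state is None:
            return UNKNOWN                 # would need a DS query first
        if state == "nods":
            return INSECURE                # insecure delegation below here
    return SECURE

def accept_answer(validating, expectation, answer_signed):
    """Validator rule: when validating, an unsigned answer is rejected if
    the cache proves the name should be signed. UNKNOWN is left undecided
    (None): the validator has to fetch the missing DS/NSEC data first."""
    if not validating:
        return True
    if expectation == UNKNOWN:
        return None
    return answer_signed or expectation == INSECURE

def fallback_to_plain_dns(rcode, q_qid, q_port, r_qid, r_port):
    """Resolver rule: a FORMERR or SERVFAIL (or a timeout, rcode None)
    triggers a retry without EDNS, but a response is only looked at when
    its qid and port match the outstanding query."""
    if rcode is not None and (r_qid != q_qid or r_port != q_port):
        return False                       # mismatched response is ignored
    return rcode in (None, "FORMERR", "SERVFAIL")
```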