[Dnssec-deployment] Fun and sun with DNSSEC in Honduras

Casey Deccio casey at deccio.net
Wed Jun 22 19:37:06 EDT 2011


On Wed, Jun 22, 2011 at 3:17 PM, Bill Owens <owens at nysernet.org> wrote:

> Second, does it make any sense for the auth server to return an answer for
> "org.hn. DS" from within org.hn, when it's auth for both hn and org.hn? I
> tried to simulate this configuration (signed parent, unsigned child on the
> same server) and I can't make my server produce these kinds of results.
>
>
This is incorrect behavior; DS RRs only belong in the parent zone.
Interestingly, the responses are inconsistent.  When queried for com.hn/DS,
the following seem to consistently respond from the hn authority (parent)
and provide NSEC3 RRs and RRSIGs:
tld2.rds.org.hn.
tld1.rds.org.hn.

These consistently respond from the com.hn authority (child) and provide no
NSEC3 RRs (or RRSIGs):
b2.cctld.afilias-nst.org.
a2.cctld.afilias-nst.info.

And these three respond inconsistently, going back and forth:
d0.cctld.afilias-nst.org.
a0.cctld.afilias-nst.info.
c0.cctld.afilias-nst.info.

For example:

$ dig @c0.cctld.afilias-nst.info. com.hn. ds

; <<>> DiG 9.7.3 <<>> @c0.cctld.afilias-nst.info. com.hn. ds
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60758
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;com.hn.                IN    DS

;; AUTHORITY SECTION:
hn.            900    IN    SOA    a0.cctld.afilias-nst.info. noc.afilias-nst.info. 2008078375 1800 900 604800 86400

;; Query time: 69 msec
;; SERVER: 199.254.61.1#53(199.254.61.1)
;; WHEN: Wed Jun 22 16:23:49 2011
;; MSG SIZE  rcvd: 89

$ dig @c0.cctld.afilias-nst.info. com.hn. ds

; <<>> DiG 9.7.3 <<>> @c0.cctld.afilias-nst.info. com.hn. ds
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32745
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;com.hn.                IN    DS

;; AUTHORITY SECTION:
com.hn.            900    IN    SOA    a0.cctld.afilias-nst.info. noc.afilias-nst.info. 2008063921 1800 900 604800 86400

;; Query time: 68 msec
;; SERVER: 199.254.61.1#53(199.254.61.1)
;; WHEN: Wed Jun 22 16:23:50 2011
;; MSG SIZE  rcvd: 89

Casey
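
The check described in the message above, as an added example that is not part of the original post: it reads dig output for a DS query and reports whether the empty answer came from the parent or the child zone, judged by the SOA owner name in the AUTHORITY section. The function names parse_dig and ds_answer_side are hypothetical; the two sample inputs are copied from the dig responses in the message.

```python
import re

# AUTHORITY sections copied from the two dig responses in the message above.
FROM_PARENT = """\
;; QUESTION SECTION:
;com.hn.                IN    DS

;; AUTHORITY SECTION:
hn.            900    IN    SOA    a0.cctld.afilias-nst.info.
noc.afilias-nst.info. 2008078375 1800 900 604800 86400
"""
FROM_CHILD = """\
;; QUESTION SECTION:
;com.hn.                IN    DS

;; AUTHORITY SECTION:
com.hn.            900    IN    SOA    a0.cctld.afilias-nst.info.
noc.afilias-nst.info. 2008063921 1800 900 604800 86400
"""

def parse_dig(text):
    """Return (qname, qtype, [(owner, rrtype), ...]) with the AUTHORITY records."""
    qname = qtype = section = None
    authority = []
    for line in text.splitlines():
        header = re.match(r";; (\w+) SECTION:", line)
        fields = line.split()
        if header:
            section = header.group(1)
        elif not fields:
            section = None  # a blank line ends the current section
        elif section == "QUESTION" and line.startswith(";"):
            qname, qtype = fields[0].lstrip(";").lower(), fields[-1].upper()
        elif section == "AUTHORITY" and len(fields) > 3 and fields[2].upper() == "IN":
            # The class check skips rdata that mail wrapping pushed onto its own line.
            authority.append((fields[0].lower(), fields[3].upper()))
    return qname, qtype, authority

def ds_answer_side(text):
    """Return (side, signed): which zone answered, and whether NSEC/NSEC3/RRSIG came back."""
    qname, qtype, authority = parse_dig(text)
    if qtype != "DS":
        raise ValueError("expected dig output for a DS query")
    soa = [owner for owner, rrtype in authority if rrtype == "SOA"]
    signed = any(rrtype in ("NSEC", "NSEC3", "RRSIG") for _, rrtype in authority)
    if soa and soa[0] == qname:
        return "child", signed   # SOA owner is the queried name: answered from the child zone
    if soa and (soa[0] == "." or qname.endswith("." + soa[0])):
        return "parent", signed  # SOA owner is an ancestor: answered from the parent zone
    return "unknown", signed
```

Running it against each listed name server several times and comparing the results exposes servers that flip between "parent" and "child" for the same query.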