[Dnssec-deployment] Fun and sun with DNSSEC in Honduras

Matthew Pounsett mpounsett at afilias.info
Wed Jun 22 23:16:10 EDT 2011


On Wed, Jun 22, 2011 at 10:35 PM, Bill Owens <owens at nysernet.org> wrote:

> Hmm, you're saying that the actual zone for hn contains no NS records for
> org.hn, but that the setup worked anyway because the same servers were
> authoritative for both hn and org.hn, and they served the child NS
> records? I just tried setting that up with BIND, and it does indeed work, at
> least with a non-validating resolver. I don't think I'll make a habit of it
> though ;)
>

That's right.  Inexperienced DNS admins have been accidentally making use of
that feature of the resolution algorithms forever.  The algorithm causes the
auth server to answer from the most closely matching zone it has to the
query name.  The fact that it breaks once you sign the zones in question is
a surprise to some people, I'm sure.


> So you're saying that this is the opposite of what I was thinking. The
> problem isn't that my validating resolver is *not* getting NSEC3 records for
> org.hn from some of the auth servers; rather, it is unhappy about
> *getting* NSEC3 records that indicate there are no RRs for org.hn. Which
> seems. . . really odd on its own, because how would the auth server know to
> generate an NSEC3 for org.hn when there are no RRsets for org.hn in the
> zone? And yet, there it is:
>

That's exactly what NSEC3 is... it indicates the absence of the requested
records.  The authoritative server knows to generate NSEC3 records because
there are no NS records (or any records at all) for org.hn. in the hn. zone.
What's probably confusing is that, because of the 'most closely matching
zone' rule, sometimes your manual tests get you an answer from hn., which is
signed and generates NSEC3 records, and sometimes get you an answer from
org.hn., which is not signed and therefore has no NSEC3.  Which you get
depends on the query you send, and which DNS implementation you happen to
get your answer from.

> But now that you've answered this one, I don't suppose you'd like to take a
> look at my theories about what's going on with .me? ;)


I don't believe I've seen that, but I'll go have a look at list history.
Perhaps I missed it.
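An added example, not code from this thread or from any of the posters' systems, modelling the two behaviours described above: the auth server answering from the most closely matching zone it hosts (with a DS query special-cased to the parent side of the cut), and a signed zone answering with an NSEC3 denial for a name it does not hold. The hn. and org.hn. zone contents, the NSEC3 salt and the iteration count are constructed assumptions, and only one NSEC3 RR of the full denial proof is modelled.

```python
import base64
import hashlib

# Constructed zone data, not real hn. contents: one auth server hosts the signed
# parent hn. (no NS/DS for org.hn., one proper delegation com.hn.) and the child.
ZONES = {
    "hn.": {"signed": True, "salt": "aabbccdd", "iterations": 12,
            "names": {"hn.": {"SOA", "NS", "DNSKEY"}, "com.hn.": {"NS", "DS"}}},
    "org.hn.": {"signed": False,
                "names": {"org.hn.": {"SOA", "NS"}, "www.org.hn.": {"A"}}},
}
_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                        "0123456789abcdefghijklmnopqrstuv")

def to_wire(name):
    """Canonical lowercase wire form of a fully qualified name."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 section 5: SHA-1 of (x || salt), iterated, as a base32hex label."""
    salt = bytes.fromhex(salt_hex)
    digest = to_wire(name)
    for _ in range(iterations + 1):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32HEX)

def closest_zone(qname, qtype):
    """Longest-suffix match among hosted zones; a DS query is answered from the
    parent side of the cut (RFC 4035 3.1.4.1), so the child apex is skipped."""
    cands = [z for z in ZONES if qname == z or qname.endswith("." + z)]
    if qtype == "DS":
        cands = [z for z in cands if z != qname]
    return max(cands, key=len)

def answer(qname, qtype):
    """Minimal response: a signed zone that lacks the name attaches the NSEC3
    hash of qname (only one RR of the full denial proof is modelled)."""
    zone = closest_zone(qname, qtype)
    z = ZONES[zone]
    types = z["names"].get(qname, set())
    resp = {"zone": zone, "signed": z["signed"]}
    if qtype in types:
        resp.update(rcode="NOERROR", answer="%s %s" % (qname, qtype))
        return resp
    resp["rcode"] = "NOERROR" if types else "NXDOMAIN"
    if z["signed"]:
        resp["nsec3"] = nsec3_hash(qname, z["salt"], z["iterations"])
    return resp
```

Querying org.hn. for NS lands in the unsigned child and returns its NS set, while the validator's DS query for the same name lands in the signed parent, which has no such name and proves that with NSEC3; that is the contradiction the thread describes.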