Re: [Cerowrt-devel] [Dnsmasq-discuss] Problems with DNSsec on Comcast, with Cero 3.10.38-1/DNSmasq 4-26-2014

Development issues regarding the cerowrt test router project
 help / color / mirror / Atom feed

From: Phil Pennock <cerowrt-devel+phil@spodhuis.org>
To: Simon Kelley <simon@thekelleys.org.uk>
Cc: dnsmasq-discuss <Dnsmasq-discuss@lists.thekelleys.org.uk>,
	"cerowrt-devel@lists.bufferbloat.net"
	<cerowrt-devel@lists.bufferbloat.net>
Subject: Re: [Cerowrt-devel] [Dnsmasq-discuss] Problems with DNSsec on Comcast, with Cero 3.10.38-1/DNSmasq 4-26-2014
Date: Mon, 28 Apr 2014 19:24:59 -0400	[thread overview]
Message-ID: <20140428232459.GA55372@redoubt.spodhuis.org> (raw)
In-Reply-To: <535EACCB.7090104@thekelleys.org.uk>

On 2014-04-28 at 20:32 +0100, Simon Kelley wrote:
> On 28/04/14 19:56, Dave Taht wrote:
> > I see A and AAAA requests for for "ds.test-ipv6.com" that fail.
> 
> The root of this failure is that DS ds.test-ipv6.com is broken.
> 
>  <<>> DiG 9.8.1-P1 <<>> @8.8.8.8 ds ds.test-ipv6.com

> The latest fix I made (when the SERVFAIL reply comes, try the next
> possible secure-nonexistent DS record at test-ipv6.com) works sometimes,
> but the query above is taking long enough to fail that sometimes the
> original requestor has timed out before it gets the answer and tries again.

Er, DS records are authoritative in the parent domain and are equivalent
to glue; they are not expected to exist below the zone cut.

This is why you'll get results from:

    $ dig -t ds spodhuis.org @a2.org.afilias-nst.info

but a NOERROR from:

    $ dig -t ds spodhuis.org @nsauth.spodhuis.org

An NS query for "ds.test-ipv6.com" gives "test-ipv6.com", so that is the
zone cut, so it's in the COM. zone that you should expect to find any DS
records for "test-ipv6.com" and there's no need for a DS for anything
below that unless there's also a zone cut, in which case there's a DS at
the delegation point.

RFC 4033:
----------------------------8< cut here >8------------------------------
3.1.  Data Origin Authentication and Data Integrity
[...]
   The Delegation Signer (DS) RR type simplifies some of the
   administrative tasks involved in signing delegations across
   organizational boundaries.  The DS RRset resides at a delegation
   point in a parent zone and indicates the public key(s) corresponding
   to the private key(s) used to self-sign the DNSKEY RRset at the
   delegated child zone's apex.  The administrator of the child zone, in
   turn, uses the private key(s) corresponding to one or more of the
   public keys in this DNSKEY RRset to sign the child zone's data.  The
   typical authentication chain is therefore
   DNSKEY->[DS->DNSKEY]*->RRset, where "*" denotes zero or more
   DS->DNSKEY subchains.  DNSSEC permits more complex authentication
   chains, such as additional layers of DNSKEY RRs signing other DNSKEY
   RRs within a zone.
----------------------------8< cut here >8------------------------------

next prev parent reply	other threads:[~2014-04-28 23:25 UTC|newest]

Thread overview: 29+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-04-28 16:55 [Cerowrt-devel] " Jim Gettys
2014-04-28 17:03 ` Dave Taht
2014-04-28 18:37   ` Dave Taht
2014-04-28 18:56     ` Dave Taht
2014-04-28 19:32       ` [Cerowrt-devel] [Dnsmasq-discuss] " Simon Kelley
2014-04-28 19:45         ` Aaron Wood
2014-04-28 23:24         ` Phil Pennock [this message]
2014-04-29 13:22           ` Simon Kelley
2014-04-29 20:57             ` Phil Pennock
2014-04-30 17:26               ` Dave Taht
2014-05-01 18:37                 ` Simon Kelley
2014-05-01 20:26                   ` Rich Brown
2014-05-01 22:27                     ` Dave Taht
2014-05-02 14:30                       ` Sebastian Moeller
2014-05-01 18:35               ` Simon Kelley
2014-05-02 16:40                 ` James Cloos
2014-10-03  9:28             ` [Cerowrt-devel] " Anders Kaseorg
2014-10-03 17:28               ` Valdis.Kletnieks
2014-10-03 21:35                 ` Anders Kaseorg
2014-10-04 21:45               ` Anders Kaseorg
2015-01-08 16:34                 ` Simon Kelley
2015-01-08 17:44                   ` Dave Taht
2015-01-08 18:07                     ` Simon Kelley
2015-01-08 19:52                       ` Dave Taht
2015-01-09  8:52                         ` Dave Taht
2015-01-09 15:36                           ` Simon Kelley
2015-01-09 16:49                           ` Simon Kelley
2015-01-09 21:34                             ` Dave Taht
2015-01-10 15:37                               ` Simon Kelley

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://lists.bufferbloat.net/postorius/lists/cerowrt-devel.lists.bufferbloat.net/

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20140428232459.GA55372@redoubt.spodhuis.org \
    --to=cerowrt-devel+phil@spodhuis.org \
    --cc=Dnsmasq-discuss@lists.thekelleys.org.uk \
    --cc=cerowrt-devel@lists.bufferbloat.net \
    --cc=simon@thekelleys.org.uk \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox