From: Phil Pennock <cerowrt-devel+phil@spodhuis.org>
To: Simon Kelley <simon@thekelleys.org.uk>
Cc: dnsmasq-discuss <Dnsmasq-discuss@lists.thekelleys.org.uk>,
"cerowrt-devel@lists.bufferbloat.net"
<cerowrt-devel@lists.bufferbloat.net>
Subject: Re: [Cerowrt-devel] [Dnsmasq-discuss] Problems with DNSsec on Comcast, with Cero 3.10.38-1/DNSmasq 4-26-2014
Date: Mon, 28 Apr 2014 19:24:59 -0400 [thread overview]
Message-ID: <20140428232459.GA55372@redoubt.spodhuis.org> (raw)
In-Reply-To: <535EACCB.7090104@thekelleys.org.uk>
On 2014-04-28 at 20:32 +0100, Simon Kelley wrote:
> On 28/04/14 19:56, Dave Taht wrote:
> > I see A and AAAA requests for for "ds.test-ipv6.com" that fail.
>
> The root of this failure is that DS ds.test-ipv6.com is broken.
>
> <<>> DiG 9.8.1-P1 <<>> @8.8.8.8 ds ds.test-ipv6.com
> The latest fix I made (when the SERVFAIL reply comes, try the next
> possible secure-nonexistent DS record at test-ipv6.com) works sometimes,
> but the query above is taking long enough to fail that sometimes the
> original requestor has timed out before it gets the answer and tries again.
Er, DS records are authoritative in the parent domain and are equivalent
to glue; they are not expected to exist below the zone cut.
This is why you'll get results from:
$ dig -t ds spodhuis.org @a2.org.afilias-nst.info
but a NOERROR from:
$ dig -t ds spodhuis.org @nsauth.spodhuis.org
An NS query for "ds.test-ipv6.com" gives "test-ipv6.com", so that is the
zone cut, so it's in the COM. zone that you should expect to find any DS
records for "test-ipv6.com" and there's no need for a DS for anything
below that unless there's also a zone cut, in which case there's a DS at
the delegation point.
RFC 4033:
----------------------------8< cut here >8------------------------------
3.1. Data Origin Authentication and Data Integrity
[...]
The Delegation Signer (DS) RR type simplifies some of the
administrative tasks involved in signing delegations across
organizational boundaries. The DS RRset resides at a delegation
point in a parent zone and indicates the public key(s) corresponding
to the private key(s) used to self-sign the DNSKEY RRset at the
delegated child zone's apex. The administrator of the child zone, in
turn, uses the private key(s) corresponding to one or more of the
public keys in this DNSKEY RRset to sign the child zone's data. The
typical authentication chain is therefore
DNSKEY->[DS->DNSKEY]*->RRset, where "*" denotes zero or more
DS->DNSKEY subchains. DNSSEC permits more complex authentication
chains, such as additional layers of DNSKEY RRs signing other DNSKEY
RRs within a zone.
----------------------------8< cut here >8------------------------------
next prev parent reply other threads:[~2014-04-28 23:25 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-04-28 16:55 [Cerowrt-devel] " Jim Gettys
2014-04-28 17:03 ` Dave Taht
2014-04-28 18:37 ` Dave Taht
2014-04-28 18:56 ` Dave Taht
2014-04-28 19:32 ` [Cerowrt-devel] [Dnsmasq-discuss] " Simon Kelley
2014-04-28 19:45 ` Aaron Wood
2014-04-28 23:24 ` Phil Pennock [this message]
2014-04-29 13:22 ` Simon Kelley
2014-04-29 20:57 ` Phil Pennock
2014-04-30 17:26 ` Dave Taht
2014-05-01 18:37 ` Simon Kelley
2014-05-01 20:26 ` Rich Brown
2014-05-01 22:27 ` Dave Taht
2014-05-02 14:30 ` Sebastian Moeller
2014-05-01 18:35 ` Simon Kelley
2014-05-02 16:40 ` James Cloos
2014-10-03 9:28 ` [Cerowrt-devel] " Anders Kaseorg
2014-10-03 17:28 ` Valdis.Kletnieks
2014-10-03 21:35 ` Anders Kaseorg
2014-10-04 21:45 ` Anders Kaseorg
2015-01-08 16:34 ` Simon Kelley
2015-01-08 17:44 ` Dave Taht
2015-01-08 18:07 ` Simon Kelley
2015-01-08 19:52 ` Dave Taht
2015-01-09 8:52 ` Dave Taht
2015-01-09 15:36 ` Simon Kelley
2015-01-09 16:49 ` Simon Kelley
2015-01-09 21:34 ` Dave Taht
2015-01-10 15:37 ` Simon Kelley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://lists.bufferbloat.net/postorius/lists/cerowrt-devel.lists.bufferbloat.net/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140428232459.GA55372@redoubt.spodhuis.org \
--to=cerowrt-devel+phil@spodhuis.org \
--cc=Dnsmasq-discuss@lists.thekelleys.org.uk \
--cc=cerowrt-devel@lists.bufferbloat.net \
--cc=simon@thekelleys.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox