[Cerowrt-devel] Problems with DNSsec on Comcast, with Cero 3.10.38-1/DNSmasq 4-26-2014
Anders Kaseorg
andersk at mit.edu
Sat Oct 4 17:45:46 EDT 2014
On Fri, 3 Oct 2014, Anders Kaseorg wrote:
> > secure no DS means that the original unsigned answer should be
> > accepted, except that it shouldn't. There's no way to distinguish
> > between secure lack of DS because we've reached an unsigned branch of
> > the tree, and secure lack of DS because we're not at a zone cut,
> > except if we know where the zone cuts are, and we don't.
>
> Having just looked through RFC 5155 for clues: isn’t that the purpose of
> the NS type bit in the NSEC3 record? In this example, DS university
> would give an NSEC3 record with the NS bit clear. That signals that we
> should go down a level and query DS campus. In this case we find a
> signed DS there. But if we were to find an NSEC3 with the NS bit set,
> then we’d know that we’ve really found an unsigned zone and can stop
> going down.
Aha: and this is exactly the answer given at
http://tools.ietf.org/html/rfc6840#section-4.4 .
Anders
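The decision the thread converges on (RFC 4035 section 5.2 together with RFC 6840 section 4.4) can be written down as a small validator step: a secure NODATA answer to a DS query proves an unsigned delegation only when the proving NSEC3's type bitmap has the NS bit set and both the DS and SOA bits clear; with the NS bit clear the name is not a zone cut and the walk continues one label down. The following Python is an added example, not code from this thread or from dnsmasq or CeroWrt. The zone tree, the DS answers and the `lookup_ds` callback are constructed for the example; real NSEC3 matching (hashing the owner name, checking the RRSIG, closest-encloser logic) is assumed to have already happened before `classify_nodata_ds` is called.

```python
"""Interpreting a secure 'no DS' answer while walking a DNSSEC chain.

Added example, not from the mailing-list thread or from dnsmasq/CeroWrt.
Rule (RFC 4035 5.2, RFC 6840 4.4): a NODATA answer to a DS query is a proof
of an insecure delegation only if the NSEC/NSEC3 type bitmap has NS set and
DS and SOA clear. NS clear means "not a zone cut", so keep descending.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, FrozenSet, List, Tuple


class Step(Enum):
    SECURE_DS = "signed DS found: child zone is secure, keep validating"
    NOT_ZONE_CUT = "NSEC3 without NS: not a delegation, descend one label"
    INSECURE_DELEGATION = "NSEC3 with NS, no DS, no SOA: unsigned child, stop"
    BOGUS = "proof violates RFC 4035 5.2 / RFC 6840 4.4: treat as bogus"


@dataclass(frozen=True)
class DsAnswer:
    """Simplified model of an already-validated answer to a DS query."""
    has_ds: bool                                # a signed DS RRset was returned
    nsec3_types: FrozenSet[str] = frozenset()   # type bitmap of the NSEC3 proving NODATA


def classify_nodata_ds(types: FrozenSet[str]) -> Step:
    """Interpret the type bitmap of the NSEC3 that proves 'no DS' at a name."""
    if "DS" in types:
        return Step.BOGUS   # bitmap claims a DS exists, yet none was returned
    if "SOA" in types:
        return Step.BOGUS   # apex record of the child, not the parent's proof
    if "NS" in types:
        return Step.INSECURE_DELEGATION
    return Step.NOT_ZONE_CUT


def walk_chain(target: str, anchor: str,
               lookup_ds: Callable[[str], DsAnswer]) -> Tuple[str, List[Tuple[str, Step]]]:
    """Descend from a trust anchor toward target, querying DS one label at a time.

    Returns ('secure' | 'insecure' | 'bogus', trace of (name, Step)).
    Names are absolute, dot-terminated and lower-case.
    """
    if not (target == anchor or target.endswith("." + anchor)):
        raise ValueError(f"{target} is not under trust anchor {anchor}")
    rel = target[: -len(anchor)].rstrip(".")
    labels = rel.split(".") if rel else []
    trace: List[Tuple[str, Step]] = []
    current = anchor
    for label in reversed(labels):          # add one label per step, top down
        current = f"{label}.{current}"
        answer = lookup_ds(current)
        step = Step.SECURE_DS if answer.has_ds else classify_nodata_ds(answer.nsec3_types)
        trace.append((current, step))
        if step is Step.INSECURE_DELEGATION:
            return "insecure", trace        # unsigned branch reached: nothing below is signed
        if step is Step.BOGUS:
            return "bogus", trace
    return "secure", trace


# Constructed answers mirroring the thread's example: 'university' is an ordinary
# name inside the signed parent, 'campus' is a signed zone cut, 'lab' is an
# unsigned zone cut below it, 'www' is a plain name inside the signed campus zone.
CONSTRUCTED_ANSWERS = {
    "university.example.": DsAnswer(False, frozenset({"A", "RRSIG"})),
    "campus.university.example.": DsAnswer(True),
    "lab.campus.university.example.": DsAnswer(False, frozenset({"NS"})),
    "www.campus.university.example.": DsAnswer(False, frozenset({"A", "RRSIG"})),
}


def constructed_lookup(name: str) -> DsAnswer:
    """Stand-in for a DS query plus validation against the constructed tree."""
    return CONSTRUCTED_ANSWERS[name]


if __name__ == "__main__":
    for name in ("host.lab.campus.university.example.", "www.campus.university.example."):
        status, trace = walk_chain(name, "example.", constructed_lookup)
        print(name, "->", status)
        for step_name, step in trace:
            print("   ", step_name, ":", step.value)
```

The walk stops as soon as an insecure delegation is proven, which is the point of the NS bit: without it a validator cannot tell "secure no DS because this is an unsigned zone" from "secure no DS because this name is not a zone cut", and would either keep descending forever or wrongly accept the unsigned answer one level too early.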