
List:       dns-operations
Subject:    [dns-operations] unbound-bind chain causing validation failures on synthesized records
From:       Andrew Sullivan <ajs@anvilwalrusden.com>
Date:       2012-07-10 11:21:29
Message-ID: <20120710112129.GD79014@mail.yitter.info>

On Tue, Jul 10, 2012 at 10:21:59AM +1000, Mark Andrews wrote:

> CD=1 in Section 5.9 of draft-ietf-dnsext-dnssec-bis-updates.  Making
> CD=0 queries forces the recursive server to try multiple authoritative
> servers until it gets an answer which validates or it exhausts the
> available authoritative servers and retries.

I think your analysis shows that there is a possible issue here, but
it seems to me this could be corrected just as well if the validating
recursive server validates anyway on CD=1, and tries an additional
authoritative server until it gets the answer that validates; however,
if it exhausts them and can't validate, then instead of failing it
passes on the answer it got.  (As an optimization for speed: it passes
on the first answer it got, whatever the validation state, but then
proceeds with its own validation attempts before filling its cache.)
As near as I can tell, this way of proceeding is still perfectly
compliant.  CD=1 can't override local policy at the recursive
resolver; it can only direct the server about how to respond in case
of validation failure.

Best,

A

-- 
Andrew Sullivan
ajs at anvilwalrusden.com
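The behaviour Andrew describes, as an added toy model that is not code from the thread or from any real resolver: the validating recursive server tries each authoritative server in turn and validates regardless of the CD bit; with CD=0 exhaustion yields SERVFAIL, with CD=1 it passes on the answer it got (AD clear) instead of failing, and only validated data is ever cached. The `Answer.rrsig_ok` field, the server lists and the query name are constructed stand-ins for real DNSSEC validation and real authoritative responses; `validate_on_cd=False` models the alternative of skipping validation entirely on CD=1, for contrast.

```python
"""Toy model of CD-bit handling at a validating recursive resolver.

Added example, not code from the thread or from any resolver implementation.
Authoritative servers are modelled as a constructed list of the Answer each
one would return; `rrsig_ok` stands in for "the RRSIG chain validates",
which a real resolver would have to check cryptographically.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Answer:
    rdata: str
    rrsig_ok: bool  # constructed stand-in for a successful DNSSEC validation


@dataclass
class Response:
    rcode: str             # "NOERROR" or "SERVFAIL"
    rdata: Optional[str]
    ad: bool               # Authenticated Data bit
    servers_tried: int


def validate(ans: Answer) -> bool:
    """Stand-in for DNSSEC validation of one answer."""
    return ans.rrsig_ok


def resolve(servers, qname, cd, cache, validate_on_cd=True):
    """Query the authoritative servers in order and decide what to return.

    servers:        constructed list of Answer objects, one per server
    qname:          name being resolved (used only as the cache key)
    cd:             Checking Disabled bit copied from the client's query
    cache:          dict that receives only answers that validated
    validate_on_cd: True  = validate anyway on CD=1 and, if every server
                            is exhausted, pass on the answer rather than fail
                    False = treat CD=1 as "skip validation, return the first
                            answer" (the alternative, shown for contrast)
    """
    if not servers:
        return Response("SERVFAIL", None, ad=False, servers_tried=0)

    if cd and not validate_on_cd:
        first = servers[0]
        return Response("NOERROR", first.rdata, ad=False, servers_tried=1)

    first = None
    for tried, ans in enumerate(servers, start=1):
        if first is None:
            first = ans
        if validate(ans):
            cache[qname] = ans  # only validated data reaches the cache
            return Response("NOERROR", ans.rdata, ad=True, servers_tried=tried)

    # Every server has been tried and nothing validated.
    if not cd:
        return Response("SERVFAIL", None, ad=False, servers_tried=len(servers))
    # CD=1: hand the client the answer we got, unauthenticated, instead of
    # failing; the cache stays untouched.
    return Response("NOERROR", first.rdata, ad=False, servers_tried=len(servers))


# Constructed scenario: the first authoritative server hands out a record
# that does not validate, the second a good one.
MIXED = [Answer("192.0.2.1", rrsig_ok=False), Answer("192.0.2.2", rrsig_ok=True)]
# Constructed scenario: no server has a validating answer.
ALL_BOGUS = [Answer("192.0.2.1", rrsig_ok=False), Answer("192.0.2.3", rrsig_ok=False)]


if __name__ == "__main__":
    for name, servers in (("mixed", MIXED), ("all bogus", ALL_BOGUS)):
        for cd in (False, True):
            cache = {}
            r = resolve(servers, "www.example.", cd, cache)
            print(f"{name:9} CD={int(cd)} -> {r.rcode} {r.rdata} AD={int(r.ad)} "
                  f"tried={r.servers_tried} cached={bool(cache)}")
```

Running the block prints one line per scenario; the point to look at is the "all bogus" pair: CD=0 ends in SERVFAIL, CD=1 returns the first record with AD=0 and nothing cached, while the "mixed" pair gets the validating second answer whether or not CD is set.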
