List: dns-operations
Subject: [dns-operations] unbound-bind chain causing validation failures on synthesized records
From: ajs () anvilwalrusden ! com (Andrew Sullivan)
Date: 2012-07-10 11:21:29
Message-ID: 20120710112129.GD79014 () mail ! yitter ! info
On Tue, Jul 10, 2012 at 10:21:59AM +1000, Mark Andrews wrote:
> CD=1 in Section 5.9 of draft-ietf-dnsext-dnssec-bis-updates. Making
> CD=0 queries forces the recursive server to try multiple authoritative
> servers until it gets an answer which validates or it exhausts the
> available authoritative servers and retries.
I think your analysis shows that there is a possible issue here, but
it seems to me this could be corrected just as well if the validating
recursive server validates anyway on CD=1, and tries an additional
authoritative server until it gets the answer that validates; however,
if it exhausts them and can't validate, then instead of failing it
passes on the answer it got. (As an optimization for speed: it passes
on the first answer it got, whatever the validation state, but then
proceeds with its own validation attempts before filling its cache.)
As near as I can tell, this way of proceeding is still perfectly
compliant. CD=1 can't override local policy at the recursive
resolver; it can only direct the server about how to respond in case
of validation failure.
Best,
A
--
Andrew Sullivan
ajs at anvilwalrusden.com
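A toy model of the resolver policy Andrew proposes above, added here as an example and not code from the thread or from either resolver: every authoritative server is tried until one answer validates; if none does, a CD=1 query gets the first answer passed through unvalidated (AD clear, nothing cached), while a CD=0 query fails under local policy. DNSSEC validation is stood in for by an HMAC over the RRset with a constructed zone key; the server responses, including a "synthesized" record carrying a signature that does not match its rdata, are constructed inputs.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

# Constructed stand-in for the zone's DNSKEY; a real resolver walks the chain of trust.
ZONE_KEY = b"constructed-zone-key"


def sign(name: str, rdata: str) -> str:
    """Stand-in for an RRSIG: HMAC over owner name and rdata."""
    return hmac.new(ZONE_KEY, f"{name}|{rdata}".encode(), hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class Answer:
    server: str   # which authoritative server produced it (constructed label)
    name: str
    rdata: str
    sig: str      # stand-in for the RRSIG covering this RRset


def validates(a: Answer) -> bool:
    return hmac.compare_digest(a.sig, sign(a.name, a.rdata))


def resolve(responses: Sequence[Answer], cd: bool) -> Optional[Tuple[str, bool]]:
    """Query servers in order. Returns (rdata, validated) or None for SERVFAIL.

    validated=True means the AD bit may be set and the RRset may be cached;
    validated=False is only ever returned for CD=1 and must not be cached.
    """
    first: Optional[Answer] = None
    for a in responses:              # each entry is one authoritative server's reply
        if first is None:
            first = a                # kept for the CD=1 fallback
        if validates(a):
            return a.rdata, True     # a validating answer ends the search
    # All servers exhausted without a validating answer.
    if cd and first is not None:
        return first.rdata, False    # CD=1: pass on what we got, unvalidated
    return None                      # CD=0: local policy fails the query


# Constructed responses: one correct, one "synthesized" (rdata rewritten, stale signature).
GOOD = Answer("ns1", "www.example", "192.0.2.1", sign("www.example", "192.0.2.1"))
SYNTH = Answer("ns2", "www.example", "198.51.100.9", sign("www.example", "192.0.2.1"))
```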