Maintained by: NLnet Labs

[Unbound-users] Should we really validate with a revoked TA

Stephan Lagerholm
Thu Aug 5 01:37:48 CEST 2010


DLV was not used, so it couldn't really be the problem.

Even if it would, the key in DLV (41992) is still active and correct.
The revoked key is 35655 (was 35524 before it got revoked if I do the
math correctly).

I say that the parser is wrong to accept a key with flag 385 at all.

/S
----------------------------------------------------------------------
Stephan Lagerholm
Senior DNS Architect, M.Sc., CISSP
Secure64 Software Corporation, www.secure64.com
Cell: 469-834-3940

> -----Original Message-----
> From: Paul Wouters [mailto:paul at xelerance.com]
> Sent: Wednesday, August 04, 2010 5:23 PM
> To: Stephan Lagerholm
> Cc: unbound-users at unbound.net
> Subject: Re: [Unbound-users] Should we really validate with a revoked TA
> 
> On Wed, 4 Aug 2010, Stephan Lagerholm wrote:
> 
> > Admittedly misconfigured but unbound validates www.secure64.com when a
> > revoked DNSKEY is used as a trust anchor, see attached unbound.conf.
> >
> > Isn't that a violation of 5011 section 2.1?
> >
> > "Once the resolver sees the REVOKE bit, it MUST NOT use this key as a
> > trust anchor or for any other purpose"
> 
> I am not entirely sure how the unbound logic works. But it seems like this
> might be happening because the trust anchor that is revoked (key tag 41992)
> comes in via DLV. But yes, technically, this should be a ServFail.
> 
> I trust you will add logic to look up the DLV record before allowing one
> to finish a KSK rollover :)
> 
> Paul
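To make the flag arithmetic in this thread concrete, here is an added example (not code from Unbound, NLnet Labs or either poster) that decodes the DNSKEY flags word, computes the RFC 4034 Appendix B key tag, and applies the RFC 5011 section 2.1 rule that a key with REVOKE set must not be used as a trust anchor. The public key bytes are a constructed placeholder, not secure64.com's real key.

```python
# DNSKEY flags, key tag (RFC 4034 Appendix B) and the RFC 5011 REVOKE rule.
import struct

FLAG_ZONE = 0x0100    # ZONE key bit (RFC 4034 section 2.1.1)
FLAG_REVOKE = 0x0080  # REVOKE bit (RFC 5011 section 2.1)
FLAG_SEP = 0x0001     # Secure Entry Point bit (RFC 4034 section 2.1.1)


def flag_names(flags):
    """Return the names of the bits set in a DNSKEY flags word, e.g. 385."""
    table = ((FLAG_ZONE, "ZONE"), (FLAG_REVOKE, "REVOKE"), (FLAG_SEP, "SEP"))
    return [name for bit, name in table if flags & bit]


def build_dnskey_rdata(flags, algorithm, pubkey, protocol=3):
    """Wire-format DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def dnskey_keytag(rdata):
    """Key tag over the whole RDATA, per RFC 4034 Appendix B.

    The flags word is part of the input, so setting REVOKE on an
    existing key changes its key tag; the new tag must be re-derived."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def usable_as_trust_anchor(rdata):
    """RFC 5011 section 2.1: once REVOKE is seen, the key MUST NOT be used
    as a trust anchor or for any other purpose. A validator that reaches
    this point with a revoked anchor should treat the zone as bogus
    (SERVFAIL) rather than validate with it."""
    flags = struct.unpack("!H", rdata[:2])[0]
    if flags & FLAG_REVOKE:
        return False
    return bool(flags & FLAG_ZONE)  # a trust anchor must be a ZONE key


# Constructed placeholder key material; not a real DNSSEC public key.
PUBKEY = bytes([0x01, 0x02, 0x03, 0x04, 0x05, 0x06])
KSK = build_dnskey_rdata(257, 8, PUBKEY)      # flags 257 = ZONE|SEP
REVOKED = build_dnskey_rdata(385, 8, PUBKEY)  # flags 385 = ZONE|REVOKE|SEP

if __name__ == "__main__":
    for rr in (KSK, REVOKED):
        flags = struct.unpack("!H", rr[:2])[0]
        print(flags, flag_names(flags), "tag", dnskey_keytag(rr),
              "trust anchor ok:", usable_as_trust_anchor(rr))
```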