Maintained by: NLnet Labs

[Unbound-users] [DNSSEC] Resolver behavior with broken DS records

Stephane Bortzmeyer
Fri May 6 16:09:02 CEST 2011


In an (involuntary) experiment under .FR, I discovered that the rule
"at least one DS must match for a child zone to be authenticated" is
wrong if a broken DS is present. In our case, the field Algorithm in
the DS did not match the one in the DNSKEY. While there was another
correct DS for the child zone, Unbound 1.4.6 servfails. So, the
incorrect DS made the child zone bogus.

If there are DS records and one of them is dangling (pointing to a
nonexistent key) or unknown (new algorithm), Unbound validates if there
is at least one DS it can process.

I won't discuss the legality of this behaviour (my reading of the RFC
on this point is that a resolver can do what it wants) but I believe
that the current Unbound behaviour is:

* inconsistent: Unbound uses an "at least one DS" policy when there are
dangling DS but an "all the DS" policy when there are broken DS.

* dangerous: a simple mistake in one of the DS will make the zone
bogus.
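Added example (not part of the post, and not Unbound's code): a small
Python model of the DS-to-DNSKEY matching step at a delegation, used to
make the distinction in the post concrete. It computes key tags (RFC 4034
Appendix B) and DS digests over a constructed, fake KSK for the
hypothetical zone "example.fr.", then classifies each DS in a constructed
DS set as matching, broken (key tag points at a real key but the
Algorithm field disagrees with it), dangling (no key with that tag), or
unsupported (algorithm or digest type the resolver does not implement),
and applies the "at least one DS must match" policy of RFC 4035 section
5.2. The supported-algorithm set and the sample key bytes are assumptions
of this example, not facts about any real resolver or zone.

```python
import hashlib
import struct

# Constructed sample zone and key material (not from the post).
OWNER = "example.fr."
FAKE_PUBKEY = bytes(range(64))   # placeholder key bytes; only tags/digests matter here
KSK = (257, 8, FAKE_PUBKEY)      # (flags, algorithm, public key): a fake RSASHA256 KSK

# Assumed resolver capabilities: which signing algorithms and DS digest types it knows.
SUPPORTED_ALGS = {8, 13}
DIGEST_FUNCS = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol 3 (1 byte), algorithm (1 byte), key."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (the algorithm 1 special case is omitted)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> bytes:
    """DS digest = hash(canonical owner name || DNSKEY RDATA), RFC 4034 section 5.1.4."""
    return DIGEST_FUNCS[digest_type](name_to_wire(owner) + rdata).digest()


def make_ds(owner: str, key: tuple, digest_type: int = 2) -> tuple:
    """Build a correct DS (key tag, algorithm, digest type, digest) for a DNSKEY."""
    flags, alg, pub = key
    rdata = dnskey_rdata(flags, alg, pub)
    return (key_tag(rdata), alg, digest_type, ds_digest(owner, rdata, digest_type))


def classify_ds(ds: tuple, owner: str, dnskeys: list) -> str:
    """Classify one DS against the child's DNSKEY RRset."""
    tag, alg, dtype, digest = ds
    if alg not in SUPPORTED_ALGS or dtype not in DIGEST_FUNCS:
        return "unsupported"          # RFC 4035 5.2: ignore DS the resolver cannot use
    candidates = [k for k in dnskeys if key_tag(dnskey_rdata(*k)) == tag]
    if not candidates:
        return "dangling"             # no DNSKEY carries this key tag
    for flags, kalg, pub in candidates:
        rdata = dnskey_rdata(flags, kalg, pub)
        if kalg == alg and ds_digest(owner, rdata, dtype) == digest:
            return "match"            # key tag, algorithm and digest all agree
    return "broken"                   # tag points at a real key, but algorithm/digest differ


def validate_delegation(owner: str, ds_set: list, dnskeys: list) -> tuple:
    """Apply the 'at least one DS must match' rule; returns (decision, per-DS statuses)."""
    statuses = [classify_ds(ds, owner, dnskeys) for ds in ds_set]
    usable = [s for s in statuses if s != "unsupported"]
    if not usable:
        return "insecure", statuses   # only unsupported DS: treat delegation as unsigned
    if "match" in usable:
        return "secure", statuses     # a broken or dangling sibling DS does not matter
    return "bogus", statuses          # DS present and usable, but none matches a key


def demo() -> tuple:
    """The scenario from the post: one correct DS plus one with a wrong Algorithm field,
    alongside a dangling DS and one the resolver cannot process (all constructed)."""
    good = make_ds(OWNER, KSK)
    tag, _, dtype, digest = good
    broken = (tag, 13, dtype, digest)                 # Algorithm 13 claimed, key is alg 8
    dangling = ((tag + 1) & 0xFFFF, 8, 2, digest)     # key tag matches nothing
    unsupported = (tag, 12, 2, digest)                # algorithm this resolver lacks
    return validate_delegation(OWNER, [good, broken, dangling, unsupported], [KSK])


if __name__ == "__main__":
    decision, statuses = demo()
    print(decision, statuses)
```

Under this rule the scenario in the post validates as secure: the broken DS is
simply one that matches no key, just like a dangling one. A zone whose only DS
records are broken or dangling is bogus, and one whose DS records all use
algorithms the resolver does not implement is treated as insecure rather than
bogus, which is why an operator rolling to a new algorithm publishes a DS for
an algorithm the installed resolvers already support.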