Maintained by: NLnet Labs

[Unbound-users] [DNSSEC] Resolver behavior with broken DS records

W.C.A. Wijngaards
Mon May 9 12:27:38 CEST 2011


On 05/07/2011 10:13 AM, W.C.A. Wijngaards wrote:
> On 05/06/2011 04:09 PM, Stephane Bortzmeyer wrote:
>> In an (involuntary) experiment under .FR, I discovered that the rule
>> "at least one DS must match for a child zone to be authenticated" is
>> wrong if a broken DS is present. In our case, the field Algorithm in
>> the DS did not match the one in the DNSKEY. While there was another
>> correct DS for the child zone, Unbound 1.4.6 servfails. So, the
>> incorrect DS made the child zone bogus.
> 
> This should not happen, can you send me details, the DS records involved
> (and perhaps the DNSKEY records) ?  They are of the same algorithm, I
> assume?

Stephane sent me details off-list.  It turns out to be the RFC 4509 rules
that Unbound follows, which intend to avoid downgrade attacks.  Here they
caused a failure even though one record was correct.

Best regards,
   Wouter
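The failure mode discussed in this thread, modelled as an added example (not Unbound's code and not from the list): a validator that applies the RFC 4509 rule of ignoring SHA-1 DS records whenever a SHA-256 DS is present, run over a constructed DS set with one correct SHA-1 DS and one SHA-256 DS whose algorithm field disagrees with the child's DNSKEY. The thread does not say which digest types were involved, so that split is an assumption, as are the zone name and the fake public key bytes.

```python
import hashlib
import struct

SHA1, SHA256 = 1, 2                      # DS digest type numbers (RFC 4034, RFC 4509)
HASHES = {SHA1: hashlib.sha1, SHA256: hashlib.sha256}

def wire_name(name):
    """Canonical wire form of an owner name: lower-cased, length-prefixed labels."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def key_tag(rdata):
    """RFC 4034 Appendix B key tag over DNSKEY RDATA."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def make_ds(name, flags, proto, alg, pubkey, dtype):
    """Build a DS record for a DNSKEY (RFC 4034 5.1.4: digest over owner | RDATA)."""
    rdata = struct.pack("!HBB", flags, proto, alg) + pubkey
    digest = HASHES[dtype](wire_name(name) + rdata).digest()
    return {"tag": key_tag(rdata), "alg": alg, "dtype": dtype, "digest": digest}

def ds_matches(ds, name, key):
    """A DS authenticates a DNSKEY only if key tag, algorithm and digest all agree."""
    return ds == make_ds(name, *key, ds["dtype"])

def usable_ds(ds_set):
    """RFC 4509 section 3: ignore SHA-1 DS records when any SHA-256 DS is present."""
    if any(ds["dtype"] == SHA256 for ds in ds_set):
        return [ds for ds in ds_set if ds["dtype"] != SHA1]
    return list(ds_set)

def validate_child(ds_set, name, key, rfc4509=True):
    """True (secure) if a usable DS matches the child's DNSKEY, else False (bogus)."""
    candidates = usable_ds(ds_set) if rfc4509 else list(ds_set)
    return any(ds_matches(ds, name, key) for ds in candidates)

def demo():
    """Constructed DS set: one correct SHA-1 DS, one SHA-256 DS whose algorithm field is wrong."""
    name = "child.example."
    key = (257, 3, 8, bytes(range(64)))                 # constructed KSK: alg 8, fake public key
    good = make_ds(name, *key, SHA1)
    broken = make_ds(name, 257, 3, 5, key[3], SHA256)   # algorithm 5 does not match the DNSKEY's 8
    with_rule = validate_child([good, broken], name, key)                   # False: zone goes bogus
    without_rule = validate_child([good, broken], name, key, rfc4509=False)  # True: SHA-1 DS matches
    return with_rule, without_rule
```

With the RFC 4509 rule applied, the correct SHA-1 DS is never consulted, so the single broken SHA-256 DS is enough to make the child bogus; without the rule the same DS set validates.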