Maintained by: NLnet Labs

[Unbound-users] [DNSSEC] Resolver behavior with broken DS records

lst_hoe02 at kwsoft.de
Mon May 9 12:43:43 CEST 2011


Quote from "W.C.A. Wijngaards" <wouter at NLnetLabs.nl>:

>
> On 05/07/2011 10:13 AM, W.C.A. Wijngaards wrote:
>> On 05/06/2011 04:09 PM, Stephane Bortzmeyer wrote:
>>> In an (involuntary) experiment under .FR, I discovered that the rule
>>> "at least one DS must match for a child zone to be authenticated" is
>>> wrong if a broken DS is present. In our case, the field Algorithm in
>>> the DS did not match the one in the DNSKEY. While there was another
>>> correct DS for the child zone, Unbound 1.4.6 servfails. So, the
>>> incorrect DS made the child zone bogus.
>>
>> This should not happen, can you send me details, the DS records involved
>> (and perhaps the DNSKEY records) ?  They are of the same algorithm, I
>> assume?
>
> Stephane sent me details off-list.  Turns out to be the RFC4509 rules
> that unbound follows, that intends to avoid downgrade attacks.  Here it
> caused a failure though one record was correct.

That means higher-grade hashes were invalid and no fallback will be
done to the lower grade in this case?

Regards

Andreas
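To illustrate the behaviour discussed in this thread, here is an added toy validator (not code from the thread or from Unbound) that applies the RFC 4509 Section 3 rule, ignoring SHA-1 DS records whenever a SHA-256 DS is present in the set, to a constructed DS RRset containing one correct SHA-1 DS and one SHA-256 DS whose Algorithm field does not match the DNSKEY. The owner name, DNSKEY bytes and DS records are all made up for the example.

```python
import hashlib
import struct

# Key tag over the DNSKEY RDATA (RFC 4034, Appendix B).
def key_tag(rdata: bytes) -> int:
    acc = 0
    for i, b in enumerate(rdata):
        acc += b << 8 if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

# Owner name in DNS wire format (labels prefixed by length, root terminator).
def wire_name(name: str) -> bytes:
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types

def ds_digest(owner: str, dnskey_rdata: bytes, digest_type: int) -> bytes:
    # DS digest covers owner name (wire form) followed by the DNSKEY RDATA.
    return DIGESTS[digest_type](wire_name(owner) + dnskey_rdata).digest()

def ds_matches(ds, owner: str, dnskey_rdata: bytes) -> bool:
    # A DS is (key tag, algorithm, digest type, digest); all fields must agree.
    tag, alg, dtype, digest = ds
    if dtype not in DIGESTS:
        return False
    return (tag == key_tag(dnskey_rdata) and alg == dnskey_rdata[3]
            and digest == ds_digest(owner, dnskey_rdata, dtype))

def secure_entry(ds_set, owner: str, dnskey_rdata: bytes, rfc4509: bool = True) -> bool:
    # RFC 4509 s.3: with a SHA-256 DS in the set, SHA-1 DS records are ignored,
    # so a broken SHA-256 DS cannot be "rescued" by a correct SHA-1 one.
    if rfc4509 and any(ds[2] == 2 for ds in ds_set):
        ds_set = [ds for ds in ds_set if ds[2] != 1]
    return any(ds_matches(ds, owner, dnskey_rdata) for ds in ds_set)

# Constructed sample KSK: flags 257, protocol 3, algorithm 8, fake key material.
OWNER = "child.example."
KSK = struct.pack("!HBB", 257, 3, 8) + bytes(range(1, 65))
TAG = key_tag(KSK)
GOOD_SHA1 = (TAG, 8, 1, ds_digest(OWNER, KSK, 1))
BROKEN_SHA256 = (TAG, 5, 2, ds_digest(OWNER, KSK, 2))  # Algorithm field wrong
DS_SET = [GOOD_SHA1, BROKEN_SHA256]

if __name__ == "__main__":
    print("RFC 4509 rule on :", "secure" if secure_entry(DS_SET, OWNER, KSK) else "bogus")
    print("RFC 4509 rule off:", "secure" if secure_entry(DS_SET, OWNER, KSK, False) else "bogus")
```

With the rule applied the zone is bogus even though one DS is correct, which is the outcome reported above; without it the SHA-1 DS would have matched.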