[nsd-users] wildcard+ANY validation issue between NSD and Unbound
wouter at nlnetlabs.nl
Fri Feb 24 17:19:00 CET 2012
On 02/24/2012 05:00 PM, Miek Gieben wrote:
> [ Quoting <peter.van.dijk at netherlabs> at 14:37 on Feb 24 in "Re:
> [nsd-users] wild..." ]
>>> That's because ANY has been loosely defined (I'm not sure there
>>> is a written down definition) as give me the records you've
>>> got. In case you hit a cache with an ANY query there is no
>>> guarantee whatsoever that it should all validate. I think
>>> that even for authoritative servers you can pretty much do what
>>> you want if it receives a QTYPE = ANY.
>> While that is true, I feel that whatever an auth chooses to serve
>> up for ANY would still consist of zero or more RRsets, which
>> means the RRSIGs and NSECs that go with them could validate.
> That would indeed be a nice thing to do if you are an auth. server.
> But such a rule still doesn't help a resolver hitting a cache
> (which, for whatever reason, just doesn't have the RRSIG).
Unbound does validate RRSIGs on data from ANY queries. The reasoning
is that it has to protect its downstream client from bogus data. And
the downstream client may be old (i.e. do ANY queries for mail and no
DNSSEC) and need to be given SERVFAIL. Thus, it validates the data. It
does not check if the data is complete (i.e. with the NSEC) because it
may indeed be partial from the cache.
It also validates data where someone does a +norec query to unbound
and it's not in cache and thus a cache-referral is returned. This data
is then also validated (the 'proof' consists of checking the signatures).
Unbound takes the same view to additional section RRs. Those are not
always really required, nor do they have to be validated, but to
protect the client from bogus data it will verify the RRsets there. If
some are bogus, but the message can be made secure by simply removing
them, then the additional RRset is removed (this means an RRSIG that
does not fit at the end does not make the message bogus).
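The per-section policy Wouter describes above (answer section must verify or the client gets SERVFAIL; additional-section RRsets that do not verify are stripped rather than failing the message; dangling RRSIGs are dropped; completeness via NSEC is not checked for ANY) modelled as an added example. This is not Unbound code. Real RRSIG verification is a public-key signature over the canonical RRset; here it is stood in for by an HMAC with a constructed shared key (ZONE_KEY), and the zone is assumed to be signed, so an RRset with no RRSIG at all counts as bogus. Record tuples, names and addresses are constructed for the example.

```python
"""Model of Unbound's validation policy for ANY answers and additional data.

Added example, not Unbound's own code. RRSIG verification is replaced by an
HMAC over the canonical RRset with a shared key, because the point here is the
per-section accept / strip / SERVFAIL decision, not the DNSSEC cryptography.
"""
import hashlib
import hmac
from collections import OrderedDict

# Constructed stand-in for the zone's signing key (assumption: a signed zone).
ZONE_KEY = b"example.com-zone-signing-key"


def canonical_rrset(name, rtype, rdatas):
    """Canonical wire-ish form: lower-cased owner, type, rdata in sorted order."""
    return "\n".join([name.lower(), rtype] + sorted(rdatas)).encode()


def make_rrsig(name, rtype, rdatas, key=ZONE_KEY):
    """Produce a stand-in RRSIG record covering the RRset <name, rtype>."""
    sig = hmac.new(key, canonical_rrset(name, rtype, rdatas), hashlib.sha256).hexdigest()
    return (name, "RRSIG", rtype, sig)


def group_rrsets(records):
    """Split a message section into RRsets keyed by (owner, type).

    RRSIG records are collected separately, keyed by the RRset they claim to
    cover, so a signature with no matching RRset is simply never consulted.
    """
    rrsets, rrsigs = OrderedDict(), {}
    for rec in records:
        name, rtype = rec[0], rec[1]
        if rtype == "RRSIG":
            rrsigs.setdefault((name, rec[2]), []).append(rec[3])
        else:
            rrsets.setdefault((name, rtype), []).append(rec[2])
    return rrsets, rrsigs


def rrset_is_secure(name, rtype, rdatas, sigs, key=ZONE_KEY):
    """True if at least one attached RRSIG verifies over the whole RRset."""
    expected = hmac.new(key, canonical_rrset(name, rtype, rdatas), hashlib.sha256).hexdigest()
    return any(hmac.compare_digest(s, expected) for s in sigs)


def validate_section(records, key=ZONE_KEY):
    """Return (secure_records, bogus_keys) for one section.

    secure_records keeps every RRset that verifies together with its RRSIGs;
    bogus_keys lists (owner, type) of RRsets with no valid RRSIG. Dangling
    RRSIGs (covering no RRset present) are dropped and do not count as bogus.
    """
    rrsets, rrsigs = group_rrsets(records)
    secure, bogus = [], []
    for (name, rtype), rdatas in rrsets.items():
        sigs = rrsigs.get((name, rtype), [])
        if rrset_is_secure(name, rtype, rdatas, sigs, key):
            secure.extend((name, rtype, rd) for rd in rdatas)
            secure.extend((name, "RRSIG", rtype, s) for s in sigs)
        else:
            bogus.append((name, rtype))
    return secure, bogus


def validate_response(answer, additional, key=ZONE_KEY):
    """Apply the policy described in the thread.

    - Any bogus RRset in the answer section makes the whole reply SERVFAIL,
      so an old non-DNSSEC client never sees forged data.
    - Bogus additional RRsets are stripped; the rest of the message stays secure.
    - Completeness (NSEC/NSEC3 for ANY) is deliberately not checked, since a
      cached ANY answer may legitimately be partial.
    """
    ans_secure, ans_bogus = validate_section(answer, key)
    if ans_bogus:
        return {"rcode": "SERVFAIL", "answer": [], "additional": [],
                "bogus": ans_bogus, "stripped": []}
    add_secure, add_bogus = validate_section(additional, key)
    return {"rcode": "NOERROR", "answer": ans_secure, "additional": add_secure,
            "bogus": [], "stripped": add_bogus}


if __name__ == "__main__":
    # Constructed data: a partial ANY answer (only MX came back from cache),
    # plus a forged glue A record and a dangling RRSIG in the additional section.
    mx = ("example.com.", "MX", "10 mail.example.com.")
    mx_sig = make_rrsig("example.com.", "MX", ["10 mail.example.com."])
    forged_a = ("mail.example.com.", "A", "203.0.113.9")
    forged_sig = ("mail.example.com.", "RRSIG", "A", "00" * 32)
    dangling = ("example.com.", "RRSIG", "TXT", "ab" * 32)
    print(validate_response([mx, mx_sig], [forged_a, forged_sig, dangling]))
    print(validate_response([forged_a, forged_sig], []))
```

The first call in the demo stays NOERROR with the forged A stripped and the dangling RRSIG silently dropped, while the second, where the forgery sits in the answer section, yields SERVFAIL. Swapping the HMAC for real RRSIG verification against a validated DNSKEY would not change the section logic.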