[nsd-users] wildcard+ANY validation issue between NSD and Unbound
wouter at nlnetlabs.nl
Fri Feb 24 18:00:44 CET 2012
-----BEGIN PGP SIGNED MESSAGE-----
On 02/24/2012 05:53 PM, Miek Gieben wrote:
> [ Quoting <wouter at NLnetLabs.nl> at 17:19 on Feb 24 in "Re:
> [nsd-users] wild..." ]
>> Unbound does validate RRSIGs on data from ANY queries. Because
>> the reasoning is that it has to protect its downstream client
>> from bogus data. And the downstream client may be old (i.e. do
>> ANY queries for mail and no DNSSEC) and need to be given
>> SERVFAIL. Thus, it validates the data. It does not check if the
>> data is complete (i.e. with the NSEC) because it may indeed be
>> partial from the cache.
>> It also validates data where someone does a +norec query to
>> unbound and its not in cache and thus a cache-referral is
>> returned. This data is then also validated (the 'proof' consists
>> of checking the signatures).
> But what if an RRSIG expires from the cache and then you get an
> ANY query? Unbound is then forced to give out an incomplete answer.
An RRSIG cannot expire on its own. If the TTL expires, then the data
it came with has expired too. If the expiration-date hits, well if
the TTL is longer than expiration (and the signature is valid) then
the TTL is reduced. So if the RRSIG expires, then its TTL has expired
and so has the TTL on the data :-)
> That's interesting to read and a real nice way of dealing with the
> additional section and DNSSEC.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
-----END PGP SIGNATURE-----
More information about the nsd-users