[nsd-users] wildcard+ANY validation issue between NSD and Unbound

W.C.A. Wijngaards wouter at nlnetlabs.nl
Fri Feb 24 17:00:44 UTC 2012



Hi Miek,

On 02/24/2012 05:53 PM, Miek Gieben wrote:
> [ Quoting <wouter at NLnetLabs.nl> at 17:19 on Feb 24 in "Re:
> [nsd-users] wild..." ]
>> Unbound does validate RRSIGs on data from ANY queries.  Because
>> the reasoning is that it has to protect its downstream client
>> from bogus data.  And the downstream client may be old (i.e. do
>> ANY queries for mail and no DNSSEC) and need to be given
>> SERVFAIL.  Thus, it validates the data.  It does not check if the
>> data is complete (i.e. with the NSEC) because it may indeed be
>> partial from the cache.
>> 
>> It also validates data where someone does a +norec query to
>> unbound and it's not in cache and thus a cache-referral is
>> returned.  This data is then also validated (the 'proof' consists
>> of checking the signatures).
> 
> But what if an RRSIG expires from the cache and then you get an
> ANY query? Unbound is then forced to give out an incomplete answer.
> 
An RRSIG cannot expire on its own.  If the TTL expires, then the data
it came with has expired too.  If the expiration date hits: well, if
the TTL is longer than the expiration (and the signature is valid),
then the TTL is reduced.  So if the RRSIG expires, then its TTL has
expired and so has the TTL on the data :-)

> That's interesting to read and a really nice way of dealing with the
> additional section and DNSSEC.

Best regards,
   Wouter
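The TTL rule Wouter describes above, as an added example that is not Unbound's or NSD's own code: RFC 4035 section 5.3.3 has a validator cache an authenticated RRset and its RRSIG under a TTL no greater than the minimum of the received TTLs, the RRSIG Original TTL and the seconds left until Signature Expiration, so the two always leave the cache together and an ANY answer built from cache can be partial but never unsigned. The names, times and RRsets below are constructed for the example, and `SecureCache` is a toy, not a model of Unbound's cache.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Example code added to this archive page; not Unbound's or NSD's code.
# Names, times and RRsets are constructed for the demonstration.


@dataclass(frozen=True)
class RRSIG:
    type_covered: str
    original_ttl: int
    expiration: int      # Signature Expiration, seconds since epoch
    inception: int       # Signature Inception, seconds since epoch
    ttl: int             # TTL of the RRSIG RR as received


@dataclass(frozen=True)
class RRset:
    name: str
    rrtype: str
    ttl: int             # TTL as received from the authoritative server
    rdata: Tuple[str, ...]


def validated_ttl(rrset: RRset, sig: RRSIG, now: int) -> Optional[int]:
    """TTL to cache a validated RRset and its RRSIG under (RFC 4035 5.3.3),
    or None if the signature does not cover this type or is outside its
    validity window, in which case nothing is cached as secure data."""
    if sig.type_covered != rrset.rrtype:
        return None
    if not (sig.inception <= now < sig.expiration):
        return None
    # The expiration term is what caps a long zone TTL at signature lifetime.
    return min(rrset.ttl, sig.ttl, sig.original_ttl, sig.expiration - now)


class SecureCache:
    """Toy validating cache keyed by (owner name, RR type)."""

    def __init__(self) -> None:
        self._entries: Dict[Tuple[str, str], Tuple[RRset, RRSIG, int]] = {}

    def store(self, rrset: RRset, sig: RRSIG, now: int) -> Optional[int]:
        """Cache RRset and RRSIG together under one capped TTL."""
        ttl = validated_ttl(rrset, sig, now)
        if ttl is None:
            return None
        self._entries[(rrset.name, rrset.rrtype)] = (rrset, sig, now + ttl)
        return ttl

    def lookup_any(self, name: str, now: int) -> List[Tuple[RRset, RRSIG]]:
        """Answer an ANY query from cache: every unexpired RRset for the
        name, each paired with its RRSIG.  Possibly partial, never unsigned,
        because an RRset and its signature share one expiry time."""
        found: List[Tuple[RRset, RRSIG]] = []
        for (owner, rrtype), (rrset, sig, expires_at) in list(self._entries.items()):
            if owner != name:
                continue
            if now >= expires_at:
                del self._entries[(owner, rrtype)]   # data and RRSIG go together
                continue
            found.append((rrset, sig))
        return found


# Constructed sample data: a zone TTL of one hour, but the A RRSIG expires
# in ten minutes while the MX RRSIG is good for two hours.
NOW = 1_330_000_000
SAMPLE_A = RRset("example.net.", "A", 3600, ("192.0.2.1",))
SAMPLE_A_SIG = RRSIG("A", 3600, NOW + 600, NOW - 86400, 3600)
SAMPLE_MX = RRset("example.net.", "MX", 3600, ("10 mail.example.net.",))
SAMPLE_MX_SIG = RRSIG("MX", 3600, NOW + 7200, NOW - 86400, 3600)


def demo() -> Tuple[Optional[int], int, int]:
    """Returns (capped A TTL, RRsets in ANY answer at +599s, at +600s)."""
    cache = SecureCache()
    a_ttl = cache.store(SAMPLE_A, SAMPLE_A_SIG, NOW)    # capped from 3600 to 600
    cache.store(SAMPLE_MX, SAMPLE_MX_SIG, NOW)          # stays 3600: TTL < lifetime
    before = len(cache.lookup_any("example.net.", NOW + 599))
    after = len(cache.lookup_any("example.net.", NOW + 600))
    return a_ttl, before, after


if __name__ == "__main__":
    print(demo())
```

At `NOW + 599` the ANY answer carries both RRsets with their signatures; one second later the A RRset and its RRSIG have aged out together and only the MX RRset and its RRSIG remain, which is the "partial from the cache" case in the message.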