[Unbound-users] [DNSSEC] Resolver behavior with broken DS records

lst_hoe02 at kwsoft.de lst_hoe02 at kwsoft.de
Mon May 9 10:43:43 UTC 2011


Quote from "W.C.A. Wijngaards" <wouter at NLnetLabs.nl>:

> On 05/07/2011 10:13 AM, W.C.A. Wijngaards wrote:
>> On 05/06/2011 04:09 PM, Stephane Bortzmeyer wrote:
>>> In an (involuntary) experiment under .FR, I discovered that the rule
>>> "at least one DS must match for a child zone to be authenticated" is
>>> wrong if a broken DS is present. In our case, the field Algorithm in
>>> the DS did not match the one in the DNSKEY. While there was another
>>> correct DS for the child zone, Unbound 1.4.6 servfails. So, the
>>> incorrect DS made the child zone bogus.
>>
>> This should not happen, can you send me details, the DS records involved
>> (and perhaps the DNSKEY records) ?  They are of the same algorithm, I
>> assume?
>
> Stephane sent me details off-list.  Turns out to be the RFC4509 rules
> that unbound follows, that intends to avoid downgrade attacks.  Here it
> caused a failure though one record was correct.

That means higher grade hashes were invalid and no fallback will be done to the lower grade in this case?

Regards

Andreas
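The failure mode discussed in this thread, as an added example that is not part of the original mail and is not Unbound's own code: a small model of DS-to-DNSKEY matching (RFC 4034 section 5.1.4 digest, appendix B key tag) with the RFC 4509 section 3 rule applied on top, where SHA-1 DS records are ignored whenever a SHA-256 DS is present in the set. The owner name, the DNSKEY bytes and the DS set are constructed for the example; the "broken" DS is built the way Stephane describes it, with a correct digest but the wrong Algorithm field. Whether this matches every detail of Unbound 1.4.6's implementation is an assumption; the code only shows why the rule, taken literally, turns one bad SHA-256 DS plus one good SHA-1 DS into a bogus delegation.

```python
"""Model of DS matching with the RFC 4509 section 3 digest-downgrade rule.

Added example for the mailing-list thread; not Unbound code.
"""
import hashlib
import struct

# DS digest types (RFC 4034 / RFC 4509) and the DNSKEY algorithms used below
DIGEST_SHA1 = 1
DIGEST_SHA256 = 2
_HASHES = {DIGEST_SHA1: hashlib.sha1, DIGEST_SHA256: hashlib.sha256}
ALG_RSASHA1 = 5
ALG_RSASHA256 = 8


def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case) wire form of an owner name, RFC 4034 section 6.2."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags | protocol | algorithm | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA, RFC 4034 appendix B."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if (i & 1) else (b << 8)
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> bytes:
    """DS digest = H(canonical owner name | DNSKEY RDATA), RFC 4034 section 5.1.4."""
    return _HASHES[digest_type](name_to_wire(owner) + rdata).digest()


def make_ds(owner: str, rdata: bytes, digest_type: int) -> tuple:
    """DS as (key_tag, algorithm, digest_type, digest); algorithm is rdata byte 3."""
    return (key_tag(rdata), rdata[3], digest_type, ds_digest(owner, rdata, digest_type))


def ds_matches_key(owner: str, ds: tuple, rdata: bytes) -> bool:
    """A DS authenticates a DNSKEY only if tag, algorithm and digest all agree."""
    tag, alg, dtype, digest = ds
    return (tag == key_tag(rdata) and alg == rdata[3]
            and dtype in _HASHES and ds_digest(owner, rdata, dtype) == digest)


def usable_ds(ds_set: list) -> list:
    """RFC 4509 section 3: if any SHA-256 DS is present, ignore the SHA-1 DS records."""
    if any(ds[2] == DIGEST_SHA256 for ds in ds_set):
        return [ds for ds in ds_set if ds[2] != DIGEST_SHA1]
    return list(ds_set)


def validate_delegation(owner: str, ds_set: list, dnskeys: list, apply_rfc4509: bool = True) -> str:
    """'secure' if at least one considered DS matches a DNSKEY in the child set, else 'bogus'."""
    considered = usable_ds(ds_set) if apply_rfc4509 else list(ds_set)
    for ds in considered:
        for rdata in dnskeys:
            if ds_matches_key(owner, ds, rdata):
                return "secure"
    return "bogus"


def scenario() -> dict:
    """The thread's case: one correct SHA-1 DS, one SHA-256 DS with the wrong Algorithm field."""
    owner = "child.example."                       # constructed, not the real .FR zone
    pubkey = b"\x03\x01\x00\x01" + bytes(range(64))  # constructed key bytes, not a real key
    ksk = dnskey_rdata(257, 3, ALG_RSASHA256, pubkey)
    good_sha1 = make_ds(owner, ksk, DIGEST_SHA1)
    tag, _, dtype, digest = make_ds(owner, ksk, DIGEST_SHA256)
    broken_sha256 = (tag, ALG_RSASHA1, dtype, digest)  # digest fine, Algorithm field wrong
    ds_set = [good_sha1, broken_sha256]
    return {
        "rfc4509": validate_delegation(owner, ds_set, [ksk]),                      # bogus
        "fallback": validate_delegation(owner, ds_set, [ksk], apply_rfc4509=False),  # secure
    }


if __name__ == "__main__":
    print(scenario())
```

The `fallback` result is what "at least one DS must match" would give on its own; the `rfc4509` result is what happens once the SHA-1 DS is discarded because a SHA-256 DS exists in the RRset, even though that SHA-256 DS can never match anything. The rule only defends against a downgrade if the stronger DS is itself correct, which is the check a zone operator should run before publishing a mixed-digest DS set.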
