To: dnssec@cafax.se
From: "Stephan Jager" <stephan@nlnetlabs.nl>
Date: Fri, 04 May 2001 14:07:11 +0200
Sender: owner-dnssec@cafax.se
Subject: SIG over KEY problem
In my previous email I wrote down 2 digs to show a problem. I understand that this did not explain the problem very clearly, so let me try again.

I'm writing a secure-aware stub resolver, which
- uses an arbitrary (untrusted) forwarder,
- checks top-down whether a zone is secured or not,
- checks up to the final SIG if so.

As an example, let's look up the MX for nlnetlabs.nl.nl. We start at "nl.nl", which is a preconfigured secure entry point in my stub resolver.

Using an external nameserver as forwarder, I get as expected:
- the KEY for nlnetlabs.nl.nl
- the SIG from the nl.nl-KEY over the nlnetlabs.nl.nl-KEY
This is OK.

However, using a forwarder which happens to be also authoritative for nlnetlabs.nl.nl, I get:
- the KEY for nlnetlabs.nl.nl (this is OK)
- the SIG from the nlnetlabs.nl.nl-KEY over the nlnetlabs.nl.nl-KEY (the self-sig, which is useless for the resolver).

The question I now have is whether I should change the resolver to explicitly choose another forwarding server (apart from making it much more complicated, it prohibits its use behind a firewall), or whether the forwarder should be changed, or the protocol?

Stephan.

(thanks Ted :)
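The situation described in the message, as an added illustration that is not part of the original post or of any resolver code: a validator that sorts the SIGs returned over a child's KEY RRset into those that extend the chain of trust from an already-validated ancestor (here the entry point nl.nl) and those that are only the zone's own self-signature. The SigRR fields and key tags are constructed sample data; cryptographic verification of the signature itself is out of scope and assumed to happen afterwards on the selected SIGs.

```python
from dataclasses import dataclass
from typing import Iterable, List, Set


@dataclass(frozen=True)
class SigRR:
    """Minimal model of the RFC 2535 SIG fields this check needs."""
    owner: str         # name the SIG is attached to (the signed RRset's owner)
    type_covered: str  # RR type the SIG covers, e.g. "KEY"
    signer: str        # "signer's name" field: zone whose KEY made the signature
    key_tag: int       # key tag of the signing KEY (constructed values below)


def canon(name: str) -> str:
    """Canonical form for comparison: lower-case, no trailing dot."""
    return name.rstrip(".").lower()


def is_proper_ancestor(zone: str, name: str) -> bool:
    """True if zone is strictly above name in the tree (root ancestors all)."""
    z, n = canon(zone), canon(name)
    return z != n and (z == "" or n.endswith("." + z))


def chain_sigs(key_owner: str, sigs: Iterable[SigRR],
               validated_zones: Set[str]) -> List[SigRR]:
    """SIGs over key_owner's KEY RRset made by an already-validated ancestor.
    Only these can carry trust down from the secure entry point."""
    trusted = {canon(z) for z in validated_zones}
    return [s for s in sigs
            if canon(s.owner) == canon(key_owner) and s.type_covered == "KEY"
            and canon(s.signer) in trusted
            and is_proper_ancestor(s.signer, key_owner)]


def classify(key_owner: str, sigs: Iterable[SigRR],
             validated_zones: Set[str]) -> str:
    """'chainable' if a parent-made SIG is present, 'self-signed-only' if the
    answer carried nothing but the zone's own SIG (the case in the message),
    'unsigned' if no SIG over the KEY RRset came back at all."""
    sigs = list(sigs)
    if chain_sigs(key_owner, sigs, validated_zones):
        return "chainable"
    owner = canon(key_owner)
    if any(canon(s.owner) == owner and s.type_covered == "KEY"
           and canon(s.signer) == owner for s in sigs):
        return "self-signed-only"
    return "unsigned"


# Constructed sample answers for the two forwarders described in the message.
EXTERNAL_FORWARDER = [SigRR("nlnetlabs.nl.nl.", "KEY", "nl.nl.", 12345)]
AUTH_FORWARDER = [SigRR("nlnetlabs.nl.nl.", "KEY", "nlnetlabs.nl.nl.", 54321)]
```

A resolver that reaches "self-signed-only" knows it has not validated anything yet and must still obtain the parent's SIG rather than treat the self-signature as proof.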