

To: "Stephan Jager" <stephan@nlnetlabs.nl>
Cc: dnssec@cafax.se
From: Olaf Kolkman <OKolkman@ripe.net>
Date: Sun, 06 May 2001 16:41:56 +0200
Delivery-Date: Mon May 7 08:40:12 2001
In-reply-to: Your message of Fri, 04 May 2001 14:07:11 +0200. <200105041207.OAA19635@catv8013.extern.kun.nl>
Sender: owner-dnssec@cafax.se
Subject: Re: SIG over KEY problem




Hi Stephan,

Although still a little confused I think I understand what is
happening.

 * Using an external nameserver as forwarder, I get as expected:
 * - the KEY for nlnetlabs.nl.nl
 * - the SIG from the nl.nl-KEY over the nlnetlabs.nl.nl-KEY
 * This is OK.


Is this really what you expect? Where is the SIG over the
nlnetlabs.nl.nl KEY located in your setup, at the parent apex isn't
it? I do not expect current BIND tools to have the knowledge that the
key is at the parent. I would expect a forwarder that has nothing to
do with .nl.nl and nlnetlabs.nl.nl to return the KEY for
nlnetlabs.nl.nl and a SIG by nlnetlabs.nl.nl in the answer section.

In the example you used previously you did not use a completely
independent forwarder. 193.0.0.202 is configured as a slave for .nl.nl.

This slave server for .nl.nl has the authoritative answer for the SIG
over nlnetlabs.nl.nl made by .nl.nl. It has no knowledge of the SIG
made by nlnetlabs.nl.nl because it is not authoritative for the
nlnetlabs.nl.nl zone where that SIG is stored.

 * However, using a forwarder, which happens to be also
 * authoritative for nlnetlabs.nl.nl, I get:
 * - the KEY for nlnetlabs.nl.nl (this is OK)
 * - the SIG from the nlnetlabs.nl.nl-KEY over the
 *    nlnetlabs.nl.nl-KEY (the self-sig, which is useless for
 *    the resolver).
 * 
 * The question I now have is whether I should change the resolver
 * to explicitly choose another forwarding server (apart from making
 * it much more complicated, it prohibits its use behind a firewall),
 * or whether the forwarder should be changed, or the protocol?

This is actually the answer you get from a truly independent forwarder
(see below).  I wonder what happens if you ask a forwarder that is
authoritative for both .nl.nl and nlnetlabs.nl.nl.... Will one get
both SIGs? (Hey it's Sunday, the experiment has to wait :-) ) If
draft-ietf-dnsext-parent-sig-01.txt gets implemented, servers that are
authoritative for both child and parent should know from which zone
they should hand out their SIG data, or hand out the SIGs from both zones.


For now, I think you should teach your resolver that the parent is
authoritative for the SIG and that the chaser should explicitly ask
the parent for the SIG over the child's key.


--Olaf


Query to an "independent" forwarder

dig KEY +dnssec nlnetlabs.nl.nl @127.0.0.1

; <<>> DiG 9.1.1 <<>> KEY +dnssec nlnetlabs.nl.nl @127.0.0.1
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35315
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version:    0, udp=   4096
;; QUESTION SECTION:
;nlnetlabs.nl.nl.		IN	KEY

;; ANSWER SECTION:
nlnetlabs.nl.nl.	3600	IN	KEY	256 3 1 AQO+IQlM8PmCJ52so8Kf5jVp4wE3RrgsvR86mNps1/2Ihpw28fdt4BiS yUNIESzCiiNDLpAa9Npgr0Al26pM8VtgQKOuRCdBh/iSVAeqvLxdEqc/ /+x0lXg+EULWvGw76Ec=
nlnetlabs.nl.nl.	3600	IN	SIG	KEY 1 3 3600 20010512110312 20010201110312 15336 nlnetlabs.nl.nl. HBPBgd2ZJ7vMgog12WUPrTC1itT8/1jn9yu2NQzgM7Wdvic6DWmgO2L6 JMrbZYf/p3hVYK+ApIN2dcx8al1sJTof7PX2b5GWXMCKrmHN8DpIsP4b 1+OxRBur9xtVOJSc

;; AUTHORITY SECTION:
nlnetlabs.nl.nl.	86400	IN	NS	open.nlnetlabs.nl.nl.
nlnetlabs.nl.nl.	86400	IN	NS	omval.tednet.nl.
nlnetlabs.nl.nl.	86400	IN	SIG	NS 1 3 86400 20010524112159 20010424112159 15336 nlnetlabs.nl.nl. UN0YwZSbOBykVEKUhnOPp+f1qj54Pq9VfEMeMuYZUO7cP9Bei+2wbbTI zRcLzDsF7typKOHVTO9p30aRommkDm1uKh86hu5pZ7srzs78U/9V/wKS LCIpBbVK8R2wkJHf

;; Query time: 529 msec
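The chasing rule the message ends with (the parent holds the SIG over the child's KEY, so the chaser must ask the parent for it explicitly), worked through as an added example that is not code from the posting or from BIND. Given the answer section returned for `nlnetlabs.nl.nl KEY` in dig's presentation format, it tells a self-signature apart from a parent-made SIG by the signer name in the SIG RDATA and reports which zone still has to be asked. The self-signed records are the ones from the message above; the parent-signed SIG record is constructed (key tag 12345 and signature "AAAA" are placeholders), and the parent zone is assumed to be one label above the owner.

```python
"""Decide where the SIG over a child's KEY has to come from.

Added example for this thread; not code from the posting or from BIND.
Records are parsed from dig's presentation format as used in the
message (RFC 2535-era KEY/SIG records).  The parent-signed SIG below is
constructed: key tag 12345 and the signature "AAAA" are placeholders.
"""

from dataclasses import dataclass

SELF_SIG = "self"      # signer == owner: useless to a chaser on its own
PARENT_SIG = "parent"  # signer is a zone above the owner: what the chaser needs
OTHER_SIG = "other"    # signer is neither the owner nor an ancestor


def canonical(name: str) -> str:
    """Lower-case the name and make it absolute (trailing dot)."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def is_proper_ancestor(ancestor: str, name: str) -> bool:
    """True if `ancestor` lies strictly above `name` in the DNS tree."""
    a, n = canonical(ancestor), canonical(name)
    if a == n:
        return False
    if a == ".":
        return True
    return n.endswith("." + a)


def parent_name(name: str) -> str:
    """Immediate parent of `name`, found by stripping the leftmost label.
    Assumption for this example: the zone cut is one label up (nl.nl for
    nlnetlabs.nl.nl); a real chaser finds the cut by following NS records."""
    labels = canonical(name).rstrip(".").split(".")
    return "." if len(labels) <= 1 else ".".join(labels[1:]) + "."


@dataclass
class Sig:
    owner: str
    type_covered: str
    key_tag: int
    signer: str


def parse_sig(line: str) -> Sig:
    """Parse one SIG record in dig presentation format:
    owner ttl IN SIG type_covered alg labels orig_ttl expiration
    inception key_tag signer signature..."""
    f = line.split()
    if len(f) < 13 or f[2].upper() != "IN" or f[3].upper() != "SIG":
        raise ValueError(f"not a SIG record: {line!r}")
    return Sig(owner=canonical(f[0]), type_covered=f[4].upper(),
               key_tag=int(f[10]), signer=canonical(f[11]))


def classify(sig: Sig) -> str:
    """Self-signature, parent-made signature, or something else."""
    if sig.signer == sig.owner:
        return SELF_SIG
    if is_proper_ancestor(sig.signer, sig.owner):
        return PARENT_SIG
    return OTHER_SIG


def chase(owner: str, answer: str) -> dict:
    """Look at the records returned for `owner KEY`, list the SIGs over
    that KEY by signer, and say whether the chaser must still go to the
    parent (and which zone that is) for the parent-made SIG."""
    owner = canonical(owner)
    found = {SELF_SIG: [], PARENT_SIG: [], OTHER_SIG: []}
    for line in answer.splitlines():
        f = line.split()
        if len(f) < 5 or f[3].upper() != "SIG" or f[4].upper() != "KEY":
            continue                      # KEY, NS, SIG NS, ...: not a SIG over KEY
        sig = parse_sig(line)
        if sig.owner != owner:
            continue
        found[classify(sig)].append(sig.signer)
    ask = None if found[PARENT_SIG] else parent_name(owner)
    return {"self_sigs": found[SELF_SIG], "parent_sigs": found[PARENT_SIG],
            "ask_parent_for_sig": ask}


# Answer section from the message's query to an "independent" forwarder
# (same values as in the message, with the wrapped lines joined):
INDEPENDENT_FORWARDER = """\
nlnetlabs.nl.nl.	3600	IN	KEY	256 3 1 AQO+IQlM8PmCJ52so8Kf5jVp4wE3RrgsvR86mNps1/2Ihpw28fdt4BiS yUNIESzCiiNDLpAa9Npgr0Al26pM8VtgQKOuRCdBh/iSVAeqvLxdEqc/ /+x0lXg+EULWvGw76Ec=
nlnetlabs.nl.nl.	3600	IN	SIG	KEY 1 3 3600 20010512110312 20010201110312 15336 nlnetlabs.nl.nl. HBPBgd2ZJ7vMgog12WUPrTC1itT8/1jn9yu2NQzgM7Wdvic6DWmgO2L6 JMrbZYf/p3hVYK+ApIN2dcx8al1sJTof7PX2b5GWXMCKrmHN8DpIsP4b 1+OxRBur9xtVOJSc
nlnetlabs.nl.nl.	86400	IN	NS	open.nlnetlabs.nl.nl.
"""

# What a server that is also a slave for nl.nl hands out: the SIG made by
# the parent.  Constructed record: key tag 12345 and "AAAA" are placeholders.
PARENT_SLAVE = """\
nlnetlabs.nl.nl.	3600	IN	KEY	256 3 1 AQO+IQlM8PmCJ52so8Kf5jVp4wE3RrgsvR86mNps1/2Ihpw28fdt4BiS yUNIESzCiiNDLpAa9Npgr0Al26pM8VtgQKOuRCdBh/iSVAeqvLxdEqc/ /+x0lXg+EULWvGw76Ec=
nlnetlabs.nl.nl.	3600	IN	SIG	KEY 1 3 3600 20010512110312 20010201110312 12345 nl.nl. AAAA
"""

if __name__ == "__main__":
    for label, text in (("independent forwarder", INDEPENDENT_FORWARDER),
                        ("slave for nl.nl", PARENT_SLAVE)):
        print(label, chase("nlnetlabs.nl.nl", text))
```

Run against the independent forwarder's answer, `chase` finds only the self-signature by nlnetlabs.nl.nl. and reports that nl.nl. still has to be asked; against the nl.nl slave's answer it finds the parent-made SIG and reports nothing further to ask. The signer field is the only thing the chaser needs to look at to make that decision; a real chaser would then send the follow-up `KEY` query to the parent's NS set rather than to the forwarder.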
