To: "Stephan Jager" <stephan@nlnetlabs.nl>
Cc: dnssec@cafax.se
From: Olaf Kolkman <OKolkman@ripe.net>
Date: Sun, 06 May 2001 16:41:56 +0200
Delivery-Date: Mon May 7 08:40:12 2001
In-reply-to: Your message of Fri, 04 May 2001 14:07:11 +0200. <200105041207.OAA19635@catv8013.extern.kun.nl>
Sender: owner-dnssec@cafax.se
Subject: Re: SIG over KEY problem
Hi Stephan,

Although still a little confused I think I understand what is happening.

* Using an external nameserver as forwarder, I get as expected:
* - the KEY for nlnetlabs.nl.nl
* - the SIG from the nl.nl-KEY over the nlnetlabs.nl.nl-KEY
* This is OK.

Is this really what you expect? Where is the SIG over the nlnetlabs.nl.nl KEY located in your setup, at the parent apex isn't it? I do not expect current bind tools to have the knowledge that the key is at the parent.

I would expect a forwarder that has nothing to do with .nl.nl and nlnetlabs.nl.nl to return the KEY for nlnetlabs.nl.nl and a SIG by nlnetlabs.nl.nl in the answer section.

In the example you used previously you did not use a completely independent forwarder. 193.0.0.202 is configured as a slave for .nl.nl. This slave server for .nl.nl has the authoritative answer for the SIG over nlnetlabs.nl.nl made by .nl.nl. It has no knowledge of the SIG made by nlnetlabs.nl.nl because it is not authoritative for the nlnetlabs.nl.nl zone where that SIG is stored.

* However, using a forwarder, which happens to be also
* authoritative for nlnetlabs.nl.nl, I get:
* - the KEY for nlnetlabs.nl.nl (this is OK)
* - the SIG from the nlnetlabs.nl.nl-KEY over the
*   nlnetlabs.nl.nl-KEY (the self-sig, which is useless for
*   the resolver).
*
* The question I now have is whether I should change the resolver
* to explicitly choose another forwarding server (apart from making
* it much more complicated, it prohibits its use behind a firewall),
* or whether the forwarder should be changed, or the protocol?

This is actually the answer you get from a truly independent forwarder (see below).

I wonder what happens if you ask a forwarder that is authoritative for both .nl.nl and nlnetlabs.nl.nl.... Will one get both SIGs?
(Hey it's Sunday, the experiment has to wait :-) )

If draft-ietf-dnsext-parent-sig-01.txt gets implemented, servers that are authoritative for both child and parent should know from which zone they should hand out their SIG data, or hand out the SIGs from both zones.

For now, I think you should teach your resolver that the parent is authoritative for the SIG and that the chaser should explicitly ask the parent for the SIG over the child's key.

--Olaf

Query to an "independent" forwarder

dig KEY +dnssec nlnetlabs.nl.nl @127.0.0.1

; <<>> DiG 9.1.1 <<>> KEY +dnssec nlnetlabs.nl.nl @127.0.0.1
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35315
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, udp= 4096
;; QUESTION SECTION:
;nlnetlabs.nl.nl.               IN      KEY

;; ANSWER SECTION:
nlnetlabs.nl.nl.        3600    IN      KEY     256 3 1 AQO+IQlM8PmCJ52so8Kf5jVp 4wE3RrgsvR86mNps1/2Ihpw28fdt4BiS yUNIESzCiiNDLpAa9Npgr0Al26pM8VtgQKOuRCdBh/iSVAe qvLxdEqc/ /+x0lXg+EULWvGw76Ec=
nlnetlabs.nl.nl.        3600    IN      SIG     KEY 1 3 3600 20010512110312 20010201110312 15336 nlnetlabs.nl.nl. HBPBgd2ZJ7vMgog12WUPrTC1itT8/1jn9yu2NQzgM7Wdvi c6DWmgO2L6 JMrbZYf/p3hVYK+ApIN2dcx8al1sJTof7PX2b5GWXMCKrmHN8DpIsP4b 1+OxRBur9xtV OJSc

;; AUTHORITY SECTION:
nlnetlabs.nl.nl.        86400   IN      NS      open.nlnetlabs.nl.nl.
nlnetlabs.nl.nl.        86400   IN      NS      omval.tednet.nl.
nlnetlabs.nl.nl.        86400   IN      SIG     NS 1 3 86400 20010524112159 20010424112159 15336 nlnetlabs.nl.nl. UN0YwZSbOBykVEKUhnOPp+f1qj54Pq9VfEMeMuYZUO7cP9 Bei+2wbbTI zRcLzDsF7typKOHVTO9p30aRommkDm1uKh86hu5pZ7srzs78U/9V/wKS LCIpBbVK8R2w kJHf

;; Query time: 529 msec
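Added example, not code from either poster in this thread: given SIG records in the presentation format dig prints, it separates the self-signature a child-authoritative forwarder returns (the "useless" one above) from the parent-zone signature a chaser actually needs, and names the zone the chaser should ask when no parent SIG came back. The answer section is constructed with placeholder signature data, and the "parent is one label up" rule is an assumption that matches nlnetlabs.nl.nl under nl.nl.

```python
from dataclasses import dataclass

# Constructed answer section (dig-style RFC 2535 format); signature data is placeholder text.
SAMPLE_ANSWER = """\
nlnetlabs.nl.nl. 3600 IN KEY 256 3 1 AQO-placeholder-key-data==
nlnetlabs.nl.nl. 3600 IN SIG KEY 1 3 3600 20010512110312 20010201110312 15336 nlnetlabs.nl.nl. self-sig-placeholder==
nlnetlabs.nl.nl. 3600 IN SIG KEY 1 3 3600 20010512110312 20010201110312 4242 nl.nl. parent-sig-placeholder==
nlnetlabs.nl.nl. 86400 IN SIG NS 1 3 86400 20010524112159 20010424112159 15336 nlnetlabs.nl.nl. ns-sig-placeholder==
"""

@dataclass(frozen=True)
class Sig:
    owner: str    # name the signature covers
    covered: str  # RR type covered (KEY, NS, ...)
    signer: str   # zone whose key made the signature

def canon(name: str) -> str:
    return name.rstrip(".").lower()

def parse_sigs(text: str) -> list:
    """Fields: owner TTL class SIG covered alg labels origttl expire incept keytag signer sig."""
    rows = [line.split() for line in text.splitlines()]
    return [Sig(canon(f[0]), f[4], canon(f[11]))
            for f in rows if len(f) >= 12 and f[2] == "IN" and f[3] == "SIG"]

def is_proper_ancestor(parent: str, child: str) -> bool:
    parent, child = canon(parent), canon(child)
    return parent != child and (parent == "" or child.endswith("." + parent))

def classify(sig: Sig) -> str:
    """'self': signed with the owner's own key, no chain step; 'parent': usable by a chaser."""
    if sig.signer == sig.owner:
        return "self"
    return "parent" if is_proper_ancestor(sig.signer, sig.owner) else "foreign"

def sig_key_signers(text: str, owner: str) -> dict:
    """signer -> class for every SIG KEY over `owner` in an answer."""
    owner = canon(owner)
    return {s.signer: classify(s) for s in parse_sigs(text)
            if s.owner == owner and s.covered == "KEY"}

def needs_parent_query(text: str, owner: str) -> bool:
    """True when the answer carries no parent-zone SIG, so the chaser must ask the parent."""
    return "parent" not in sig_key_signers(text, owner).values()

def parent_zone(owner: str) -> str:
    """Assumption: the parent zone is one label up, as with nlnetlabs.nl.nl under nl.nl."""
    return ".".join(canon(owner).split(".")[1:])
```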