BLU Discuss list archive
[Discuss] DNSSEC
- Subject: [Discuss] DNSSEC
- From: warlord at MIT.EDU (Derek Atkins)
- Date: Sun, 07 Dec 2014 15:00:18 -0500
- In-reply-to: <BN3PR0401MB1204C901B13FCEA99015C7F0DC670@BN3PR0401MB1204.namprd04.prod.outlook.com> (Edward Ned Harvey's message of "Sun, 7 Dec 2014 16:12:10 +0000")
- References: <BN3PR0401MB1204647CA6E7523747D3077FDC670@BN3PR0401MB1204.namprd04.prod.outlook.com> <BN3PR0401MB1204C901B13FCEA99015C7F0DC670@BN3PR0401MB1204.namprd04.prod.outlook.com>
"Edward Ned Harvey (blu)" <blu at nedharvey.com> writes:

> In short, the question is:
>
> What is the behavior of an old dns caching server, when it receives a
> client query for record types that it is too old to understand? Is it
> able to dumbly relay that query upstream, and dumbly relay the
> response back?
>
> The answer to this question essentially determines whether or not
> DNSSEC is broken.

The answer is "it depends on the caching server", however in my hasty
tests it looks like servers even as old as 2009 (e.g. Bind 9.6.1)
support DNSSEC pass through. E.g.:

  dig @old-server verisignlabs.com +dnssec

gives me RRSIG results. This is as it should be.

Obviously YMMV, but DNS is designed so that a caching server does not
need to fully understand the contents of RRs in order to request, cache,
or serve them. However there are some specific DNSSEC processing
requirements, so very old DNSSEC-unaware caching servers may not
properly send RRSIGs in the authority section properly.

-derek

--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/
PP-ASEL-IA N1NWH
warlord at MIT.EDU
PGP key available
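An added example, not part of the original message or of any DNS server's code: the query that `dig +dnssec` sends (an EDNS0 OPT record with the DO bit set) and a check that counts RRSIG records per section of a response while treating all RDATA as opaque bytes, which is the pass-through property the message describes. The function names and the `example.test` sample response are constructed for illustration; the RRSIG RDATA in the sample is placeholder bytes, not a real signature.

```python
import struct

RRSIG, OPT = 46, 41  # RR type codes (RFC 4034, RFC 6891)

def encode_name(name):
    labels = [l.encode() for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def build_query(name, qtype=1, qid=0x1234):
    """Query carrying an EDNS0 OPT record with the DO (DNSSEC OK) bit set."""
    header = struct.pack("!6H", qid, 0x0100, 1, 0, 0, 1)  # RD, 1 question, 1 additional
    question = encode_name(name) + struct.pack("!2H", qtype, 1)
    # OPT RR: root name, type 41, class = UDP size, TTL field holds flags (DO = 0x8000)
    opt = b"\x00" + struct.pack("!HHIH", OPT, 4096, 0x00008000, 0)
    return header + question + opt

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:      # compression pointer: two bytes, name ends here
            return off + 2
        if n == 0:                # root label terminates the name
            return off + 1
        off += 1 + n

def rrsig_counts(msg):
    """Count RRSIG records in each section without interpreting any RDATA."""
    _, _, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    counts = {}
    for section, n in (("answer", an), ("authority", ns), ("additional", ar)):
        counts[section] = 0
        for _ in range(n):
            off = skip_name(msg, off)
            rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)
            off += 10 + rdlen                  # RDATA skipped as opaque bytes
            counts[section] += rtype == RRSIG
    return counts

def sample_response(with_rrsig=True):
    """Constructed response for example.test: one A record, optionally one RRSIG."""
    q = encode_name("example.test") + struct.pack("!2H", 1, 1)
    a = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    sig = b"\xc0\x0c" + struct.pack("!HHIH", RRSIG, 1, 300, 8) + b"\x00" * 8
    rrs = a + (sig if with_rrsig else b"")
    return struct.pack("!6H", 0x1234, 0x8180, 1, 1 + with_rrsig, 0, 0) + q + rrs
```

A response from a cache that strips signatures shows up as zero RRSIG counts in every section even though the query had DO set.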