[DNSOP] Neither authenticated nor SERVFAIL

Mats Dufberg <mats.dufberg@internetstiftelsen.se> Thu, 09 December 2021 17:16 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/5eEwP3QHEbtEej-h0VxAMGAm7LU>

A validating resolver is expected to either return the AD flag for authenticated data or SERVFAIL for data that cannot be authenticated when answering for data in a signed zone. I have here an example of a signed zone that resolvers return data from that is neither AD set nor SERVFAIL.

If you query for "lindforslaw.se A" you will get an authenticated answer (AD):

; <<>> DiG 9.10.6 <<>> lindforslaw.se A +dns +mult @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13333
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

There is a wildcard record in the zone, and if you query for that you will also get an authenticated answer, as expected.

; <<>> DiG 9.10.6 <<>> *.lindforslaw.se A +dns +mult @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30395
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

(...)

;; ANSWER SECTION:
*.lindforslaw.se. 3408 IN     A 194.9.94.86
*.lindforslaw.se. 3408 IN     A 194.9.94.85
*.lindforslaw.se. 3408 IN     RRSIG A 8 2 3600 (...)

If you query for something that matches that wildcard, e.g. "x.lindforslaw.se A", then AD is not set, but it is not SERVFAIL.

; <<>> DiG 9.10.6 <<>> x.lindforslaw.se A +dns +mult @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10661
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 1

(...)

;; ANSWER SECTION:
x.lindforslaw.se. 3600 IN     A 194.9.94.86
x.lindforslaw.se. 3600 IN     A 194.9.94.85
x.lindforslaw.se. 3600 IN     RRSIG A 8 2 3600 (...)

When data comes from a signed zone, then if the resolver can validate the response, it should set the AD flag, else return a SERVFAIL. Does anyone disagree? Does anyone have an explanation for the behavior?

I get the same responses from different resolvers.


Mats

--
---
Mats Dufberg
mats.dufberg@internetstiftelsen.se
Technical Expert
Internetstiftelsen (The Swedish Internet Foundation)
Mobile: +46 73 065 3899
https://internetstiftelsen.se/
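
An added example, not part of the original message: a Python triage of dig output that sorts a response into authenticated (AD), SERVFAIL, or neither, and flags answers synthesized from a wildcard by comparing the RRSIG Labels field with the owner name (RFC 4034 section 3.1.3). The function and variable names are hypothetical, and the two samples are trimmed from the dig output quoted above.

```python
import re

# Trimmed from the dig output quoted in the message above.
WILDCARD_ITSELF = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30395
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
*.lindforslaw.se. 3408 IN     A 194.9.94.86
*.lindforslaw.se. 3408 IN     RRSIG A 8 2 3600 (...)
"""
WILDCARD_MATCH = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10661
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 1
x.lindforslaw.se. 3600 IN     A 194.9.94.86
x.lindforslaw.se. 3600 IN     RRSIG A 8 2 3600 (...)
"""

def owner_labels(name):
    """Count labels the way the RRSIG Labels field does:
    the root label and a leading '*' label are not counted."""
    labels = [part for part in name.rstrip(".").split(".") if part]
    if labels and labels[0] == "*":
        labels = labels[1:]
    return len(labels)

def triage(dig_text):
    """Return rcode, AD flag, a verdict, and wildcard-expanded owner names."""
    status = re.search(r"status: (\w+)", dig_text)
    flags = re.search(r"flags: ([a-z ]*);", dig_text)
    if not status or not flags:
        raise ValueError("no dig header found")
    rcode, ad = status.group(1), "ad" in flags.group(1).split()
    expanded = []
    for line in dig_text.splitlines():
        f = line.split()
        # Record line: owner TTL class RRSIG covered-type algorithm labels ...
        if len(f) >= 7 and not line.startswith(";") and f[3] == "RRSIG" and f[6].isdigit():
            # Fewer signed labels than owner labels means wildcard expansion.
            if int(f[6]) < owner_labels(f[0]) and f[0] not in expanded:
                expanded.append(f[0])
    if rcode == "SERVFAIL":
        verdict = "servfail"
    else:
        verdict = "authenticated" if ad else "neither"
    return {"rcode": rcode, "ad": ad, "verdict": verdict, "wildcard_expanded": expanded}

if __name__ == "__main__":
    for sample in (WILDCARD_ITSELF, WILDCARD_MATCH):
        print(triage(sample))
```

Only the x.lindforslaw.se response is both without AD and wildcard-expanded; for such an answer a validator must also check the denial-of-existence records in the AUTHORITY section that show no closer match exists (RFC 4035 section 5.3.4).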