Re: [DNSOP] Unexpected REFUSED from BIND when using example config from RFC7706

Paul Vixie <> Fri, 07 April 2017 02:01 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 681641294A2 for <>; Thu, 6 Apr 2017 19:01:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id NEtsMOqtwxAy for <>; Thu, 6 Apr 2017 19:01:43 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 9A121124D6C for <>; Thu, 6 Apr 2017 19:01:43 -0700 (PDT)
Received: from linux-hs2j.localnet ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by (Postfix) with ESMTPSA id AFBC261F9C; Fri, 7 Apr 2017 02:01:41 +0000 (UTC)
From: Paul Vixie <>
Date: Fri, 07 Apr 2017 02:01:40 +0000
Message-ID: <1560750.L0Fn6CvLxk@linux-hs2j>
Organization: Vixie Freehold
In-Reply-To: <f321b974-2149-478d-9b63-a19d10ed013e@Spark>
References: <> <2448193.4rPzoQ60ob@linux-hs2j> <f321b974-2149-478d-9b63-a19d10ed013e@Spark>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="nextPart82869878.r0rjZrIh4N"
Content-Transfer-Encoding: 7bit
Archived-At: <>
Subject: Re: [DNSOP] Unexpected REFUSED from BIND when using example config from RFC7706
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 07 Apr 2017 02:01:46 -0000

On Friday, April 7, 2017 12:51:40 AM GMT David Conrad wrote:
> Paul,
> On Apr 6, 2017, 2:24 PM -1000, Paul Vixie <>, wrote:
> > the proviso is, RFC 7706 is also completely unsuitable for non-hardcore or
> > non-experienced or non-protocol-geeks;
> ... This strikes me as a bit more complicated than 7706. YMMV.

yes, it does.

> > and both approaches are appropriate only for closed internal networks
> > where the configuration is controlled by a single administration.
> If I set up an open resolver using 7706, what negative repercussions do you
> see?

you'll need some name server features that aren't otherwise standardized, and maybe a 
patch or two. in my preferred approach, you just load a zone, because all of the special 
logic is outside of the name server and its configuration.

> > the misstatement is, dnssec's purpose is not defeated, because iana's
> > signatures are checked before the zone is accepted, and new signatures
> > are added using local keys before publication.
> Meaningless given you are explicitly editing the zone as published from and
> signed by the authority.

i hear you say meaningless, but i know that you know the difference between a name 
space and a zone that implements that namespace, and i know you've read my 
explainations about the importance of that distinction. it's not meaningless.

> You claim you aren't modifying the namespace
> content (well, except for the root NSes), ...

what is namespace content? i know namespaces, and i know zone content.

> but the point of DNSSEC and the
> rather Byzantine structures we've built around establishing trust is that
> we don't have to believe you: you can see _everything_ having to do with
> creating the trust anchor and everything down to the leaf.

that point is not lost. dig +trace +dnssec works as expected. transitive trust is a real thing: 
if i trust where i got the data, because i verified the signatures, and i trust my own keys 
and signatures, then trading one set of trust anchors and signatures for another lost me 
no root-to-leaf trust, in the eyes of my target audience, who is in the case of my laptop, 

> The only advantage(?) I see in your approach is that is allows (forces) you
> to play around with the namespace and re-sign.

it plays around with the zone content. not the namespace.

> Might be useful for neo maxi
> zoom DNSSEC nerd experimentation, however as mentioned previously, that
> doesn't strike me as something one might recommend lightheartedly.

note that since many enterprise networks do augment the iana namespace for internal 
use (creating problems like .home and .corp collisions), there is often a loss of dnssec 
integrity. my approach is one way to retain dnssec integrity in that situation, and has not 
been recommended lightheartedly.

> > for my many-vm's laptop environment, running on a loopback isn't a
> > solution.
> I strongly suspect you could come up with a solution that didn't use
> loopback but which also didn't require modifying the root zone, resigning
> it, and getting all relying devices to use both your NS hints and trust
> anchor. Like, perhaps running on a non-loopback address within your flock
> of laptop VMs?

i do run on a non-loopback address within my vm-local network. but unless i pirate the 
addresses of all the real root name servers (which i won't do), or re-sign the iana content 
with a local NS RRset and trust anchoe (which i am doing), then cache priming is going to 
cause my hints to be ignored by the other rdns servers local to me.

note that very few people will ever run multiple rdns servers inside a laptop. i am not 
suggesting that my use case is or will ever be common. but it works.

at a slightly broader scale, for instance my home network, it would also work. however, i'm 
using the yeti system here, so i can't experiment separately.

at enterprise scale, or metro or region or national scale, it would also work.

as you know i've suggested for some time now that iana build and sign a second root 
zone, having the same name space (which is regulated by icann and ietf) but having a 
different apex NS RRset (which i think can be regulated differently.) iana is in a perfect 
position to sign its zone using NS RR's and associated AAAA RR's that lead to addresses i 
*would* be willing to pirate. this is also called "the AS112 unowned anycast approach".

if i could slave an iana-signed zone on my laptop that already had pirateable IP addresses 
reached by hints and the apex NS RRset, i would not need Perl to do what i'm doing. and i 
would be using the iana trust anchor. and it would be a configuration that i would 
recommend for all internet users.

sadly, a lot of people saying that "the namespace and the zone are the same thing" has 
kept that door pretty well closed. so, here i am with Perl instead.

> >
> Saw that a year ago and still think it post-hoc rationalization and
> specious, but I'm sure that's just me.

i am also sure that it's just you, because those principles were documented by the yeti 
project before it served its first request.