Re: [DNSOP] How Slack didn't turn on DNSSEC

"libor.peltan" <libor.peltan@nic.cz> Wed, 01 December 2021 10:59 UTC

Message-ID: <e571a533-98f1-4a55-dcbf-9e5f3c9e39d7@nic.cz>
Date: Wed, 01 Dec 2021 11:59:17 +0100
To: Philip Homburg <pch-dnsop-4@u-1.phicoh.com>, dnsop@ietf.org
References: <m1msK9b-0000HrC@stereo.hq.phicoh.net> <C3D5AC3A-CA5A-4F33-8BDA-DDFADD23649C@isc.org> <m1msN8S-0000HPC@stereo.hq.phicoh.net>
From: "libor.peltan" <libor.peltan@nic.cz>
In-Reply-To: <m1msN8S-0000HPC@stereo.hq.phicoh.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/H0dJ9X7oZb21uq9-cXQeSWIk3WI>
Subject: Re: [DNSOP] How Slack didn't turn on DNSSEC

Hi Philip,

On 01. 12. 21 at 11:46, Philip Homburg wrote:
>
> qqq.slackexperts.com.   2370    IN      NSEC    \000.qqq.slackexperts.com. RRSIG NSEC
>
> This is returned in response to an AAAA query. The intent was that the NSEC
> record should have the 'A' bit as well.
>
> What exactly do Knot and Unbound ignore in this case?
>
They do not ignore the record when processing the answer.

What they don't do is store this NSEC record in their cache and use it 
to craft other negative responses for subsequent queries without 
re-querying the authoritative server.

Libor
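To illustrate the distinction Libor draws, here is an added example (not code from this thread, nor from Knot Resolver or Unbound, whose actual heuristics it does not reproduce): a toy cache that either reuses a validated NSEC for later queries (RFC 8198 aggressive use) or re-queries upstream, fed the NSEC record quoted above. The `NSEC`, `resolve` and `demo` names and the simplified canonical-order and denial logic are constructed here; the only input taken from the thread is the record itself.

```python
# Added example (not Knot Resolver/Unbound code): RFC 8198 aggressive NSEC
# reuse versus re-querying, applied to the NSEC record quoted above.
from dataclasses import dataclass

@dataclass(frozen=True)
class NSEC:
    owner: str          # owner name, e.g. "qqq.slackexperts.com."
    next_name: str      # next owner name in canonical order
    types: frozenset    # type bitmap as RR type mnemonics

def labels(name):
    """Lowercase octet-string labels, root side first (RFC 4034 s6.1)."""
    out = []
    for label in [p for p in name.rstrip(".").split(".") if p]:
        while "\\" in label:   # decode numeric escapes only: "\000" -> 0x00
            i = label.index("\\")
            label = label[:i] + chr(int(label[i + 1:i + 4])) + label[i + 4:]
        out.append(label.lower().encode("latin-1"))
    return out[::-1]

def canonical_lt(a, b):
    """True if name a sorts strictly before name b in canonical order."""
    return labels(a) < labels(b)   # list compare: label by label, prefix first

def nsec_denies(nsec, qname, qtype):
    """'NODATA', 'NXDOMAIN' or None; ignores the last NSEC's wrap to the apex."""
    if labels(nsec.owner) == labels(qname):
        return None if qtype in nsec.types else "NODATA"
    if canonical_lt(nsec.owner, qname) and canonical_lt(qname, nsec.next_name):
        return "NXDOMAIN"
    return None

def resolve(cache, aggressive, qname, qtype):
    """Aggressive: synthesize from cached NSECs. Otherwise re-query upstream."""
    if aggressive:
        for nsec in cache:
            proof = nsec_denies(nsec, qname, qtype)
            if proof:
                return ("synthesized", proof)
    return ("upstream", None)

# Constructed from the quoted record: its bitmap lacks A though the name has an A record.
SLACK_NSEC = NSEC("qqq.slackexperts.com.", "\\000.qqq.slackexperts.com.",
                  frozenset({"RRSIG", "NSEC"}))

def demo():
    """Later A query: the aggressive resolver wrongly synthesizes NODATA."""
    cache = [SLACK_NSEC]   # both resolvers validated the same AAAA response
    return (resolve(cache, True, "qqq.slackexperts.com.", "A"),
            resolve(cache, False, "qqq.slackexperts.com.", "A"))
```

The minimally covering next name `\000.qqq.slackexperts.com.` means the record denies nothing below `qqq`, so the only damage an aggressive cache can do with it is the NODATA for `qqq` itself.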