[Discuss] DNSSEC

Derek Atkins warlord at MIT.EDU
Sun Dec 7 15:00:18 EST 2014


"Edward Ned Harvey (blu)" <blu at nedharvey.com> writes:

> In short, the question is:
>
> What is the behavior of an old dns caching server, when it receives a
> client query for record types that it is too old to understand?  Is it
> able to dumbly relay that query upstream, and dumbly relay the
> response back?
>
> The answer to this question essentially determines whether or not
> DNSSEC is broken.

The answer is "it depends on the caching server", however in my hasty
tests it looks like servers even as old as 2009 (e.g. Bind 9.6.1)
support DNSSEC pass through.  E.g.:

  dig @old-server verisignlabs.com +dnssec

gives me RRSIG results.  This is as it should be.

Obviously YMMV, but DNS is designed so that a caching server does not
need to fully understand the contents of RRs in order to request, cache,
or serve them.  However there are some specific DNSSEC processing
requirements, so very old DNSSEC-unaware caching servers may not
properly send RRSIGs in the authority section properly.

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord at MIT.EDU                        PGP key available



More information about the Discuss mailing list