[Pdns-dev] Auth server 3.0.1 not handling DS queries properly
Ask Bjørn Hansen
ask at develooper.com
Sat Feb 25 09:52:03 CET 2012
On Feb 24, 2012, at 5:52, Peter van Dijk wrote:
>> This renders insecure delegations bogus. Unless I'm overlooking
>> something here, this needs to be fixed ASAP.
> In addition to my previous mail, the other user sent me the attached patch. I am not entirely sure it is correct, but it may help in your situation. It consists of two hunks; the first hunk looks good to me; I'm unsure about the second.
I tried applying the patch to one of my NS'es; it doesn't seem to set the aa flag still. The only difference (I could spot) from 3.0.1 is that the NS records are not included when querying for the DS (I'm guessing that's an improvement).
I couldn't get the bootstrap stuff to generate a proper configure file, so I used the pdns-3.1-pre.20120219.2415 snapshot (plus the patch you sent).
$ dig +norec +dnssec -t ds l.develooper.org @126.96.36.199
; <<>> DiG 9.3.6-P1-RedHat-9.3.6-20.P1.el5 <<>> +norec +dnssec -t ds l.develooper.org @188.8.131.52
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51399
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 2800
;; QUESTION SECTION:
;l.develooper.org. IN DS
;; AUTHORITY SECTION:
l.develooper.org. 172800 IN NSEC www.develooper.org. NS RRSIG NSEC
l.develooper.org. 172800 IN RRSIG NSEC 8 3 172800 20120308000000 20120223000000 50380 develooper.org. Njz+JFzFm5X3aWxqYIllrQE3SdzxzS/9pwHo5npsjWT5J7pIDoRSc4Pw efxXNDR++yrnqlT3AuWWq3gkUM9YYYf72kxOGgaOmUUbGCWQrulcakS2 TZIV+uKz5RfnGgsEisWBlnATCLylZsRQJ2mZI0SGV3N2IbryVeuokZmV 6w8=
;; Query time: 86 msec
;; SERVER: 184.108.40.206#53(220.127.116.11)
;; WHEN: Sat Feb 25 00:48:46 2012
;; MSG SIZE rcvd: 259
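As an added illustration of what the dig output above means for a validating resolver (my own example code, not PowerDNS code or anything posted in this thread), the following Python builds a DS response in wire format with the same shape as the reply above and classifies it the way a validator would. The NSEC/RRSIG/OPT rdata bytes are constructed filler, not the real records.

```python
import struct
QR, AA = 0x8000, 0x0400                                   # header flag bits, RFC 1035
TYPE_OPT, TYPE_DS, TYPE_RRSIG, TYPE_NSEC, TYPE_NSEC3 = 41, 43, 46, 47, 50

def encode_name(name):  # presentation name -> uncompressed wire name
    return b"\x00" if name in ("", ".") else b"".join(
        bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def skip_name(wire, off):  # advance past a wire name; a compression pointer is 2 bytes
    while wire[off] and wire[off] & 0xC0 != 0xC0:
        off += 1 + wire[off]
    return off + (2 if wire[off] & 0xC0 == 0xC0 else 1)

def build_response(flags, qname, qtype, answer=(), authority=(), additional=()):
    # RRs are (owner, type, rdata) tuples; class IN and TTL 172800 as in the post's output
    msg = struct.pack("!6H", 51399, flags, 1, len(answer), len(authority), len(additional))
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    for owner, rtype, rdata in (*answer, *authority, *additional):
        msg += encode_name(owner) + struct.pack("!HHIH", rtype, 1, 172800, len(rdata)) + rdata
    return msg

def parse_response(wire):
    # Returns (header flags, [(section, rtype), ...]) for every RR in the message
    _, flags, qd, an, ns, ar = struct.unpack("!6H", wire[:12])
    off, rrs = 12, []
    for _ in range(qd):
        off = skip_name(wire, off) + 4          # QTYPE + QCLASS
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            off = skip_name(wire, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", wire[off:off + 10])
            off += 10 + rdlen
            rrs.append((section, rtype))
    return flags, rrs

def classify_ds_response(wire):
    # A validator needs an authoritative parent answer: the DS RRset, or an NSEC/NSEC3 denial of DS
    flags, rrs = parse_response(wire)
    if not flags & AA:
        return "not-authoritative"   # the 3.0.1 symptom: the delegation ends up treated as bogus
    if any(s == "answer" and t == TYPE_DS for s, t in rrs):
        return "secure-delegation"
    if any(s == "authority" and t in (TYPE_NSEC, TYPE_NSEC3) for s, t in rrs):
        return "insecure-delegation"
    return "no-denial-proof"

# Constructed sample shaped like the dig output above: qr set but aa missing, NSEC + RRSIG
# in AUTHORITY and an OPT record in ADDITIONAL (rdata bytes are filler, not real records).
DENIAL = [("l.develooper.org", TYPE_NSEC, b"\x00" * 24), ("l.develooper.org", TYPE_RRSIG, b"\x00" * 18)]
BROKEN = build_response(QR, "l.develooper.org", TYPE_DS, authority=DENIAL, additional=[(".", TYPE_OPT, b"")])
FIXED = build_response(QR | AA, "l.develooper.org", TYPE_DS, authority=DENIAL, additional=[(".", TYPE_OPT, b"")])
```

`classify_ds_response(BROKEN)` reports the missing aa flag, while the same message with aa set is accepted as an insecure-delegation proof.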