Aims

To prepare for the first workshop by identifying issues in the test software and test plan.

Attendees

Ben Laurie (Nominet)
David Blacka (Verisign)
Geoff Sisson (Nominet)
Matt Larson (Verisign)
Peter Koch (DENIC)
Roy Arends (Nominet)

Results

Open Issues in NSEC3 I-D (-04)

  • Closest encloser proof could be clearer
  • Verification of NODATA/NOERROR missing (matching QNAME, no QTYPE)
  • Verification of NODATA/NOERROR missing (matching wildcard, no QTYPE)
  • Generation and verification of positive wildcard response missing
  • NSEC3 bit should not be set in NSEC3 records unless an NSEC3 record exists at the original ownername (rationale: all type bits apply to the original ownername)
  • NSEC3 records with unknown hash types should be ignored. If no NSEC3 records with a hash type known to the resolver are present, the response should be treated as unsigned (rationale: hash type rollover should not prevent resolution in old resolvers)
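Added illustration, not part of the minutes or of any of the tools listed below: a minimal validator-side sketch of the two items above, the closest encloser proof and the "ignore unknown hash types" rule. It assumes the hashing as published in RFC 5155 (SHA-1 over the wire-format name plus salt, iterated, base32hex owner names); whether draft -04 hashed identically is not stated here. Records are plain dicts with owner, next and alg fields, a constructed representation.

```python
import base64
import hashlib

KNOWN_HASH_ALGS = {1}          # 1 = SHA-1; anything else is unknown to this validator
B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                       "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def nsec3_hash(name, salt=b"", iterations=0):
    """Hashed owner name (RFC 5155 form): SHA-1(wire name + salt), iterated, base32hex."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(B32HEX).lower()

def usable_nsec3s(records):
    """Drop NSEC3s whose hash algorithm we do not implement (the rollover rule above)."""
    return [r for r in records if r["alg"] in KNOWN_HASH_ALGS]

def covers(record, hashed):
    """True if 'hashed' lies strictly between owner and next; the chain wraps at the end."""
    owner, nxt = record["owner"], record["next"]
    if owner == nxt:                       # single-record chain covers every other hash
        return hashed != owner
    if owner < nxt:
        return owner < hashed < nxt
    return hashed > owner or hashed < nxt  # last record wraps round to the first

def closest_encloser_proof(qname, records, salt=b"", iterations=0):
    """Walk up from qname until an NSEC3 owner matches (closest encloser), then check
    that the next closer name is covered. Returns (closest_encloser, next_closer) or None.
    None is also returned when no usable NSEC3 exists: caller treats that as unsigned."""
    records = usable_nsec3s(records)
    if not records:
        return None
    owners = {r["owner"] for r in records}
    labels = [l for l in qname.lower().rstrip(".").split(".") if l]
    next_closer = None
    for i in range(len(labels) + 1):       # qname, its parent, ..., the root
        candidate = ".".join(labels[i:]) or "."
        if nsec3_hash(candidate, salt, iterations) in owners:
            if next_closer is None:
                return None                # qname itself exists: not a closest encloser case
            nc_hash = nsec3_hash(next_closer, salt, iterations)
            return (candidate, next_closer) if any(covers(r, nc_hash) for r in records) else None
        next_closer = candidate
    return None
```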

Software Problems

  • Modified BIND 9 dig thinks all NSEC3s are valid, whether they are or not
  • Unlikely to be code complete in BIND authoritative server by workshop 1 (resolution: use Roy's Perl tool, prioritise NSD patches)
  • Issues in Unbound (resolution: David will fix)
  • Wildcard positive and NODATA responses not correctly validated
  • Validator sometimes doesn't return SERVFAIL even if the answer is known to be bogus

Test Plan

Components For Workshop 1

Validating Resolvers

  • Unbound
  • dig (tentative)

Authoritative Servers

  • Packet Server (Roy)
  • Patched NSD

Signers

  • pdnssec-signzone (Packet Server)
  • jdnssec-signzone (Unbound)
  • dnssec-signzone (BIND) (tentative)