DNSSEC Bogus NXDOMAIN survives authenticating RR
Hauke Lampe
list+bindusers at hauke-lampe.de
Tue Dec 8 14:18:49 UTC 2009
Niobos wrote:
> When requesting a lookup of "removed", I get a SERVFAIL as well. However, every subsequent request for "removed" gets an NXDOMAIN. (dig outputs below)
> Flushing the caches on the RR with "rndc flush" causes the first request to be a SERVFAIL again.
I cannot reproduce this behaviour with BIND 9.7.0b3. I get a SERVFAIL
for all lookups to changed/removed records.
Maybe you can try these with 9.6.1-P1:
dig +dnssec normal.fnord.dnstest.hauke-lampe.de
should return 127.0.0.1 and the AD flag (if you use DLV with either
dlv.isc.org or dnssec.iks-jena.de).
dig +dnssec changed.fnord.dnstest.hauke-lampe.de
should return SERVFAIL and log "error (no valid RRSIG)" for the A record.
dig +dnssec removed.fnord.dnstest.hauke-lampe.de
should return SERVFAIL and log validation failures for the SOA as well
as the A record (because removing the record disrupted the NSEC3 chain).
Hauke.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: OpenPGP digital signature
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20091208/201e5ea7/attachment.bin>
More information about the bind-users
mailing list