DNSSEC Bogus NXDOMAIN survives authenticating RR

Hauke Lampe list+bindusers at hauke-lampe.de
Tue Dec 8 14:18:49 UTC 2009

Niobos wrote:

> When requesting a lookup of "removed", I get a SERVFAIL as well. However, every subsequent request for "removed" gets an NXDOMAIN. (dig outputs below)
> Flushing the caches on the RR with "rndc flush" causes the first request to be a SERVFAIL again.

I cannot reproduce this behaviour with BIND 9.7.0b3. I get a SERVFAIL
for all lookups to changed/removed records.

Maybe you can try these with 9.6.1-P1:

dig +dnssec normal.fnord.dnstest.hauke-lampe.de
should return an answer with the AD flag set (if you use DLV with either
dlv.isc.org or dnssec.iks-jena.de).

dig +dnssec changed.fnord.dnstest.hauke-lampe.de
should return SERVFAIL and log "error (no valid RRSIG)" for the A record.

dig +dnssec removed.fnord.dnstest.hauke-lampe.de
should return SERVFAIL and log validation failures for the SOA as well
as the A record (because removing the record disrupted the NSEC3 chain).


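An added example, not part of Hauke's mail nor any BIND tooling: a small POSIX shell script that turns the three checks above into something repeatable. classify_dig reads the header of a `dig +dnssec` run and reports whether the answer validated (AD flag), came back without validation, or was SERVFAIL; probe queries a name twice, normally and with +cd (checking disabled), so that a SERVFAIL caused by rejected data (no valid RRSIG, broken NSEC3 chain) can be told apart from an upstream outage. The function names, the default resolver 127.0.0.1 and the three sample dig headers are my own constructions, not captures from the dnstest zone in the mail.

```shell
#!/bin/sh
# Added example (not from the mail or from BIND): classify `dig +dnssec` results
# and probe a name with and without +cd. Names, resolver and samples are assumed.

# classify_dig DIG_OUTPUT
# Prints one of:
#   validated:NOERROR | validated:NXDOMAIN     status plus AD flag (validated)
#   unvalidated:NOERROR | unvalidated:NXDOMAIN no AD flag (unsigned zone, +cd,
#                                              or a resolver that did not validate)
#   servfail                                   validation failure or upstream problem
#   unparsed                                   no ;; ->>HEADER<<- line found
# An unvalidated:NXDOMAIN for a name in a signed zone, from a resolver that
# normally validates it, is the symptom reported at the top of this thread.
classify_dig() {
    out=$1
    status=$(printf '%s\n' "$out" \
        | sed -n 's/^;; ->>HEADER<<- .*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$out" \
        | sed -n 's/^;; flags:\([a-z ]*\);.*/\1/p' | head -n 1)
    case "$status" in
        "")       echo unparsed ;;
        SERVFAIL) echo servfail ;;
        NOERROR|NXDOMAIN)
            case " $flags " in
                *" ad "*) echo "validated:$status" ;;
                *)        echo "unvalidated:$status" ;;
            esac ;;
        *)        echo "other:$status" ;;
    esac
}

# probe NAME [RESOLVER]
# Queries twice: normally and with +cd. SERVFAIL normally but an answer with
# +cd means the resolver rejected the data as bogus; SERVFAIL both ways points
# at the authoritative side or the network. Needs a live resolver, so it is
# not called below.
probe() {
    name=$1
    res=${2:-127.0.0.1}   # assumed: a validating resolver on localhost
    normal=$(classify_dig "$(dig +dnssec "$name" "@$res")")
    cdres=$(classify_dig "$(dig +dnssec +cd "$name" "@$res")")
    case "$normal/$cdres" in
        servfail/validated:*|servfail/unvalidated:*)
            echo "$name: bogus (validation failure, data available with +cd)" ;;
        servfail/servfail)
            echo "$name: SERVFAIL even with +cd (upstream or lame delegation)" ;;
        *)
            echo "$name: $normal (with +cd: $cdres)" ;;
    esac
}

# Constructed sample headers, not real captures of the test zone in the mail.
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_CACHED_NX=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4713
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1'

# Stand-alone demo over the constructed samples (no network needed):
for s in "$SAMPLE_OK" "$SAMPLE_BOGUS" "$SAMPLE_CACHED_NX"; do
    printf '%s -> %s\n' "$(printf '%s\n' "$s" | head -n 1)" "$(classify_dig "$s")"
done
```

To reproduce Hauke's three checks against a real resolver, source the script and run `probe normal.fnord.dnstest.hauke-lampe.de`, `probe changed.fnord.dnstest.hauke-lampe.de` and `probe removed.fnord.dnstest.hauke-lampe.de`, then compare with the resolver's log: the +cd query succeeding while the plain query fails is the resolver's own verdict that the data is bogus, not a reachability problem.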