DNSSEC Bogus NXDOMAIN survives authenticating RR
Hauke Lampe
list+bindusers at hauke-lampe.de
Tue Dec 8 19:25:29 UTC 2009
Niobos wrote:
> As soon as I activate DLV (besides the manual SEP I entered), the "removed" behaviour changes:
> * First lookup still returns SERVFAIL
> * Subsequent lookups now return NXDOMAIN with the AD flag *set*! (log confirms that my domain is not in the DLV and hence is insecure)
That is weird. I haven't seen that before and have no good explanation
at hand.
> Could you try this lookup?
> dig +dnssec removed.dnssec.dest-unreach.be
I see now what you mean.
Even though I have added your DNSKEY as trusted key, I get SERVFAIL on
the first query and NXDOMAIN on the second, without BIND doing any
additional outgoing queries.
One of your name servers returns unsigned NXDOMAIN responses with a
higher serial number than the master server:
| $ dig +dnssec removed.dnssec.dest-unreach.be @sdns1.ovh.net.
|
| ;; Got answer:
| ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 32510
| ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
| ;; WARNING: recursion requested but not available
|
| ;; OPT PSEUDOSECTION:
| ; EDNS: version: 0, flags: do; udp: 4096
| ;; QUESTION SECTION:
| ;removed.dnssec.dest-unreach.be. IN A
|
| ;; AUTHORITY SECTION:
| dest-unreach.be. 3600 IN SOA serv02.imset.org. hostmaster.dest-unreach.be. 2009111619 3600 3600 604800 3600
serv02.imset.org returns a signed NXDOMAIN response with serial 2009081781.
That corresponds to BIND's error message:
| error (insecurity proof failed) resolving 'removed.dnssec.dest-unreach.be/A/IN': 213.251.188.140#53
> Could the problem be that the authenticating RR somehow considers this domain to be insecure when looking up "removed"?
That might well be the case, although I would expect BIND not to return
unsigned queries for names below a manually configured trust anchor.
Maybe others have an idea what's happening here and why BIND returns
NXDOMAIN responses.
Hauke.
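Added example, not part of the thread and not code from either poster: a small Python checker for the situation discussed above, where one authoritative server answers NXDOMAIN without signatures while the signed master carries a different serial. It parses the text that `dig +dnssec` prints, pulls out the RCODE, the SOA serial from the AUTHORITY section and whether any RRSIG came back, then reports where the servers disagree. The two dig transcripts embedded below are constructed and modelled on the outputs quoted in the thread; the RRSIG and NSEC lines attributed to serv02.imset.org are placeholders, not real records.

```python
"""Compare authoritative servers' dig +dnssec answers for one name.

Constructed example. A validating resolver needs a signed denial of
existence (NSEC/NSEC3 plus RRSIG) or a signed proof that the name is in
an insecure delegation. A secondary that serves an unsigned copy of the
zone, possibly with a serial the signed master never published, produces
answers the validator can only reject ("insecurity proof failed").
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class DigSummary:
    server: str
    status: str               # RCODE text from the header, e.g. NXDOMAIN
    serial: Optional[int]     # SOA serial seen in the AUTHORITY section
    signed: bool              # at least one RRSIG record in the response
    do_bit: bool              # server echoed EDNS "flags: do"


def parse_dig(server: str, text: str) -> DigSummary:
    """Extract the fields needed for a cross-server DNSSEC consistency check."""
    m = re.search(r"status: ([A-Z]+)", text)
    status = m.group(1) if m else "UNKNOWN"
    # \s+ also spans a line break, so a mail-wrapped SOA line still parses.
    soa = re.search(r"\bIN\s+SOA\s+\S+\s+\S+\s+(\d+)", text)
    serial = int(soa.group(1)) if soa else None
    signed = re.search(r"\bIN\s+RRSIG\b", text) is not None
    do_bit = re.search(r"EDNS: version: \d+, flags: do", text) is not None
    return DigSummary(server, status, serial, signed, do_bit)


def check_consistency(summaries: List[DigSummary]) -> Dict[str, List[str]]:
    """Return finding-code -> affected servers for answers that disagree."""
    findings: Dict[str, List[str]] = {}

    def note(code: str, who: str) -> None:
        findings.setdefault(code, []).append(who)

    serials = {s.serial for s in summaries if s.serial is not None}
    if len(serials) > 1:
        for s in summaries:
            note("serial-mismatch", f"{s.server}={s.serial}")
    any_signed = any(s.signed for s in summaries)
    newest = max(serials) if serials else None
    for s in summaries:
        # DO was set and some server signs, yet this one answered bare:
        # a validator cannot build a proof from this response.
        if any_signed and s.do_bit and not s.signed:
            note("unsigned-answer", s.server)
            if len(serials) > 1 and s.serial == newest:
                note("unsigned-copy-newer-than-signed", s.server)
    return findings


# Constructed transcript modelled on the quoted sdns1.ovh.net answer:
# unsigned NXDOMAIN, serial 2009111619.
DIG_SDNS1 = """
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 32510
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;removed.dnssec.dest-unreach.be. IN A

;; AUTHORITY SECTION:
dest-unreach.be. 3600 IN SOA serv02.imset.org.
hostmaster.dest-unreach.be. 2009111619 3600 3600 604800 3600
"""

# Constructed transcript for the master: signed NXDOMAIN, serial 2009081781.
# The RRSIG and NSEC records are placeholders, not real data.
DIG_SERV02 = """
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4711
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;removed.dnssec.dest-unreach.be. IN A

;; AUTHORITY SECTION:
dest-unreach.be. 3600 IN SOA serv02.imset.org. hostmaster.dest-unreach.be. 2009081781 3600 3600 604800 3600
dest-unreach.be. 3600 IN RRSIG SOA 5 2 3600 20091231000000 20091201000000 12345 dest-unreach.be. PLACEHOLDERSIG==
dnssec.dest-unreach.be. 3600 IN NSEC www.dest-unreach.be. A RRSIG NSEC
dnssec.dest-unreach.be. 3600 IN RRSIG NSEC 5 3 3600 20091231000000 20091201000000 12345 dest-unreach.be. PLACEHOLDERSIG==
"""


if __name__ == "__main__":
    answers = [parse_dig("sdns1.ovh.net", DIG_SDNS1),
               parse_dig("serv02.imset.org", DIG_SERV02)]
    for code, servers in check_consistency(answers).items():
        print(f"{code}: {', '.join(servers)}")
```

In practice you would feed it the output of `dig +dnssec <name> @<server>` for every NS of the zone; an `unsigned-answer` finding alone already explains a validator's SERVFAIL, and `unsigned-copy-newer-than-signed` points at a secondary that is being fed from somewhere other than the signed master.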