DNSSEC Bogus NXDOMAIN survives authenticating RR

Hauke Lampe list+bindusers at hauke-lampe.de
Tue Dec 8 19:25:29 UTC 2009

Niobos wrote:

> As soon as I activate DLV (besides the manual SEP I entered), the "removed" behaviour changes:
> * First lookup still returns SERVFAIL
> * Subsequent lookups now return NXDOMAIN with the AD flag *set*! (log confirms that my domain is not in the DLV and hence is insecure)

That is weird. I haven't seen that before and have no good explanation
at hand.

> Could you try this lookup?
> dig +dnssec removed.dnssec.dest-unreach.be

I see now what you mean.

Even though I have added your DNSKEY as trusted key, I get SERVFAIL on
the first query and NXDOMAIN on the second, without BIND doing any
additional outgoing queries.

One of your name servers returns unsigned NXDOMAIN responses with a
higher serial number than the master server:

| $ dig +dnssec removed.dnssec.dest-unreach.be @sdns1.ovh.net.
| ;; Got answer:
| ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 32510
| ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
| ;; WARNING: recursion requested but not available
| ; EDNS: version: 0, flags: do; udp: 4096
| ;removed.dnssec.dest-unreach.be.	IN	A
| dest-unreach.be.	3600	IN	SOA	serv02.imset.org. hostmaster.dest-unreach.be. 2009111619 3600 3600 604800 3600

serv02.imset.org returns a signed NXDOMAIN response with serial 2009081781.

That corresponds to BIND's error message:

| error (insecurity proof failed) resolving

> Could the problem be that the authenticating RR somehow considers this domain to be insecure when looking up "removed"?

That might well be the case, although I would expect BIND not to return
unsigned queries for names below a manually configured trust anchor.

Maybe others have an idea what's happening here and why BIND returns
NXDOMAIN responses.
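The diagnosis above (one authoritative server handing out an unsigned NXDOMAIN with a serial ahead of the signed master, so the resolver's insecurity proof fails) can be turned into a routine check: query every NS for the zone with `dig +dnssec`, then compare the SOA serials and confirm that each negative answer carries RRSIGs over the SOA and the NSEC/NSEC3 denial. The script below is an added example, not code from the thread or from BIND; the two `dig` outputs it parses are constructed inline, modelled on the responses quoted above (the serials 2009081781 and 2009111619 are the ones in the thread, the RRSIG records and their signature data are placeholders), and `parse_dig` is a minimal parser for `dig`'s text format, not a full one.

```python
"""Cross-check a zone's authoritative servers: do their SOA serials agree
with the master, and are their NXDOMAIN answers actually signed?"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample outputs of `dig +dnssec removed.dnssec.dest-unreach.be @<server>`.
# The first mimics the signed master, the second the lagging secondary that
# returns an unsigned NXDOMAIN with a higher serial. Signatures are placeholders.
SAMPLE_OUTPUTS: Dict[str, str] = {
    "serv02.imset.org.": "\n".join([
        ";; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 11111",
        ";; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1",
        ";removed.dnssec.dest-unreach.be.\tIN\tA",
        "dest-unreach.be.\t3600\tIN\tSOA\tserv02.imset.org. hostmaster.dest-unreach.be. 2009081781 3600 3600 604800 3600",
        "dest-unreach.be.\t3600\tIN\tRRSIG\tSOA 5 2 3600 20100101000000 20091201000000 12345 dest-unreach.be. PLACEHOLDERSIG==",
        "dest-unreach.be.\t3600\tIN\tNSEC\tdnssec.dest-unreach.be. NS SOA RRSIG NSEC DNSKEY",
        "dest-unreach.be.\t3600\tIN\tRRSIG\tNSEC 5 2 3600 20100101000000 20091201000000 12345 dest-unreach.be. PLACEHOLDERSIG==",
    ]),
    "sdns1.ovh.net.": "\n".join([
        ";; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 32510",
        ";; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1",
        ";removed.dnssec.dest-unreach.be.\tIN\tA",
        "dest-unreach.be.\t3600\tIN\tSOA\tserv02.imset.org. hostmaster.dest-unreach.be. 2009111619 3600 3600 604800 3600",
    ]),
}

STATUS_RE = re.compile(r"status: (\w+)")
# SOA rdata: mname rname serial refresh retry expire minimum; capture the serial.
SOA_RE = re.compile(r"^\S+\s+\d+\s+IN\s+SOA\s+\S+\s+\S+\s+(\d+)", re.M)
# Capture the type covered by each RRSIG record (SOA, NSEC, NSEC3, ...).
RRSIG_RE = re.compile(r"^\S+\s+\d+\s+IN\s+RRSIG\s+(\w+)", re.M)


@dataclass
class NegativeAnswer:
    server: str
    status: str
    serial: Optional[int]
    signed_types: Set[str] = field(default_factory=set)


def parse_dig(server: str, text: str) -> NegativeAnswer:
    """Extract rcode, SOA serial and the set of RRSIG-covered types from dig output."""
    status_m = STATUS_RE.search(text)
    soa_m = SOA_RE.search(text)
    return NegativeAnswer(
        server=server,
        status=status_m.group(1) if status_m else "UNKNOWN",
        serial=int(soa_m.group(1)) if soa_m else None,
        signed_types=set(RRSIG_RE.findall(text)),
    )


def audit(master: str, answers: Dict[str, NegativeAnswer]) -> List[Tuple[str, str]]:
    """Return (server, problem) findings; an empty list means all servers agree
    with the master and every NXDOMAIN is signed with a denial-of-existence proof."""
    findings: List[Tuple[str, str]] = []
    ref = answers[master]
    for srv, ans in answers.items():
        if ans.status == "NXDOMAIN" and "SOA" not in ans.signed_types:
            findings.append((srv, "unsigned NXDOMAIN: no RRSIG over the SOA"))
        if ans.status == "NXDOMAIN" and not ({"NSEC", "NSEC3"} & ans.signed_types):
            findings.append((srv, "no signed NSEC/NSEC3 denial of existence"))
        if ans.serial is not None and ref.serial is not None and ans.serial != ref.serial:
            rel = "higher" if ans.serial > ref.serial else "lower"
            findings.append((srv, f"serial {ans.serial} is {rel} than master serial {ref.serial}"))
    return findings


def run_audit(master: str = "serv02.imset.org.") -> List[Tuple[str, str]]:
    """Parse the embedded sample outputs and audit them against the master."""
    answers = {srv: parse_dig(srv, out) for srv, out in SAMPLE_OUTPUTS.items()}
    return audit(master, answers)


if __name__ == "__main__":
    for server, problem in run_audit():
        print(f"{server}: {problem}")
```

In practice the `SAMPLE_OUTPUTS` dict would be replaced by the captured output of `dig +dnssec <name> @<server>` for each NS in the zone's NS set; a secondary that shows up with a serial ahead of the master, or with an NXDOMAIN lacking RRSIGs, is the one to examine for a zone transfer or signing problem before blaming the validating resolver.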
