DNSSEC Bogus NXDOMAIN survives authenticating RR

Niobos niobos at dest-unreach.be
Wed Dec 9 08:40:38 UTC 2009


>> Could you try this lookup?
>> dig +dnssec removed.dnssec.dest-unreach.be
> 
> I see now what you mean.
> 
> Even though I have added your DNSKEY as trusted key, I get SERVFAIL on
> the first query and NXDOMAIN on the second, without BIND doing any
> additional outgoing queries.
This is the same behavior I'm observing.

> One of your name servers returns unsigned NXDOMAIN responses with a
> higher serial number than the master server:
I didn't configure the zone by the book; I corrected that now, but the results remain the same.

> serv02.imset.org returns a signed NXDOMAIN response with serial 2009081781.
> 
> That corresponds to BIND's error message:
> 
> | error (insecurity proof failed) resolving
> 'removed.dnssec.dest-unreach.be/A/IN': 213.251.188.140#53
The response is indeed signed, but the signature should *fail* validation, since there is no covering NSEC3 for the looked-up record.
Do I understand the error correctly like this: BIND failed to prove the domain to be insecure, hence, the NXDOMAIN response should have a correct signature, hence, the response it got is bogus?

>> Could the problem be that the authenticating RR somehow considers this domain to be insecure when looking up "removed"?
> 
> That might well be the case, although I would expect BIND not to return
> unsigned queries for names below a manually configured trust anchor.
I removed DLV-validation and manually added your KSK DNSKEY as a SEP, without change in behavior: removed.fnord.dnstest.hauke-lampe.de keeps returning SERVFAIL (as it should).
It seems that my resolver is configured identically for both my and your domain; so it's possibly some difference in the served zone that causes this behaviour.
What did you change for the "removed" record? Did you remove only the A and RRSIG? Or also the corresponding NSEC3?
Attached is my full (signed) zone file. It's a test zone anyway, so I don't think this is a security issue.
A non-text attachment was scrubbed...
Name: dnssec.dest-unreach.be.zone.signed
Type: application/octet-stream
Size: 4957 bytes
Desc: not available
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20091209/cfebba11/attachment.obj>


> Maybe others have an idea what's happening here and why BIND returns
> NXDOMAIN responses.
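The question at the end of the message (whether the NSEC3 for "removed" was deleted along with the A and its RRSIG) is exactly what a validator's denial-of-existence check turns on: a signed NXDOMAIN is only valid when the queried name is *covered* by an NSEC3 interval, not when it still *matches* an NSEC3 owner. As an added example, not code from this thread or from BIND, the following Python implements the RFC 5155 NSEC3 hash and the NXDOMAIN proof check over a small constructed chain; the salt and iteration count are assumed, since the zone's NSEC3PARAM is not shown in the message.

```python
import base64
import hashlib

# Added example (not from the thread or BIND): RFC 5155 NSEC3 hashing and the
# NXDOMAIN proof a validator applies. Salt/iterations are assumed parameters.
_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                        "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def nsec3_hash(name, salt=b"", iterations=0):
    """RFC 5155 s5: SHA-1 over wire-format name || salt, iterated; base32hex out."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32HEX).lower()

def build_chain(names, salt=b"", iterations=0):
    """NSEC3 chain as (owner hash, next hash) pairs for the names in the zone."""
    hashes = sorted(nsec3_hash(n, salt, iterations) for n in names)
    return [(hashes[i], hashes[(i + 1) % len(hashes)]) for i in range(len(hashes))]

def classify(name, chain, salt=b"", iterations=0):
    """'matches' if an NSEC3 owner equals H(name), 'covered' if an interval spans it."""
    h = nsec3_hash(name, salt, iterations)
    for owner, nxt in chain:
        if owner == h:
            return "matches"
        # last record wraps around to the first owner; a single record covers all
        if owner == nxt or owner < h < nxt or (nxt < owner and (h > owner or h < nxt)):
            return "covered"
    return "no proof"

def nxdomain_proof(qname, chain, salt=b"", iterations=0):
    """RFC 5155 s8.4: closest encloser matches, next closer and wildcard are covered."""
    if classify(qname, chain, salt, iterations) == "matches":
        return False, "NSEC3 for the name still exists: NXDOMAIN is bogus"
    labels = qname.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        closest, next_closer = ".".join(labels[i:]), ".".join(labels[i - 1:])
        if classify(closest, chain, salt, iterations) != "matches":
            continue
        if classify(next_closer, chain, salt, iterations) != "covered":
            return False, "no NSEC3 covers next closer " + next_closer
        if classify("*." + closest, chain, salt, iterations) != "covered":
            return False, "no NSEC3 covers wildcard *." + closest
        return True, "closest encloser " + closest + " proven"
    return False, "no closest encloser found"
```

Running `nxdomain_proof` against a chain that still contains the hash of the deleted name reports it as bogus, while a chain rebuilt without that name yields a valid proof.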