[DNSSEC] Dealing with an inconsistent NSEC

Stephane Bortzmeyer bortzmeyer at nic.fr
Tue Oct 23 08:08:21 UTC 2012


It may be a bug in BIND and it is certainly a bug in the zone
pcextreme.nl.

BIND validating resolvers are unable to get the IP address of
v1.pcextreme.nl.

I believe this is because of the strange NSEC:

tools-newerst.pcextreme.nl. 2315 IN     NSEC    v2.pcextreme.nl. AAAA RRSIG NSEC

which says there is nothing between tools-newerst.pcextreme.nl and
v2.pcextreme.nl (and therefore no v1).

This is inconsistent since there are also A and AAAA records for
v1.pcextreme.nl.

I tested with a BIND and an Unbound, as well as with ODVR
<https://www.dns-oarc.net/oarc/services/odvr>. Apparently BIND always
fails and Unbound always succeeds, probably because Unbound is happy
with the A record but BIND uses the (unvalidated, since there is no DS
in the parent) NSEC to disprove the domain name.

So, the zone signature system at pcextreme.nl seems broken. But is
BIND right to send back NXDOMAIN? RFC 4035, section 5.4 is not obvious
here.
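The span test that the message above relies on, written out as an added example (this is editor-supplied code, not part of the original post or of BIND): canonical DNS name ordering as defined in RFC 4034 section 6.1 (labels compared right to left, case-insensitively, shorter prefix first), then the check of whether a queried name falls strictly inside an NSEC's (owner, next) span, including the zone's last NSEC whose next name wraps to the apex. The NSEC owner and next name are the ones quoted in the post; the list of names assumed to exist in the zone is constructed for the demonstration.

```python
"""Does an NSEC record deny a name?  RFC 4034 s.6.1 canonical ordering + span test.

Added example; the zone contents below are constructed, only the NSEC record
itself is the one quoted in the message.
"""


def canonical_key(name):
    """Sort key implementing RFC 4034 section 6.1 canonical ordering.

    Labels are compared starting from the root (rightmost label), each label as
    lowercase octets; a name that is a prefix of another sorts first.  Python
    tuple-of-bytes comparison gives exactly these rules.
    """
    labels = [lbl.lower().encode("ascii") for lbl in name.rstrip(".").split(".") if lbl]
    return tuple(reversed(labels))


def nsec_covers(owner, next_name, qname):
    """True if the NSEC span (owner, next_name) asserts that qname does not exist.

    qname equal to owner is not 'covered': that NSEC proves the owner exists and
    lists its types.  If next_name sorts before owner, this is the last NSEC in the
    zone and the span wraps around through the apex.
    """
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    if q == o:
        return False
    if o < n:
        return o < q < n
    # Wrapped span: everything after owner, plus everything before the apex.
    return q > o or q < n


def contradicted_names(owner, next_name, existing_names):
    """Names that the zone publishes data for but that this NSEC claims do not exist.

    A non-empty result is the inconsistency described in the message: a validator
    that trusts the NSEC (BIND) answers NXDOMAIN, one that takes the positive
    answer (Unbound) resolves the name.
    """
    return [nm for nm in existing_names if nsec_covers(owner, next_name, nm)]


# The NSEC quoted in the post.
NSEC_OWNER = "tools-newerst.pcextreme.nl."
NSEC_NEXT = "v2.pcextreme.nl."

# Constructed list of names with A/AAAA data; v1 is the one the post says exists.
EXISTING = [
    "pcextreme.nl.",
    "tools-newerst.pcextreme.nl.",
    "v1.pcextreme.nl.",
    "v2.pcextreme.nl.",
    "www.pcextreme.nl.",
]

if __name__ == "__main__":
    for nm in EXISTING:
        print(f"{nm:32} covered by NSEC span: {nsec_covers(NSEC_OWNER, NSEC_NEXT, nm)}")
    bad = contradicted_names(NSEC_OWNER, NSEC_NEXT, EXISTING)
    print("names the NSEC wrongly denies:", bad)
```

Running it prints that only v1.pcextreme.nl. sits inside the span, which is the contradiction: the zone publishes A/AAAA for v1 while its own NSEC chain says nothing exists between tools-newerst and v2. The same check, run against the full NSEC chain of a zone you operate, is a cheap consistency test to add to a signing pipeline.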
