[DNSSEC] Dealing with an inconsistent NSEC

Casey Deccio casey at deccio.net
Tue Oct 23 13:27:12 UTC 2012


On Tue, Oct 23, 2012 at 1:08 AM, Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:

> It may be a bug in BIND and it is certainly a bug in the zone
> pcextreme.nl.
>
> BIND validating resolvers are unable to get the IP address of
> v1.pcextreme.nl.
>
> I believe this is because of the strange NSEC:
>
> tools-newerst.pcextreme.nl. 2315 IN NSEC v2.pcextreme.nl. AAAA RRSIG NSEC
>
> which says there is nothing between tools-newerst.pcextreme.nl and
> v2.pcextreme.nl (and therefore no v1).
>
> This is inconsistent since there are also A and AAAA records for
> v1.pcextreme.nl.
>
>
The issue here is that no delegation NS records exist for
v1.pcextreme.nl in its parent zone, pcextreme.nl.  Thus when any server
(authoritative for both zones) is queried for v1.pcextreme.nl/DS,
NXDOMAIN is returned because there are no records by that name in the
parent (no DS or NS).  Because BIND looks upward for DS RRs after
validating RRSIGs in v1.pcextreme.nl, it gets the NXDOMAIN response,
which changes the cache's understanding of v1.pcextreme.nl--specifically
that the name doesn't exist.  The results from your resolver are
reflecting that behavior.  unbound perhaps handles authentication
differently, e.g., top-down, so it doesn't ever perform the DS query and
thus never receives NXDOMAIN for the name.

See also the delegation warning at:
http://dnsviz.net/d/v1.pcextreme.nl/UIY0lg/dnssec/

Casey
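As an added illustration (not part of Casey's message, and not BIND code), the check below applies the RFC 4034 canonical name ordering to the NSEC quoted above: v1.pcextreme.nl sorts strictly between tools-newerst.pcextreme.nl and v2.pcextreme.nl, so a validator using that NSEC as the answer to a DS query gets a provable NXDOMAIN, while the type bitmap (no NS) shows the owner is not a delegation point. The owner, next name and type list are copied from the quoted record; the function names are illustrative.

```python
# Added example, not from the original post or from BIND: applies the
# RFC 4034 canonical ordering to the NSEC quoted in the thread to show
# which names it denies. Record values are copied from the message.

def canonical_key(name: str) -> tuple:
    """Sort key implementing RFC 4034 section 6.1 canonical name ordering.

    Labels are compared from the rightmost (closest to root) label leftwards,
    each as lowercase octets, and a name sorts before the names beneath it.
    Python tuple comparison gives exactly this once the labels are reversed.
    """
    labels = [lab.lower().encode("ascii")
              for lab in name.rstrip(".").split(".") if lab]
    return tuple(reversed(labels))


def nsec_covers(owner: str, next_name: str, qname: str) -> bool:
    """True if qname sorts strictly between owner and next_name, i.e. this
    NSEC asserts that qname does not exist.  The last NSEC in a zone points
    back to the apex, so its span wraps around the end of the zone."""
    o, n, q = (canonical_key(x) for x in (owner, next_name, qname))
    if o < n:
        return o < q < n
    return q > o or q < n  # wrap-around span of the zone's last NSEC


def nsec_verdict(owner: str, next_name: str, types: set, qname: str) -> str:
    """What a validator may conclude about qname from this single NSEC."""
    if nsec_covers(owner, next_name, qname):
        return "nonexistent"  # a DS query for qname gets a provable NXDOMAIN
    if canonical_key(owner) == canonical_key(qname):
        # The owner exists; NS in the bitmap is what marks a delegation point.
        return "delegation" if "NS" in types else "no delegation"
    return "not applicable"  # a different NSEC in the chain is the relevant one


# The NSEC quoted in the message, split into its parts.
NSEC_OWNER = "tools-newerst.pcextreme.nl."
NSEC_NEXT = "v2.pcextreme.nl."
NSEC_TYPES = {"AAAA", "RRSIG", "NSEC"}

if __name__ == "__main__":
    for qname in ("v1.pcextreme.nl.", "www.v1.pcextreme.nl.",
                  "tools-newerst.pcextreme.nl.", "v2.pcextreme.nl."):
        verdict = nsec_verdict(NSEC_OWNER, NSEC_NEXT, NSEC_TYPES, qname)
        print(f"{qname:30} {verdict}")
```

Run against the parent's NSEC, "nonexistent" for v1.pcextreme.nl (and anything beneath it) is exactly the proof that makes the child's A and AAAA records inconsistent with the parent zone.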