[DNSSEC] Dealing with an inconsistent NSEC

Warren Kumari warren at kumari.net
Tue Oct 23 14:22:29 UTC 2012


On Oct 23, 2012, at 4:08 AM, Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:

> It may be a bug in BIND and it is certainly a bug in the zone
> pcextreme.nl.
> 
> BIND validating resolvers are unable to get the IP address of
> v1.pcextreme.nl.
> 
> I believe this is because of the strange NSEC:
> 
> tools-newerst.pcextreme.nl. 2315 IN     NSEC    v2.pcextreme.nl. AAAA RRSIG NSEC
> 
> which says there is nothing between tools-newerst.pcextreme.nl and
> v2.pcextreme.nl (and therefore no v1).
> 
> This is inconsistent since there are also A and AAAA records for
> v1.pcextreme.nl.
> 
> I tested with a BIND and an Unbound, as well as with ODVR
> <https://www.dns-oarc.net/oarc/services/odvr>. Apparently BIND always
> fails and Unbound always succeeds, probably because Unbound is happy
> with the A record but BIND uses the (unvalidated, since there is no DS
> in the parent) NSEC to disprove the domain name.
> 
> So, the zone signature system at pcextreme.nl seems broken.

So, we seem to see a fair number of distinctly "odd" DNSSEC zones -- what I'm wondering is how / why.

Presumably the operators of pcextreme.nl. didn't sign their zone by hand ("All them sums are hard!"), so how does this actually happen?
1: They rolled their own signer?
2: They are using something well known that happened to fail in some odd way?
3: They cut-n-pasted the signed rrset from another signed zonefile, not realizing that NSEC makes a hole?

My guess is on #3; what do others think?

W


> But is
> BIND right to send back NXDOMAIN? RFC 4035, section 5.4 is not obvious
> here.
> 

-- 
"I think it would be a good idea." 
- Mahatma Gandhi, when asked what he thought of Western civilization
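As an added illustration (not code from the thread or from ISC), the check below applies the canonical name ordering of RFC 4034 section 6.1 and the NSEC covering test of RFC 4035 section 5.4 to a constructed record list built from the names quoted above; it flags exactly the kind of hole Stephane describes, where an NSEC denies a name that the zone also serves data for. Only the names in the thread are taken from the page; the other records (SOA, the A at v2) are assumed, and escaped label octets (\DDD) are not handled.

```python
"""Find zone names that carry data but are also denied by an NSEC gap."""


def canonical_key(name: str) -> list[bytes]:
    """Sort key per RFC 4034 s6.1: labels compared right to left,
    case-folded, as unsigned octet strings; a missing label sorts first."""
    labels = [lab.lower().encode() for lab in name.rstrip(".").split(".") if lab]
    return list(reversed(labels))


def canonical_lt(a: str, b: str) -> bool:
    """True if a sorts strictly before b in canonical DNS order."""
    return canonical_key(a) < canonical_key(b)


def nsec_covers(owner: str, next_name: str, qname: str) -> bool:
    """True if NSEC(owner -> next_name) asserts that qname does not exist.
    The last NSEC in a chain points back to the apex and wraps around."""
    if canonical_key(qname) == canonical_key(owner):
        return False  # the owner itself exists; it is asserted, not denied
    if canonical_lt(owner, next_name):
        return canonical_lt(owner, qname) and canonical_lt(qname, next_name)
    return canonical_lt(owner, qname) or canonical_lt(qname, next_name)


def find_denied_names(records, nsecs):
    """Return (name, nsec_owner, nsec_next) for every name that has a
    record in `records` yet falls inside an NSEC gap in `nsecs`."""
    names = sorted({n for n, _ in records}, key=canonical_key)
    return [
        (n, owner, nxt)
        for owner, nxt, _types in nsecs
        for n in names
        if nsec_covers(owner, nxt, n)
    ]


# Constructed sample: the names from the thread plus an assumed SOA and v2 A.
ZONE_RECORDS = [
    ("pcextreme.nl.", "SOA"),
    ("tools-newerst.pcextreme.nl.", "AAAA"),
    ("v1.pcextreme.nl.", "A"),
    ("v1.pcextreme.nl.", "AAAA"),
    ("v2.pcextreme.nl.", "A"),
]
# The NSEC quoted in the thread, which skips straight from tools-newerst to v2.
NSEC_RECORDS = [
    ("tools-newerst.pcextreme.nl.", "v2.pcextreme.nl.", ["AAAA", "RRSIG", "NSEC"]),
]

if __name__ == "__main__":
    for name, owner, nxt in find_denied_names(ZONE_RECORDS, NSEC_RECORDS):
        print(f"{name} has data but is denied by NSEC {owner} -> {nxt}")
```

A validating resolver that trusts the NSEC will answer NXDOMAIN for every name this prints, so running it over a freshly signed zone is a cheap sanity check before publishing.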