[DNSSEC] Dealing with an inconsistent NSEC
Warren Kumari
warren at kumari.net
Tue Oct 23 14:22:29 UTC 2012
On Oct 23, 2012, at 4:08 AM, Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:
> It may be a bug in BIND and it is certainly a bug in the zone
> pcextreme.nl.
>
> BIND validating resolvers are unable to get the IP address of
> v1.pcextreme.nl.
>
> I believe this is because of the strange NSEC:
>
> tools-newerst.pcextreme.nl. 2315 IN NSEC v2.pcextreme.nl. AAAA RRSIG NSEC
>
> which says there is nothing between tools-newerst.pcextreme.nl and
> v2.pcextreme.nl (and therefore no v1).
>
> This is inconsistent since there are also A and AAAA records for
> v1.pcextreme.nl.
>
> I tested with a BIND and an Unbound, as well as with ODVR
> <https://www.dns-oarc.net/oarc/services/odvr>. Apparently BIND always
> fails and Unbound always succeeds, probably because Unbound is happy
> with the A record but BIND uses the (unvalidated, since there is no DS
> in the parent) NSEC to disprove the domain name.
>
> So, the zone signature system at pcextreme.nl seems broken.
So, we seem to see a fair number of distinctly "odd" DNSSEC zones -- what I'm wondering is how / why.
Presumably the operators of pcextreme.nl. didn't sign their zone by hand ("All them sums are hard!"), so how does this actually happen?
1: They rolled their own signer?
2: they are using something well known that happened to fail in some odd way?
3: they cut-n-pasted the signed RRset from another signed zonefile, not realizing that NSEC makes a hole?
My guess is on #3, what do others think?
W
> But is
> BIND right to send back NXDOMAIN? RFC 4035, section 5.4 is not obvious
> here.
>
--
"I think it would be a good idea."
- Mahatma Gandhi, when asked what he thought of Western civilization
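As an added example (not code from the thread, from BIND or from the pcextreme.nl operators), the following Python checks whether any name that exists in a zone falls inside an NSEC gap, using the RFC 4034 section 6.1 canonical ordering; the zone listing is constructed from the names in the quoted message, and the wrap-around case for the last NSEC in a chain is handled as well.

```python
"""Check an NSEC chain against the names actually present in a zone.

Added example for this thread, not code from BIND or from the zone
operators. Names come from the quoted message; the zone listing is
constructed to reproduce the described inconsistency.
"""


def canonical_key(name: str) -> tuple:
    """RFC 4034 section 6.1 canonical ordering key: labels reversed,
    lowercased, compared as octet strings (a parent sorts before its
    children, so the apex comes first)."""
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    return tuple(lbl.lower().encode() for lbl in reversed(labels))


def nsec_covers(owner: str, next_name: str, name: str) -> bool:
    """True if `name` falls strictly inside the gap (owner, next_name) that
    this NSEC claims is empty. The last NSEC in a chain points back to
    the apex, so its gap wraps around the end of the canonical order."""
    o, n, k = canonical_key(owner), canonical_key(next_name), canonical_key(name)
    if o < n:
        return o < k < n
    return k > o or k < n  # wrap-around: last NSEC of the chain


def inconsistent_names(zone_names, nsec_records):
    """Return (name, nsec_owner) pairs where a name that exists in the
    zone is denied by an NSEC gap, i.e. the chain contradicts the zone."""
    findings = []
    for owner, next_name in nsec_records:
        for name in zone_names:
            if nsec_covers(owner, next_name, name):
                findings.append((name, owner))
    return findings


# Constructed zone listing: the NSEC quoted in the message plus the
# v1.pcextreme.nl name that the NSEC wrongly denies.
ZONE_NAMES = [
    "pcextreme.nl.", "tools-newerst.pcextreme.nl.",
    "v1.pcextreme.nl.", "v2.pcextreme.nl.",
]
NSEC_RECORDS = [("tools-newerst.pcextreme.nl.", "v2.pcextreme.nl.")]

if __name__ == "__main__":
    for name, owner in inconsistent_names(ZONE_NAMES, NSEC_RECORDS):
        print(f"{name} exists but the NSEC at {owner} says that gap is empty")
```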