[DNSSEC] Dealing with an inconsistent NSEC

Casey Deccio casey at deccio.net
Tue Oct 23 15:19:02 UTC 2012


On Tue, Oct 23, 2012 at 6:36 AM, Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:

> On Tue, Oct 23, 2012 at 06:27:12AM -0700,
>  Casey Deccio <casey at deccio.net> wrote
>  a message of 88 lines which said:
>
> > The issue here is that no delegation NS records exist for
> > v1.pcextreme.nl in its parent zone, pcextreme.nl.  Thus when any
> > server (authoritative for both zones) is queried for
> > v1.pcextreme.nl/DS, NXDOMAIN is returned because there are no
> > records by that name in the parent (no DS or NS).
>
> But it should reply NOERROR,DATA=0, no NXDOMAIN. Indeed,
> pcextreme.nl's name servers reply NXDOMAIN for DS queries but not for
> other QTYPES.
>
> So, no bug in BIND and Unbound, only in the zone?
>

Yes.  Prior to DNSSEC, it used to be that if all servers authoritative for
a parent were also authoritative for the delegated child, then they could
get away with not having any delegation records in the parent.  With DNSSEC
this omission causes these NXDOMAIN issues with validating resolvers when
the child is signed and the parent has no DS.

Casey
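As an added illustration (not code from the thread, nor from BIND or Unbound), here is a small Python model of one server authoritative for both pcextreme.nl and v1.pcextreme.nl; the zone contents and rdata are constructed, not the real zones. It shows why DS gets NXDOMAIN while other types get NOERROR when the delegation NS record is missing, and how adding the NS record turns the DS answer into NOERROR/NODATA.

```python
# Constructed model of one name server that is authoritative for both
# pcextreme.nl (parent) and v1.pcextreme.nl (child).  DS is special: it is
# answered from the parent side of a zone cut, every other type from the
# most specific zone.  Rdata below is hypothetical, not the real zones.

def make_zones(with_delegation):
    """Return {zone_name: {owner: {rrtype: [rdata]}}} for both zones."""
    parent = {
        "pcextreme.nl.": {"SOA": ["hostmaster"], "NS": ["ns1.pcextreme.nl."]},
        "www.pcextreme.nl.": {"A": ["192.0.2.10"]},
    }
    if with_delegation:
        # The delegation NS record the thread says is missing from the parent.
        parent["v1.pcextreme.nl."] = {"NS": ["ns1.pcextreme.nl."]}
    child = {
        "v1.pcextreme.nl.": {"SOA": ["hostmaster"], "NS": ["ns1.pcextreme.nl."],
                             "A": ["192.0.2.20"]},
    }
    return {"pcextreme.nl.": parent, "v1.pcextreme.nl.": child}

def closest_zone(zones, qname, skip_exact=False):
    """Longest zone containing qname; for DS the zone at qname itself is skipped."""
    best = None
    for zone in zones:
        if (qname == zone and not skip_exact) or qname.endswith("." + zone):
            if best is None or len(zone) > len(best):
                best = zone
    return best

def answer(zones, qname, qtype):
    """Return (rcode, rdata_list) as the server would for qname/qtype."""
    zone = closest_zone(zones, qname, skip_exact=(qtype == "DS"))
    if zone is None:
        return ("REFUSED", [])
    names = zones[zone]
    if qname not in names:
        # The zone's NSEC chain proves the name does not exist at all: NXDOMAIN.
        return ("NXDOMAIN", [])
    # Name exists; an empty list is NOERROR/NODATA (e.g. no DS at the cut).
    return ("NOERROR", names[qname].get(qtype, []))

def inconsistent_ds(zones, name):
    """True when DS gets NXDOMAIN although the same name answers for another type."""
    ds_rcode, _ = answer(zones, name, "DS")
    a_rcode, _ = answer(zones, name, "A")
    return ds_rcode == "NXDOMAIN" and a_rcode == "NOERROR"

if __name__ == "__main__":
    for delegated in (False, True):
        z = make_zones(delegated)
        print(delegated, answer(z, "v1.pcextreme.nl.", "DS"), inconsistent_ds(z, "v1.pcextreme.nl."))
```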