Insecurity proof failed resolving newsletter.postbank.de - but why?

Graham Clinch g.clinch at lancaster.ac.uk
Mon Jan 20 17:46:30 UTC 2014


Hi List (& Chris & Tony),

> What *does* matter is that the NSEC3 "proves" that there are no NS
> records as well (as no DS ones) for newsletter.postbank.de (despite
> the fact that the NS records are included in the referral). Note the
> absence of opt-out in the NSEC3.

Thanks for the replies - and noticing the missing 'NS'!

From my rather brain-busting afternoon reading, I believe this 
situation is covered by section 4.4 of RFC 6840, which requires a 
validator to ensure the NS type bit is set for an insecure delegation's 
NSEC(3) (or that it's covered by opt-out, but as Chris pointed out, that 
doesn't seem to be the case here).

I've left feedback for the dnsviz maintainer in the hopes that this case 
can be picked up in future.

Graham

-- 
Graham Clinch
Systems Programmer,
Lancaster University
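
The rule Graham cites from RFC 6840 section 4.4, as an added worked example that is not part of the original post and not code from BIND or dnsviz: it hashes the delegation name per RFC 5155 section 5, finds the NSEC3 that matches or covers it, and applies the DS/SOA/NS checks, accepting a covering record only if its Opt-Out flag is set. The zone "example.", its salt, iteration count, owner names and type bitmaps are constructed for this example and are not the postbank.de data from the thread; the RFC 5155 Appendix A hash of "example" is used as a self-check of the hashing routine.

```python
"""Check an insecure-delegation proof built from NSEC3 records.

RFC 4035 s5.2: the NSEC3 matching the delegation must lack the DS and SOA bits.
RFC 6840 s4.4 adds: it must also carry the NS bit (proving a delegation exists),
or the name must be covered by an NSEC3 whose Opt-Out flag is set.
"""
import base64
import hashlib
from dataclasses import dataclass

OPT_OUT = 0x01  # RFC 5155 s3.1.2.1 flag bit


@dataclass(frozen=True)
class NSEC3:
    owner_hash: str   # base32hex first label of the owner name, lower-case
    flags: int
    iterations: int
    salt: bytes
    next_hash: str    # "Next Hashed Owner Name" field, base32hex lower-case
    types: frozenset  # type bitmap as mnemonics, e.g. {"NS", "RRSIG"}


def wire_name(name: str) -> bytes:
    """Canonical (lower-case, uncompressed) wire form of a domain name."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def b32hex(data: bytes) -> str:
    """Base32 with the extended-hex alphabet (RFC 4648 s7), lower-case, unpadded."""
    std = base64.b32encode(data).decode("ascii").rstrip("=")
    table = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          "0123456789ABCDEFGHIJKLMNOPQRSTUV")
    return std.translate(table).lower()


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 s5: IH(0) = SHA-1(name || salt); IH(k) = SHA-1(IH(k-1) || salt)."""
    h = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return b32hex(h)


def covers(rr: NSEC3, h: str) -> bool:
    """True if h lies strictly between rr's owner hash and next hash (last NSEC3 wraps)."""
    if rr.owner_hash < rr.next_hash:
        return rr.owner_hash < h < rr.next_hash
    return h > rr.owner_hash or h < rr.next_hash


def check_insecure_delegation(name: str, records):
    """Return (accepted, reason) for the NSEC3 RRs carried in a referral's authority section."""
    if not records:
        return False, "no NSEC3 records in the referral"
    salt, iterations = records[0].salt, records[0].iterations
    h = nsec3_hash(name, salt, iterations)
    for rr in records:
        if rr.owner_hash == h:
            if "DS" in rr.types:
                return False, "DS bit set: the delegation is signed, expect a DS RRset"
            if "SOA" in rr.types:
                return False, "SOA bit set: name is a zone apex, not a delegation"
            if "NS" not in rr.types:
                return False, "NS bit missing: the NSEC3 denies that a delegation exists"
            return True, "matching NSEC3 has NS and lacks DS and SOA"
    for rr in records:
        if covers(rr, h):
            if rr.flags & OPT_OUT:
                return True, "covered by an Opt-Out NSEC3"
            return False, "covering NSEC3 without Opt-Out: the name does not exist"
    return False, "no NSEC3 matches or covers " + name


# Constructed sample zone "example."; salt and iteration count are chosen for the
# example (they happen to match RFC 5155 Appendix A, which gives us a known hash).
SALT, ITERATIONS = bytes.fromhex("aabbccdd"), 12
SAMPLE_ENTRIES = [
    ("example", {"NS", "SOA", "DNSKEY", "NSEC3PARAM", "RRSIG"}),  # zone apex
    ("insecure.example", {"NS", "RRSIG"}),                        # proper unsigned delegation
    ("nons.example", {"A", "RRSIG"}),                             # the thread's case: NS bit absent
    ("signed.example", {"NS", "DS", "RRSIG"}),                    # signed delegation
]


def make_chain(entries, flags: int):
    """Build a consistent NSEC3 chain: owners sorted by hash, each pointing at the next."""
    hashed = sorted(((nsec3_hash(n, SALT, ITERATIONS), frozenset(t)) for n, t in entries),
                    key=lambda e: e[0])
    chain = []
    for i, (h, types) in enumerate(hashed):
        nxt = hashed[(i + 1) % len(hashed)][0]
        chain.append(NSEC3(h, flags, ITERATIONS, SALT, nxt, types))
    return chain


if __name__ == "__main__":
    for flags in (0, OPT_OUT):
        chain = make_chain(SAMPLE_ENTRIES, flags)
        for name in ("insecure.example", "nons.example", "signed.example", "absent.example"):
            print(flags, name, check_insecure_delegation(name, chain))
```

The `nons.example` case reproduces the failure in the thread: a referral arrives with NS records, but the matching NSEC3 has no NS bit, so the validator must reject the proof rather than treat the delegation as insecure. A real validator additionally verifies the RRSIGs over the NSEC3 RRs and, on the Opt-Out branch, the closest-encloser proof of RFC 5155 section 8.9; both are left out here.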

