Wrong NSEC3 for wildcard cname

Casey Deccio casey at deccio.net
Wed Nov 19 21:38:23 UTC 2014


Hi Graham,

On Wed, Nov 19, 2014 at 11:59 AM, Graham Clinch <g.clinch at lancaster.ac.uk>
wrote:

> Using bind 9.9.5 with inline-signing, I have a test wildcard cname
> record in two zones:
>
> *.cnametest.lancs.ac.uk CNAME www.lancs.ac.uk
> *.cnametest.palatine.ac.uk CNAME www.palatine.ac.uk
>
> dnsviz is showing the error
> "NSEC3 proving non-existence of foo.cnametest.lancs.ac.uk./CNAME:
> QNAME_NOT_COVERED"
> for the lancs.ac.uk version (but the palatine.ac.uk version is fine).
>
>
My apologies - this was actually a bug in DNSViz.  The NSEC3 computation
was being performed on the wrong name (the wrong origin was being
applied).  It should be fixed now, as shown in:

http://dnsviz.net/d/foo.cnametest.lancs.ac.uk/VGzlkA/dnssec/
http://dnsviz.net/d/foo.cnametest.palatine.ac.uk/VGzrqg/dnssec/


> ...
> For palatine.ac.uk:
>
> AEP7P2GGD4GEBNRMSBP4I97SU0MKR5R9.palatine.ac.uk. 3600 IN NSEC3 1 0 10
> BB1150B39E44B92F E92VAEN6BQ1T2N54AA2RSA1V49RM394S
>
> (AEP... is the hash of cnametest.palatine.ac.uk)
>
>
Yes, but more importantly it happens to be the owner name of the NSEC3
record that covers the NSEC3 hash of the next closest encloser (
foo.cnametest.palatine.ac.uk, whose hash starts with E8T9...).  The fact
that it also matches the NSEC3 hash of the closest encloser (
cnametest.palatine.ac.uk) is coincidental (and also probabilistic,
depending on the size of the zone).


>
> For lancs.ac.uk:
>
> RA9FSQ8NSK36A6568UHF8L26UFV2B1PG.lancs.ac.uk. 3600 IN NSEC3 1 0 10
> 9B6EFFBA177399A0 RA9V2QS7NE6Q5VLKU2EF4QONHP5CGIJR A RRSIG
>
> (RA9... isn't the hash of cnametest.lancs.ac.uk, and it's claiming there
> are A and RRSIG records!?).
>

Correct - this is the hash of some other record, the record that covers the
hash of the next closest encloser (foo.cnametest.lancs.ac.uk).  The hash of
the closest encloser is not necessary as this is for a wildcard response,
and the closest encloser (cnametest.lancs.ac.uk) can be inferred from the
labels field in the RRSIG.  In this case, the number of labels (i.e., in
the RRSIG) is 4, so the closest encloser is cnametest.lancs.ac.uk.


>
> Both cnametest records were added today, so the signature inception time
> of the lancs.ac.uk NSEC3's RRSIG being yesterday (20141118125729), is
> very odd...
>

Again, the NSEC3 in question corresponds to some other (most likely)
preexisting name, so it is not surprising that the inception date on its
RRSIG is older than today.


>
> What's going on?  Both zones are being signed by the same instance of
> bind and there are no interesting log messages.
>

Hope that helps.

Cheers,
Casey
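As an added illustration (not part of Casey's or Graham's messages, and not DNSViz or BIND code), the Python below reproduces the three steps the reply relies on: hashing an owner name the NSEC3 way (RFC 5155 section 5), inferring the closest encloser and "next closer" name of a wildcard-expanded answer from the RRSIG Labels field (RFC 4035 section 5.3.4, RFC 5155 section 8.8), and checking whether an NSEC3 record's owner/next pair covers the hash of that next closer name. The demo under `__main__` uses the palatine.ac.uk NSEC3 parameters and hashes quoted above; the function names are my own and the wrap-around hashes in the comments are constructed.

```python
# Added example: NSEC3 hashing and the wildcard "next closer name" check.
import base64
import hashlib

# RFC 5155 requires base32 with the "extended hex" alphabet (RFC 4648 s7),
# which keeps hash order identical to byte order when comparing as strings.
_B32_STD = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_B32_HEX = b"0123456789ABCDEFGHIJKLMNOPQRSTUV"
_TO_HEX = bytes.maketrans(_B32_STD, _B32_HEX)


def labels_of(name: str) -> list:
    """Split a domain name into its labels, dropping the root label."""
    return [l for l in name.rstrip(".").split(".") if l]


def wire_name(name: str) -> bytes:
    """Canonical wire form (RFC 4034 s6.2): lowercase, length-prefixed labels, root = 0."""
    out = b""
    for label in labels_of(name):
        raw = label.lower().encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """NSEC3 hash (RFC 5155 s5): SHA-1 of (name || salt), re-hashed with the
    salt appended once per iteration, returned as 32 base32hex characters."""
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20 bytes encode to exactly 32 characters, so there is no '=' padding
    return base64.b32encode(digest).translate(_TO_HEX).decode("ascii")


def wildcard_closest_encloser(qname: str, rrsig_labels: int):
    """Infer (closest_encloser, next_closer) of a wildcard-expanded answer from the
    RRSIG Labels field, which counts the wildcard owner's labels without the '*'.
    Returns None when the QNAME was not expanded from a wildcard."""
    q = labels_of(qname)
    if len(q) <= rrsig_labels:
        return None
    closest = ".".join(q[len(q) - rrsig_labels:])
    next_closer = ".".join(q[len(q) - rrsig_labels - 1:])
    return closest, next_closer


def nsec3_covers(owner_hash: str, next_hash: str, target_hash: str) -> bool:
    """True if target_hash lies strictly between the owner and next hashes.
    The last NSEC3 in a zone's chain wraps around to the first, so an owner that
    sorts after its next field covers everything beyond it and before the next."""
    o, n, t = owner_hash.upper(), next_hash.upper(), target_hash.upper()
    if o < n:
        return o < t < n
    return t > o or t < n


def wildcard_proof_ok(qname, rrsig_labels, owner_hash, next_hash, salt_hex, iterations) -> bool:
    """Validator's view of a wildcard CNAME answer: the NSEC3 must cover the hash
    of the next closer name. Whether the owner also matches the closest encloser's
    hash (as happened by chance for palatine.ac.uk) does not matter."""
    info = wildcard_closest_encloser(qname, rrsig_labels)
    if info is None:
        return False
    _, next_closer = info
    return nsec3_covers(owner_hash, next_hash, nsec3_hash(next_closer, salt_hex, iterations))


if __name__ == "__main__":
    # Parameters and hashes quoted from the palatine.ac.uk NSEC3 in the thread:
    # "... NSEC3 1 0 10 BB1150B39E44B92F E92VAEN6BQ1T2N54AA2RSA1V49RM394S"
    owner = "AEP7P2GGD4GEBNRMSBP4I97SU0MKR5R9"
    nxt = "E92VAEN6BQ1T2N54AA2RSA1V49RM394S"
    qname = "foo.cnametest.palatine.ac.uk"
    closest, next_closer = wildcard_closest_encloser(qname, 4)
    print("closest encloser :", closest, "->", nsec3_hash(closest, "BB1150B39E44B92F", 10))
    print("next closer name :", next_closer, "->", nsec3_hash(next_closer, "BB1150B39E44B92F", 10))
    print("NSEC3 covers next closer:", wildcard_proof_ok(qname, 4, owner, nxt, "BB1150B39E44B92F", 10))
```

Running it prints the two hashes a validator actually compares; the record from the thread passes the check only if the next closer name's hash falls between the quoted owner and next fields, which is exactly the condition DNSViz was evaluating against the wrong origin.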