Is BIND9 DNSSEC validation too strict?

Tony Finch dot at dotat.at
Tue Oct 11 10:41:36 UTC 2016


Daniel Stirnimann <daniel.stirnimann at switch.ch> wrote:
>
> BIND9 (and not Unbound, PowerDNS Recursor, Google Public DNS) is failing
> to validate the following non-existent domain name:
>
> dig @184.105.193.73 ABCD._openpgpkey.posteo.de A +dnssec
>
> I believe, the reason for the validation error for the above domain name
> is because of an obsolete NSEC3 record from the authoritative name
> server of _openpgpkey.posteo.de:

; <<>> DiG 9.11.0 <<>> @185.67.36.41 ABCD._openpgpkey.posteo.de ANY +dnssec +multiline
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 38275
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;ABCD._openpgpkey.posteo.de. IN ANY

;; AUTHORITY SECTION:
_openpgpkey.posteo.de.  300 IN SOA ns01a.posteo-dns.de. hostmaster.posteo.de. (
                                1476148232 ; serial
                                7200       ; refresh (2 hours)
                                1800       ; retry (30 minutes)
                                3542400    ; expire (5 weeks 6 days)
                                3600       ; minimum (1 hour)
                                )
_openpgpkey.posteo.de.  300 IN RRSIG SOA 8 3 300 (
                                20161020000000 20160929000000 39156 _openpgpkey.posteo.de.
				[snip]
                                O/81Hu6L3iSwDGHCQc53lh259l+uOCiIzg== )
4aibkdjvtss07hsoloi1fslaf8p9uo5p._openpgpkey.posteo.de. 3600 IN NSEC3 1 0 250 1163B90DC54B41E0 (
                                U8Q7VA83M9L20BMQQS8DMRS75CC5B6C2
                                NS SOA RRSIG DNSKEY NSEC3PARAM )
4aibkdjvtss07hsoloi1fslaf8p9uo5p._openpgpkey.posteo.de. 3600 IN RRSIG NSEC3 8 4 3600 (
                                20161020000000 20160929000000 39156 _openpgpkey.posteo.de.
				[snip]
                                SJKLBlYTAW57+0xCea5MTxAkD016j4Nl/g== )
u8q7va83m9l20bmqqs8dmrs75cc5b6c2._openpgpkey.posteo.de. 3600 IN NSEC3 1 0 250 1163B90DC54B41E0 (
                                U8Q7VA83M9L20BMQQS8DMRS75CC5B6C2
                                NS SOA RRSIG DNSKEY NSEC3PARAM )
u8q7va83m9l20bmqqs8dmrs75cc5b6c2._openpgpkey.posteo.de. 3600 IN RRSIG NSEC3 8 4 3600 (
                                20161020000000 20160929000000 39156 _openpgpkey.posteo.de.
				[snip]
                                ahtefz6CJnedpVfxq4ohWAyhXf6Zho+OjA== )

;; Query time: 32 msec
;; SERVER: 185.67.36.41#53(185.67.36.41)
;; WHEN: Tue Oct 11 10:38:08 BST 2016
;; MSG SIZE  rcvd: 1222

> The last NSEC3 record seems rather strange to me:

u8q7va83m9l20bmqqs8dmrs75cc5b6c2 -> U8Q7VA83M9L20BMQQS8DMRS75CC5B6C2
	NS SOA RRSIG DNSKEY NSEC3PARAM

> That looks like a loop! Apart from that, the first NSEC3 record already
> proved that the domain does not exist.

Yes, very weird. It looks like an NSEC3 record for an empty zone, apex
records only, but the hash doesn't match the zone name. I can't work out
what the hash comes from!

$ NSEC3 1 0 250 1163B90DC54B41E0 ABCD._openpgpkey.posteo.de.
ABCD._openpgpkey.posteo.de. NSEC3 1 0 250 1163B90DC54B41E0 S58U69L2TI0H5Q6KJFQ7H479Q7P70SOF
$ NSEC3 1 0 250 1163B90DC54B41E0 *._openpgpkey.posteo.de.
*._openpgpkey.posteo.de. NSEC3 1 0 250 1163B90DC54B41E0 4BJN0390O6FFC1LSNT14P4GS28UP8NHF
$ NSEC3 1 0 250 1163B90DC54B41E0 _openpgpkey.posteo.de.
_openpgpkey.posteo.de. NSEC3 1 0 250 1163B90DC54B41E0 4AIBKDJVTSS07HSOLOI1FSLAF8P9UO5P

Because the hash U8Q... doesn't match the zone apex name, it denies the
existence of the zone apex as well as the rest of the zone!

> I'm not entirely sure this is the reason BIND9 fails to validate this
> record. However, given that other recursive name server resolve this
> domain name I'm wondering if BIND9 is too strictly validating?

No further insights here, I'm afraid...

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
Fair Isle, Faeroes: East or southeast 3 or 4, increasing 5 at times. Slight or
moderate, occasionally rough later in west Faeroes. Showers. Good.
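To make the hash computations and the "loop" discussed above concrete, here is an added Python implementation of the RFC 5155 NSEC3 hash (SHA-1, salt, extra iterations, base32hex) and of the covering check, run against the two NSEC3 records quoted from the dig output. It is example code written for this thread, not Tony's NSEC3 tool or BIND's code; the `covers` interpretation of an owner-equals-next record (it denies everything except its own owner) is stated as an assumption in the comments.

```python
import base64
import hashlib

# NSEC3 owner names are base32hex (RFC 4648 "extended hex"): remap Python's standard base32 alphabet.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def wire_name(name):
    """Canonical (lowercase), uncompressed wire format of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_hash(name, salt_hex, iterations, algorithm=1):
    """RFC 5155 section 5: H(name || salt), then `iterations` further rounds of H(prev || salt)."""
    if algorithm != 1:
        raise ValueError("only SHA-1 (hash algorithm 1) is defined for NSEC3")
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX)

def covers(owner, nxt, h):
    """True when hash h lies strictly inside the gap the record (owner -> nxt) asserts is empty.
    Assumption: owner == nxt (single-name zone, or the posted loop) denies every hash but its owner."""
    owner, nxt, h = owner.upper(), nxt.upper(), h.upper()
    if owner == nxt:
        return h != owner
    if owner < nxt:
        return owner < h < nxt
    return h > owner or h < nxt  # wrap-around at the end of the hash ring

# Parameters and records taken from the dig output quoted in the thread.
SALT, ITERATIONS = "1163B90DC54B41E0", 250
APEX = "_openpgpkey.posteo.de."
RR_APEX = ("4AIBKDJVTSS07HSOLOI1FSLAF8P9UO5P", "U8Q7VA83M9L20BMQQS8DMRS75CC5B6C2")
RR_LOOP = ("U8Q7VA83M9L20BMQQS8DMRS75CC5B6C2", "U8Q7VA83M9L20BMQQS8DMRS75CC5B6C2")

def check_posted_zone():
    """Recompute the hashes the post shows and test each record against them."""
    apex_hash = nsec3_hash(APEX, SALT, ITERATIONS)
    name_hash = nsec3_hash("ABCD." + APEX, SALT, ITERATIONS)   # next closer name
    wild_hash = nsec3_hash("*." + APEX, SALT, ITERATIONS)      # wildcard at the closest encloser
    return {
        "apex_matches_first_rr": apex_hash == RR_APEX[0],
        "name_covered_by_first_rr": covers(*RR_APEX, name_hash),
        "wildcard_covered_by_first_rr": covers(*RR_APEX, wild_hash),
        "loop_rr_denies_apex": covers(*RR_LOOP, apex_hash),
    }

if __name__ == "__main__":
    print(check_posted_zone())
```

The first record alone matches the closest encloser and covers both the next closer name and the wildcard, which is a complete NXDOMAIN proof; the second record hashes to nothing in the zone and, read as a single-name-zone NSEC3, denies the apex it is supposed to belong to.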