Wrong NSEC3 for wildcard cname

Graham Clinch g.clinch at lancaster.ac.uk
Wed Nov 19 16:55:12 UTC 2014


Hello list,

Using bind 9.9.5 with inline-signing, I have a test wildcard cname
record in two zones:

*.cnametest.lancs.ac.uk CNAME www.lancs.ac.uk
*.cnametest.palatine.ac.uk CNAME www.palatine.ac.uk

dnsviz is showing the error
"NSEC3 proving non-existence of foo.cnametest.lancs.ac.uk./CNAME:
QNAME_NOT_COVERED"
for the lancs.ac.uk version (but the palatine.ac.uk version is fine).

According to delv, both are fully validated, but the palatine output has
one extra line:

;; validating foo.cnametest.palatine.ac.uk/A: NSEC3 at super-domain
cnametest.palatine.ac.uk



I can see a discrepancy in the NSEC3 records in the Authority section:

For palatine.ac.uk:

AEP7P2GGD4GEBNRMSBP4I97SU0MKR5R9.palatine.ac.uk. 3600 IN NSEC3 1 0 10
BB1150B39E44B92F E92VAEN6BQ1T2N54AA2RSA1V49RM394S

(AEP... is the hash of cnametest.palatine.ac.uk)


For lancs.ac.uk:

RA9FSQ8NSK36A6568UHF8L26UFV2B1PG.lancs.ac.uk. 3600 IN NSEC3 1 0 10
9B6EFFBA177399A0 RA9V2QS7NE6Q5VLKU2EF4QONHP5CGIJR A RRSIG

(RA9... isn't the hash of cnametest.lancs.ac.uk, and it's claiming there
are A and RRSIG records!?).

Both cnametest records were added today, so the signature inception time
of the lancs.ac.uk NSEC3's RRSIG being yesterday (20141118125729), is
very odd...

What's going on?  Both zones are being signed by the same instance of
bind and there are no interesting log messages.

Thanks,

Graham

-- 
Graham Clinch
Systems Programmer,
Lancaster University
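An added worked example (not part of the post above, and not BIND's or dnsviz's own code): it recomputes NSEC3 owner hashes per RFC 5155 and checks what dnsviz's QNAME_NOT_COVERED actually complains about. For a wildcard-synthesised answer the validator needs an NSEC3 in the Authority section that covers the hash of the "next closer name", here foo.cnametest.<zone> itself, since cnametest.<zone> is the closest encloser (RFC 5155 section 8.8); the owner of that NSEC3 need not be the hash of the closest encloser. The salts, iteration count (10), owner and next hashes are taken verbatim from the two records quoted in the post; the function and variable names (name_to_wire, nsec3_hash, covers, wildcard_answer_proof, check_post_records, POST_RECORDS) are this example's own. It goes slightly beyond the post by implementing the general coverage test, including the wrap-around at the end of the NSEC3 chain.

```python
"""NSEC3 (RFC 5155) helper: recompute owner hashes and check wildcard-answer coverage."""
import base64
import hashlib

# base32 -> base32hex (RFC 4648 "Extended Hex"). Base32hex preserves binary sort order,
# which is why NSEC3 hashes can be compared as plain upper-case strings.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def name_to_wire(name: str) -> bytes:
    """Canonical wire form (RFC 4034 section 6.2): lowercase labels, each length-prefixed,
    terminated by the root label. This is the input the NSEC3 hash is computed over."""
    stripped = name.rstrip(".").lower()
    labels = stripped.split(".") if stripped else []
    wire = b""
    for label in labels:
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label in {name!r}")
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int, algorithm: int = 1) -> str:
    """NSEC3 owner hash (RFC 5155 section 5): SHA-1(name||salt), then `iterations` further
    rounds of SHA-1(prev||salt), encoded as upper-case base32hex. Only algorithm 1 is defined."""
    if algorithm != 1:
        raise ValueError("only NSEC3 hash algorithm 1 (SHA-1) is defined")
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20 bytes = 160 bits = exactly 32 base32 characters, so there is no '=' padding.
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX)


def covers(owner_hash: str, next_hash: str, target_hash: str) -> bool:
    """Does the NSEC3 record (owner -> next) prove that target_hash is absent from the zone?
    A target equal to the owner is matched, not covered. The last record in the chain has
    next < owner and wraps around to the first record."""
    o, n, t = (h.upper() for h in (owner_hash, next_hash, target_hash))
    if o == n:                  # single-record chain: covers every other hash
        return t != o
    if o < n:
        return o < t < n
    return t > o or t < n       # wrap-around at the end of the chain


def wildcard_answer_proof(qname, closest_encloser, nsec3_rrset, salt_hex, iterations):
    """RFC 5155 section 8.8: a wildcard-synthesised answer must carry an NSEC3 covering the
    'next closer name' (one label below the closest encloser towards qname), proving that no
    exact match exists. nsec3_rrset is a list of (owner_hash, next_hash) pairs taken from the
    Authority section. Returns (next_closer_name, its_hash, covering_record_or_None)."""
    q = qname.rstrip(".").lower().split(".")
    ce = closest_encloser.rstrip(".").lower().split(".")
    if len(q) <= len(ce) or q[-len(ce):] != ce:
        raise ValueError("closest encloser must be a proper ancestor of qname")
    next_closer = ".".join(q[-(len(ce) + 1):])
    h = nsec3_hash(next_closer, salt_hex, iterations)
    for owner, nxt in nsec3_rrset:
        if covers(owner, nxt, h):
            return next_closer, h, (owner, nxt)
    return next_closer, h, None


# The two Authority-section NSEC3 records quoted in the post: (owner hash, salt, next hash).
POST_RECORDS = {
    "cnametest.palatine.ac.uk": ("AEP7P2GGD4GEBNRMSBP4I97SU0MKR5R9", "BB1150B39E44B92F",
                                 "E92VAEN6BQ1T2N54AA2RSA1V49RM394S"),
    "cnametest.lancs.ac.uk":    ("RA9FSQ8NSK36A6568UHF8L26UFV2B1PG", "9B6EFFBA177399A0",
                                 "RA9V2QS7NE6Q5VLKU2EF4QONHP5CGIJR"),
}
ITERATIONS = 10   # from the NSEC3 RDATA "1 0 10 <salt>" quoted in the post


def check_post_records() -> dict:
    """Per zone: is the quoted owner hash H(cnametest.<zone>), and does the quoted record
    cover H(foo.cnametest.<zone>), the next closer name of the wildcard answer?"""
    out = {}
    for encloser, (owner, salt, nxt) in POST_RECORDS.items():
        _, qhash, hit = wildcard_answer_proof("foo." + encloser, encloser,
                                              [(owner, nxt)], salt, ITERATIONS)
        out[encloser] = {
            "owner_is_hash_of_encloser": nsec3_hash(encloser, salt, ITERATIONS) == owner,
            "next_closer_hash": qhash,
            "next_closer_covered": hit is not None,
        }
    return out


if __name__ == "__main__":
    for zone, result in check_post_records().items():
        print(zone, result)
```

Run it as-is to reproduce the hashes for the two records in the post; compare the output of nsec3_hash() against `ldns-nsec3-hash -t 10 -s <salt> <name>` or `dig +dnssec` output if you want an independent check. If "next_closer_covered" is False for a zone, the Authority section does not prove the non-existence of foo.cnametest.<zone>, which is exactly the condition dnsviz reports as QNAME_NOT_COVERED.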


More information about the dhcp-users mailing list