Wrong NSEC3 for wildcard cname

Graham Clinch g.clinch at lancaster.ac.uk
Wed Nov 19 16:59:10 UTC 2014


How embarrassing when you can't even tell the difference between DNS and
DHCP!

:(

Graham

On 19/11/2014 16:55, Graham Clinch wrote:
> Hello list,
> 
> Using bind 9.9.5 with inline-signing, I have a test wildcard cname
> record in two zones:
> 
> *.cnametest.lancs.ac.uk CNAME www.lancs.ac.uk
> *.cnametest.palatine.ac.uk CNAME www.palatine.ac.uk
> 
> dnsviz is showing the error
> "NSEC3 proving non-existence of foo.cnametest.lancs.ac.uk./CNAME:
> QNAME_NOT_COVERED"
> for the lancs.ac.uk version (but the palatine.ac.uk version is fine).
> 
> According to delv, both are fully validated, but the palatine output has
> one extra line:
> 
> ;; validating foo.cnametest.palatine.ac.uk/A: NSEC3 at super-domain
> cnametest.palatine.ac.uk
> 
> 
> 
> I can see a discrepancy in the NSEC3 records in the Authority section:
> 
> For palatine.ac.uk:
> 
> AEP7P2GGD4GEBNRMSBP4I97SU0MKR5R9.palatine.ac.uk. 3600 IN NSEC3 1 0 10
> BB1150B39E44B92F E92VAEN6BQ1T2N54AA2RSA1V49RM394S
> 
> (AEP... is the hash of cnametest.palatine.ac.uk)
> 
> 
> For lancs.ac.uk:
> 
> RA9FSQ8NSK36A6568UHF8L26UFV2B1PG.lancs.ac.uk. 3600 IN NSEC3 1 0 10
> 9B6EFFBA177399A0 RA9V2QS7NE6Q5VLKU2EF4QONHP5CGIJR A RRSIG
> 
> (RA9... isn't the hash of cnametest.lancs.ac.uk, and it's claiming there
> are A and RRSIG records!?).
> 
> Both cnametest records were added today, so the signature inception time
> of the lancs.ac.uk NSEC3's RRSIG being yesterday (20141118125729), is
> very odd...
> 
> What's going on?  Both zones are being signed by the same instance of
> bind and there are no interesting log messages.
> 
> Thanks,
> 
> Graham
> 


-- 
Graham Clinch
Systems Programmer,
Lancaster University
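The check that dnsviz is performing in the quoted post (hash the name with the zone's NSEC3 parameters, then see whether an NSEC3 record matches or covers that hash) is easy to reproduce locally, and doing so is the quickest way to confirm which of the two authority-section records is the odd one out. The script below is an added worked example, not code from the post, from BIND or from dnsviz. It implements the RFC 5155 hash (SHA-1, salt and iteration count taken from the record's RDATA) and the interval test for "covers", and then uses the post's parameters (salt `BB1150B39E44B92F` for palatine.ac.uk, `9B6EFFBA177399A0` for lancs.ac.uk, 10 iterations) as sample input; `proves_wildcard_expansion` and the helper names are my own, and the owner/next hashes passed to it in the test are constructed rather than taken from a real zone.

```python
import base64
import hashlib

# NSEC3 owner names use base32hex (RFC 4648 section 7). Python's b32encode
# emits the standard alphabet, so translate it.
_B32_STD = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_B32_HEX = b"0123456789ABCDEFGHIJKLMNOPQRSTUV"
_TO_B32HEX = bytes.maketrans(_B32_STD, _B32_HEX)


def labels(name: str) -> list:
    """Split a presentation-format name into lowercase labels, root dropped."""
    return [l for l in name.rstrip(".").lower().split(".") if l]


def wire_name(name: str) -> bytes:
    """Canonical wire form (RFC 4034 section 6.2): lowercase labels, each
    prefixed by its length, terminated by the zero-length root label."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels(name))
    return out + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 section 5 with hash algorithm 1 (SHA-1):
    IH(0) = SHA-1(name || salt); IH(k) = SHA-1(IH(k-1) || salt).
    A 20-byte digest base32hex-encodes to exactly 32 characters, no padding."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_TO_B32HEX).decode("ascii")


def nsec3_matches(owner_hash: str, name: str, salt_hex: str, iterations: int) -> bool:
    """The record's owner IS the hash of `name`: it asserts that `name` exists
    (and its type bitmap lists what is at that name)."""
    return owner_hash.upper() == nsec3_hash(name, salt_hex, iterations)


def nsec3_covers(owner_hash: str, next_hash: str, target_hash: str) -> bool:
    """`target_hash` lies strictly between owner and next in hash order, so the
    record proves no name with that hash exists. The last record in the chain
    wraps around (owner > next); a one-record chain has owner == next."""
    o, n, t = owner_hash.upper(), next_hash.upper(), target_hash.upper()
    if o < n:
        return o < t < n
    return t > o or t < n


def proves_wildcard_expansion(qname: str, wildcard_owner: str, nsec3_rrs: list,
                              salt_hex: str, iterations: int) -> bool:
    """Hypothetical helper: for an answer synthesised from `wildcard_owner`
    (e.g. '*.cnametest.example'), RFC 5155 section 7.2.6 requires an NSEC3
    that covers the 'next closer name', i.e. the one label below the closest
    encloser on the way to qname. `nsec3_rrs` is a list of (owner_hash,
    next_hash) pairs from the Authority section."""
    ce = labels(wildcard_owner)[1:]          # strip the leading '*' label
    q = labels(qname)
    if len(q) <= len(ce) or q[-len(ce):] != ce:
        return False                         # qname is not under the wildcard
    next_closer = ".".join(q[len(q) - len(ce) - 1:])
    target = nsec3_hash(next_closer, salt_hex, iterations)
    return any(nsec3_covers(o, n, target) for o, n in nsec3_rrs)


if __name__ == "__main__":
    # Sample input built from the post: the two NSEC3 records seen in the
    # Authority sections and the zones' salt / iteration parameters.
    seen = {
        "cnametest.palatine.ac.uk": ("BB1150B39E44B92F", "AEP7P2GGD4GEBNRMSBP4I97SU0MKR5R9"),
        "cnametest.lancs.ac.uk":    ("9B6EFFBA177399A0", "RA9FSQ8NSK36A6568UHF8L26UFV2B1PG"),
    }
    for name, (salt, owner) in seen.items():
        print(f"{name}: computed {nsec3_hash(name, salt, 10)}, seen {owner}, "
              f"match={nsec3_matches(owner, name, salt, 10)}")
```

Run stand-alone, the script prints the computed hash beside the owner name seen in each response, which is exactly the comparison the post makes by eye; the hash routine can be checked against the worked example zone in RFC 5155 Appendix A. Note that `nsec3_covers` compares the base32hex strings directly: because that alphabet is in ASCII order, string comparison gives the same ordering as comparing the raw digests, which is what the canonical NSEC3 chain ordering requires.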


More information about the dhcp-users mailing list