Wrong NSEC3 for wildcard cname
Graham Clinch
g.clinch at lancaster.ac.uk
Wed Nov 19 16:59:10 UTC 2014
How embarrassing when you can't even tell the difference between DNS and
DHCP!
:(
Graham
On 19/11/2014 16:55, Graham Clinch wrote:
> Hello list,
>
> Using bind 9.9.5 with inline-signing, I have a test wildcard cname
> record in two zones:
>
> *.cnametest.lancs.ac.uk CNAME www.lancs.ac.uk
> *.cnametest.palatine.ac.uk CNAME www.palatine.ac.uk
>
> dnsviz is showing the error
> "NSEC3 proving non-existence of foo.cnametest.lancs.ac.uk./CNAME:
> QNAME_NOT_COVERED"
> for the lancs.ac.uk version (but the palatine.ac.uk version is fine).
>
> According to delv, both are fully validated, but the palatine output has
> one extra line:
>
> ;; validating foo.cnametest.palatine.ac.uk/A: NSEC3 at super-domain
> cnametest.palatine.ac.uk
>
>
>
> I can see a discrepancy in the NSEC3 records in the Authority section:
>
> For palatine.ac.uk:
>
> AEP7P2GGD4GEBNRMSBP4I97SU0MKR5R9.palatine.ac.uk. 3600 IN NSEC3 1 0 10
> BB1150B39E44B92F E92VAEN6BQ1T2N54AA2RSA1V49RM394S
>
> (AEP... is the hash of cnametest.palatine.ac.uk)
>
>
> For lancs.ac.uk:
>
> RA9FSQ8NSK36A6568UHF8L26UFV2B1PG.lancs.ac.uk. 3600 IN NSEC3 1 0 10
> 9B6EFFBA177399A0 RA9V2QS7NE6Q5VLKU2EF4QONHP5CGIJR A RRSIG
>
> (RA9... isn't the hash of cnametest.lancs.ac.uk, and it's claiming there
> are A and RRSIG records!?).
>
> Both cnametest records were added today, so the signature inception time
> of the lancs.ac.uk NSEC3's RRSIG being yesterday (20141118125729), is
> very odd...
>
> What's going on? Both zones are being signed by the same instance of
> bind and there are no interesting log messages.
>
> Thanks,
>
> Graham
>
--
Graham Clinch
Systems Programmer,
Lancaster University
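As an added example (not code from the thread), the NSEC3 owner hashes quoted in the two Authority sections can be recomputed and a wildcard answer checked the way a validator does; the salt and iteration count come straight from the quoted RDATA ("1 0 10 <salt>": SHA-1, flags 0, 10 iterations). The helpers `nsec3_hash`, `nsec3_covers` and `wildcard_proof_names` are names chosen here, not BIND or dnsviz APIs.

```python
import base64
import hashlib

# NSEC3 owner names are base32hex (RFC 4648 "Extended Hex"), which sorts in the
# same order as the raw hash bytes, so plain string comparison of owner/next
# hashes is enough for the covering test below.
_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                           "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 section 5: iterated SHA-1 over the lowercased wire-format name."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode().rstrip("=").translate(_TO_B32HEX)

def nsec3_covers(owner, nxt, h):
    """True if the NSEC3 record owner->nxt proves that hash h has no owner name."""
    owner, nxt, h = owner.upper(), nxt.upper(), h.upper()
    if owner < nxt:
        return owner < h < nxt
    return h > owner or h < nxt      # last record in the chain wraps to the first

def wildcard_proof_names(qname, wildcard):
    """For a wildcard-expanded answer, return (closest encloser, next closer name).
    The encloser must match an NSEC3 owner hash; the next closer name must be
    covered by an NSEC3, otherwise dnsviz reports QNAME_NOT_COVERED."""
    if not wildcard.startswith("*."):
        raise ValueError("not a wildcard owner name")
    encloser = wildcard[2:]
    qlabels, elabels = qname.split("."), encloser.split(".")
    if qlabels[-len(elabels):] != elabels or len(qlabels) <= len(elabels):
        raise ValueError("qname is not below the wildcard's parent")
    next_closer = ".".join(qlabels[len(qlabels) - len(elabels) - 1:])
    return encloser, next_closer

if __name__ == "__main__":
    # Values from the thread: palatine.ac.uk signs with salt BB1150B39E44B92F, 10 iterations.
    enc, nxt = wildcard_proof_names("foo.cnametest.palatine.ac.uk", "*.cnametest.palatine.ac.uk")
    print(enc, nsec3_hash(enc, "BB1150B39E44B92F", 10))   # AEP7P2GGD4GEBNRMSBP4I97SU0MKR5R9
    print(nxt, nsec3_hash(nxt, "BB1150B39E44B92F", 10), "<- must be covered by an NSEC3 in the reply")
```

Feed the owner and next hashes of each NSEC3 in the Authority section to `nsec3_covers` with the next closer name's hash to see whether the reply actually carries the proof dnsviz is asking for.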