On Fri, Sep 05, 2014 at 09:55:45PM +0000, Viktor Dukhovni wrote:

> On Sat, Sep 06, 2014 at 07:39:34AM +1000, Mark Andrews wrote:
>
> > The problem is the wildcard and the broken wildcard processing, not
> > the CNAME. The rcode is wrong as a result, NOERROR != NXDOMAIN.
>
> Yes, that's it, as I eventually also figured out...
The DNS server in question is djbdns. Corrected wildcard processing may be
available at <http://www.tinydnssec.org/>, but I've not tested that software
or looked at it in any detail beyond the claim in the list of improvements
that the issue is resolved:

    The interpretation of wildcard records now matches the description in
    RFC-1034 section 4.3.3. Specifically, if there's a wildcard *.x and a
    record for a.x, then a query for y.a.x will not be answered using the
    wildcard (for a label 'a' and series of labels 'x' and 'y'). This change
    is required for signed domains, because authentication of negative
    responses requires a common understanding between client and server
    about the meaning of wildcards.

There is an important note about running that software as a secondary:

    Be careful with publishing signed zones as a secondary nameserver: the
    modified tinydns/axfrdns require certain helper RRs in the database to
    simplify locating NSEC3 records. Without these helpers, tinydns cannot
    generate valid negative responses nor valid wildcard responses.

-- 
	Viktor.

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
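The RFC 1034 section 4.3.3 rule quoted in the message above, worked through as an added example; this is not code from tinydnssec, djbdns or the thread. It is a toy authoritative lookup over a constructed zone holding a wildcard *.x, an ordinary name a.x, a CNAME at c.x and an empty non-terminal e.x (implied by d.e.x). The correct path consults a wildcard only when it is a direct child of the closest encloser, so y.a.x gets NXDOMAIN; the `correct=False` path is an assumed model of the behaviour the thread describes (answering y.a.x from *.x, so NOERROR where NXDOMAIN is due), not djbdns's actual code.

```python
"""Toy authoritative lookup applying the RFC 1034 section 4.3.3 wildcard rule.
Added example only: not code from tinydnssec, djbdns or the thread above, and
the zone contents below are constructed for illustration."""

from typing import Dict, List, Optional, Tuple

Labels = Tuple[str, ...]                 # owner name as labels, apex label first
RRset = Dict[str, List[str]]             # RR type -> list of rdata strings
RR = Tuple[str, str, str]                # (owner, type, rdata)
Answer = Tuple[str, List[RR]]            # (rcode, answer section)


def to_labels(name: str) -> Labels:
    """'y.a.x.' -> ('x', 'a', 'y'); the root is the empty tuple."""
    name = name.rstrip(".").lower()
    return tuple(reversed(name.split("."))) if name else ()


def to_name(labels: Labels) -> str:
    return ".".join(reversed(labels)) + "."


class Zone:
    def __init__(self, apex: str, records: Dict[str, RRset]) -> None:
        self.apex = to_labels(apex)
        self.records: Dict[Labels, RRset] = {
            to_labels(owner): rrs for owner, rrs in records.items()
        }

    def name_exists(self, labels: Labels) -> bool:
        """A name exists if it owns records or is an ancestor of an owner
        (an empty non-terminal); both count as nodes in RFC 1034 terms."""
        n = len(labels)
        return any(owner[:n] == labels for owner in self.records)

    def lookup(self, qname: str, qtype: str, correct: bool = True) -> Answer:
        qlabels = to_labels(qname)
        if qlabels[: len(self.apex)] != self.apex:
            return "REFUSED", []                 # not authoritative for this name
        answers: List[RR] = []
        target = qlabels
        for _ in range(8):                       # bound in-zone CNAME chasing
            rcode, rrs = self._find(target, correct)
            if rrs is None:
                return rcode, answers            # NXDOMAIN (or chased into one)
            if qtype in rrs:
                answers += [(to_name(target), qtype, rd) for rd in rrs[qtype]]
                return "NOERROR", answers
            if "CNAME" in rrs and qtype != "CNAME":
                cname = rrs["CNAME"][0]
                answers.append((to_name(target), "CNAME", cname))
                target = to_labels(cname)
                if target[: len(self.apex)] != self.apex:
                    return "NOERROR", answers    # target is out of zone; stop
                continue
            return "NOERROR", answers            # NODATA: name exists, no such type
        return "SERVFAIL", answers

    def _find(self, labels: Labels, correct: bool) -> Tuple[str, Optional[RRset]]:
        """Locate the RRset for an owner name, synthesising from a wildcard only
        where RFC 1034 4.3.3 permits: the wildcard must be a direct child of the
        closest encloser, i.e. no name between it and the query name exists."""
        for depth in range(len(self.apex) + 1, len(labels) + 1):
            prefix = labels[:depth]
            if self.name_exists(prefix):
                continue
            # prefix is the first non-existent name on the path from the apex;
            # its parent is the closest encloser.
            wildcard = prefix[:-1] + ("*",)
            if wildcard in self.records:
                return "NOERROR", self.records[wildcard]
            if not correct:
                # Assumed model of the broken behaviour in the thread: keep
                # looking for a wildcard higher up, ignoring the existing
                # intervening name, so y.a.x is answered from *.x.
                for up in range(depth - 2, len(self.apex) - 1, -1):
                    w = labels[:up] + ("*",)
                    if w in self.records:
                        return "NOERROR", self.records[w]
            return "NXDOMAIN", None
        return "NOERROR", self.records.get(labels, {})   # {} = empty non-terminal


# Constructed zone (not real data): wildcard *.x, ordinary name a.x, CNAME at
# c.x, and d.e.x, which makes e.x an empty non-terminal.
ZONE = Zone("x.", {
    "x.": {"SOA": ["ns.x. hostmaster.x. 1 3600 900 1209600 3600"], "NS": ["ns.x."]},
    "*.x.": {"TXT": ["wildcard"]},
    "a.x.": {"A": ["192.0.2.1"]},
    "c.x.": {"CNAME": ["a.x."]},
    "d.e.x.": {"A": ["192.0.2.2"]},
})


def query(qname: str, qtype: str, correct: bool = True) -> Answer:
    return ZONE.lookup(qname, qtype, correct)


if __name__ == "__main__":
    for name in ("y.x", "b.y.x", "y.a.x", "f.e.x", "e.x", "c.x"):
        print(name, "TXT", query(name, "TXT"), "| broken:", query(name, "TXT", False))
```

The point the thread makes is the rcode: a DNSSEC validator proves a wildcard expansion or an NXDOMAIN from NSEC/NSEC3 records covering the closest encloser and the next closer name, so a server that synthesises y.a.x from *.x when a.x exists returns an answer no validator can authenticate. Note that b.y.x still gets the wildcard answer, because y.x does not exist and *.x is therefore a direct child of the closest encloser x.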
