Hi Matt,
Could you please send me the zone file?
Thanks!
On 3/14/24 20:20, Matthew Pounsett wrote:
I got a report of an NSEC error from someone who tried to connect to a mistyped hostname. I've done a bit of poking, and it looks like we're seeing a missing wildcard NSEC for domain names that are
two subdomains down from the apex, but not for subdomains of the apex. Though, I admit I can't see the problem myself. Querying by hand I see what looks like an identical response, but resolvers and
DNSViz report problems with the deeper name.
For example, nonexistent.dns-oarc.net and nonexistent.sjc.dns-oarc.net (sjc.dns-oarc.net is a real
subdomain with hosts in it, not an ENT)... kdig output and DNSViz results below.
We're running knot/unknown,now 3.3.5-cznic.1~bullseye from deb.knot-dns.cz, and this is the relevant policy statement for the
zone:
policy:
  - id: ecdsa
    algorithm: ecdsap256sha256
    ksk-lifetime: 365d
    ksk-submission: parent_zone_sbm
    zsk-lifetime: 30d
    rrsig-lifetime: 14d
    rrsig-refresh: 7d
We are mid-KSK-roll, waiting on the DS submission check.
Have I misconfigured something here, or is there a signing bug, or is this
something else?
Thanks!
Matt
---
nonexistent.sjc.dns-oarc.net: DNSviz reports this is fine.
<https://dnsviz.net/d/nonexistent.dns-oarc.net/ZfNH1w/dnssec/>
;; ->>HEADER<<- opcode: QUERY; status: NXDOMAIN; id: 9380
;; Flags: qr aa; QUERY: 1; ANSWER: 0; AUTHORITY: 6; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 1232 B; ext-rcode: NOERROR
;; QUESTION SECTION:
;; nonexistent.dns-oarc.net. IN A
;; AUTHORITY SECTION:
dns-oarc.net. 3600 IN SOA ns1.dns-oarc.net. hostmaster.dns-oarc.net. 2024031400 300 60 604800 3600
nfsen.dns-oarc.net. 3600 IN NSEC ns.dns-oarc.net. A AAAA RRSIG NSEC
dns-oarc.net. 3600 IN NSEC fs1.10g.dns-oarc.net. A NS SOA MX TXT AAAA RRSIG NSEC DNSKEY CDS CDNSKEY CAA
dns-oarc.net. 3600 IN RRSIG SOA 13 2 14400 20240328021935 20240314004935 6048 dns-oarc.net. [omitted]
nfsen.dns-oarc.net. 3600 IN RRSIG NSEC 13 3 3600 20240326215132 20240312202132 6048 dns-oarc.net. [omitted]
dns-oarc.net. 3600 IN RRSIG NSEC 13 2 3600 20240322045130 20240308032130 6048 dns-oarc.net. [omitted]
;; Received 518 B
;; Time 2024-03-14 18:57:33 UTC
;; From 64.191.0.128@53(UDP) in 0.3 ms
nonexistent.sjc.dns-oarc.net: resolvers and DNSViz report a missing wildcard NSEC
<https://dnsviz.net/d/nonexistent.sjc.dns-oarc.net/ZfNH6w/dnssec/>
;; ->>HEADER<<- opcode: QUERY; status: NXDOMAIN; id: 660
;; Flags: qr aa; QUERY: 1; ANSWER: 0; AUTHORITY: 6; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 1232 B; ext-rcode: NOERROR
;; QUESTION SECTION:
;; nonexistent.sjc.dns-oarc.net. IN A
;; AUTHORITY SECTION:
dns-oarc.net. 3600 IN SOA ns1.dns-oarc.net. hostmaster.dns-oarc.net. 2024031400 300 60 604800 3600
newmail.sjc.dns-oarc.net. 3600 IN NSEC pdu-7301.sjc.dns-oarc.net. A AAAA RRSIG NSEC
shin-cubes.dns-oarc.net. 3600 IN NSEC an1.10g.sjc.dns-oarc.net. A AAAA RRSIG NSEC
dns-oarc.net. 3600 IN RRSIG SOA 13 2 14400 20240328021935 20240314004935 6048 dns-oarc.net. [omitted]
newmail.sjc.dns-oarc.net. 3600 IN RRSIG NSEC 13 4 3600 20240326215132 20240312202132 6048 dns-oarc.net. [omitted]
shin-cubes.dns-oarc.net. 3600 IN RRSIG NSEC 13 3 3600 20240326215132 20240312202132 6048 dns-oarc.net. [omitted]
;; Received 544 B
;; Time 2024-03-14 18:57:33 UTC
;; From 64.191.0.128@53(UDP) in 0.3 ms
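To make the validator's side of this concrete, here is an added Python sketch (mine, not from the thread or from Knot) that applies RFC 4034 section 6.1 canonical ordering and the RFC 4035 section 5.4 NXDOMAIN checks to the NSEC records transcribed from the two kdig replies above; the closest_encloser_covered flag is my own extra consistency check, not an RFC requirement.

```python
def labels(name: str) -> list[bytes]:
    # Labels rightmost-first, lowercased, as raw octets (RFC 4034 section 6.1).
    return [l.lower().encode() for l in name.rstrip(".").split(".")][::-1]

def canon_cmp(a: str, b: str) -> int:
    """-1/0/1 canonical DNS ordering: compare label by label from the root."""
    la, lb = labels(a), labels(b)
    for x, y in zip(la, lb):
        if x != y:
            return -1 if x < y else 1   # octet-string comparison, so "*" < "10g" < "an1"
    return (len(la) > len(lb)) - (len(la) < len(lb))  # an ancestor sorts before its children

def covered_by(name: str, owner: str, nxt: str) -> bool:
    """True if name falls strictly between owner and next (last NSEC wraps to the apex)."""
    if canon_cmp(owner, nxt) < 0:
        return canon_cmp(owner, name) < 0 < canon_cmp(nxt, name)
    return canon_cmp(owner, name) < 0 or canon_cmp(nxt, name) > 0

def common_ancestor(a: str, b: str) -> str:
    shared = []
    for x, y in zip(labels(a), labels(b)):
        if x != y:
            break
        shared.append(x.decode())
    return ".".join(reversed(shared)) + "."

def check_nxdomain(qname: str, nsecs: list[tuple[str, str]]) -> dict:
    """nsecs are (owner, next) pairs taken from the AUTHORITY section."""
    covering = [n for n in nsecs if covered_by(qname, *n)]
    if not covering:
        return {"qname_covered": False}
    owner, nxt = covering[0]
    # Closest encloser: the deepest name qname shares with the covering NSEC's endpoints.
    ce = max(common_ancestor(qname, owner), common_ancestor(qname, nxt), key=lambda n: len(labels(n)))
    return {
        "qname_covered": True,
        "closest_encloser": ce,
        "wildcard_covered": any(covered_by("*." + ce, *n) for n in nsecs),
        # Extra consistency flag (mine, not an RFC 4035 rule): an NSEC spanning the closest
        # encloser in the same reply asserts that the encloser itself does not exist.
        "closest_encloser_covered": any(covered_by(ce, *n) for n in nsecs),
    }

# (owner, next) pairs transcribed from the two kdig replies quoted above.
REPLY_APEX_CHILD = [("nfsen.dns-oarc.net.", "ns.dns-oarc.net."),
                    ("dns-oarc.net.", "fs1.10g.dns-oarc.net.")]
REPLY_TWO_DOWN = [("newmail.sjc.dns-oarc.net.", "pdu-7301.sjc.dns-oarc.net."),
                  ("shin-cubes.dns-oarc.net.", "an1.10g.sjc.dns-oarc.net.")]

if __name__ == "__main__":
    print(check_nxdomain("nonexistent.dns-oarc.net.", REPLY_APEX_CHILD))
    print(check_nxdomain("nonexistent.sjc.dns-oarc.net.", REPLY_TWO_DOWN))
```

For the deeper name, the same NSEC (shin-cubes -> an1.10g.sjc) that covers *.sjc.dns-oarc.net also spans sjc.dns-oarc.net itself, which is the difference between the two replies that the flag surfaces.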