Hi Matt,

Could you please send me the zone file?

Thanks!

On 3/14/24 20:20, Matthew Pounsett wrote:

I got a report of an NSEC error from someone who tried to connect to a mistyped hostname.  I've done a bit of poking, and it looks like we're seeing a missing wildcard NSEC for domain names that are two subdomains down from the apex, but not for subdomains of the apex.  Though, I admit I can't see the problem myself.  Querying by hand I see what looks like an identical response, but resolvers and DNSViz report problems with the deeper name.

For example, nonexistent.dns-oarc.net and nonexistent.sjc.dns-oarc.net (sjc.dns-oarc.net is a real subdomain with hosts in it, not an ENT)... kdig output and DNSViz results below.
We're running knot/unknown,now 3.3.5-cznic.1~bullseye from deb.knot-dns.cz, and this is the relevant policy statement for the zone:

policy:
   - id: ecdsa
     algorithm: ecdsap256sha256
     ksk-lifetime: 365d
     ksk-submission: parent_zone_sbm
     zsk-lifetime: 30d
     rrsig-lifetime: 14d
     rrsig-refresh: 7d

We are mid-KSK-roll, waiting on the DS submission check.

Have I misconfigured something here, or is there a signing bug, or is this 
something else?

Thanks!
   Matt

---

nonexistent.sjc.dns-oarc.net: DNSviz reports this is fine.
<https://dnsviz.net/d/nonexistent.dns-oarc.net/ZfNH1w/dnssec/>

;; ->>HEADER<<- opcode: QUERY; status: NXDOMAIN; id: 9380
;; Flags: qr aa; QUERY: 1; ANSWER: 0; AUTHORITY: 6; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 1232 B; ext-rcode: NOERROR

;; QUESTION SECTION:
;; nonexistent.dns-oarc.net. IN A

;; AUTHORITY SECTION:
dns-oarc.net.       3600 IN SOA ns1.dns-oarc.net. hostmaster.dns-oarc.net. 2024031400 300 60 604800 3600
nfsen.dns-oarc.net. 3600 IN NSEC ns.dns-oarc.net. A AAAA RRSIG NSEC
dns-oarc.net.       3600 IN NSEC fs1.10g.dns-oarc.net. A NS SOA MX TXT AAAA RRSIG NSEC DNSKEY CDS CDNSKEY CAA
dns-oarc.net.       3600 IN RRSIG SOA 13 2 14400 20240328021935 20240314004935 6048 dns-oarc.net. [omitted]
nfsen.dns-oarc.net. 3600 IN RRSIG NSEC 13 3 3600 20240326215132 20240312202132 6048 dns-oarc.net. [omitted]
dns-oarc.net.       3600 IN RRSIG NSEC 13 2 3600 20240322045130 20240308032130 6048 dns-oarc.net. [omitted]

;; Received 518 B
;; Time 2024-03-14 18:57:33 UTC
;; From 64.191.0.128@53(UDP) in 0.3 ms


nonexistent.sjc.dns-oarc.net: resolvers and DNSViz report a missing wildcard NSEC
<https://dnsviz.net/d/nonexistent.sjc.dns-oarc.net/ZfNH6w/dnssec/>


;; ->>HEADER<<- opcode: QUERY; status: NXDOMAIN; id: 660
;; Flags: qr aa; QUERY: 1; ANSWER: 0; AUTHORITY: 6; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 1232 B; ext-rcode: NOERROR

;; QUESTION SECTION:
;; nonexistent.sjc.dns-oarc.net. IN A

;; AUTHORITY SECTION:
dns-oarc.net.       3600 IN SOA ns1.dns-oarc.net. hostmaster.dns-oarc.net. 2024031400 300 60 604800 3600
newmail.sjc.dns-oarc.net. 3600 IN NSEC pdu-7301.sjc.dns-oarc.net. A AAAA RRSIG NSEC
shin-cubes.dns-oarc.net. 3600 IN NSEC an1.10g.sjc.dns-oarc.net. A AAAA RRSIG NSEC
dns-oarc.net.       3600 IN RRSIG SOA 13 2 14400 20240328021935 20240314004935 6048 dns-oarc.net. [omitted]
newmail.sjc.dns-oarc.net. 3600 IN RRSIG NSEC 13 4 3600 20240326215132 20240312202132 6048 dns-oarc.net. [omitted]
shin-cubes.dns-oarc.net. 3600 IN RRSIG NSEC 13 3 3600 20240326215132 20240312202132 6048 dns-oarc.net. [omitted]

;; Received 544 B
;; Time 2024-03-14 18:57:33 UTC
;; From 64.191.0.128@53(UDP) in 0.3 ms

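As an added example (not code from the thread, from Knot or from DNSViz), the script below replays the NXDOMAIN checks a validator performs under RFC 4035 section 5.4 over the NSEC owner/next pairs copied from the two kdig responses above: whether the queried name is covered, which closest encloser is inferred from the covering NSEC, and whether the wildcard at that closest encloser is covered. It also reports whether the inferred closest encloser owns an NSEC of its own or is only covered by another name's NSEC; all function and variable names are my own.

```python
# Added example, not part of the thread: replays the RFC 4035 s5.4 NXDOMAIN
# checks (name covered, wildcard at closest encloser covered) over the NSEC
# records copied from the two kdig responses in the mail above.

def canon(name):
    """Labels in canonical order (RFC 4034 s6.1): lowercase, compared right to left."""
    return [lab.encode() for lab in reversed(name.lower().rstrip(".").split("."))]

def covers(owner, nxt, name):
    """True if name sorts strictly between owner and next (the last NSEC wraps to the apex)."""
    o, n, x = canon(owner), canon(nxt), canon(name)
    return (o < x < n) if o < n else (o < x or x < n)

def common_ancestor(a, b):
    """Longest name both a and b fall under, written without a trailing dot."""
    shared = []
    for la, lb in zip(canon(a), canon(b)):
        if la != lb:
            break
        shared.append(la.decode())
    return ".".join(reversed(shared))

def closest_encloser(qname, owner, nxt):
    """Usual validator inference: the longer common ancestor of qname with the covering NSEC's owner or next."""
    return max(common_ancestor(qname, owner), common_ancestor(qname, nxt),
               key=lambda n: len(canon(n)))

def check_nxdomain(qname, nsecs):
    """nsecs: list of (owner, next) pairs taken from the AUTHORITY section."""
    covering = [(o, n) for o, n in nsecs if covers(o, n, qname)]
    if not covering:
        return {"qname_covered": False}
    ce = closest_encloser(qname, *covering[0])
    wildcard = "*." + ce
    return {
        "qname_covered": True,
        "closest_encloser": ce,
        "wildcard_covered": any(covers(o, n, wildcard) for o, n in nsecs),
        # A name holding RRsets owns an NSEC; a name that is only covered by
        # another owner's NSEC holds none (an empty non-terminal, or absent).
        "ce_owns_nsec": any(canon(o) == canon(ce) for o, _ in nsecs),
        "ce_covered": any(covers(o, n, ce) for o, n in nsecs),
    }

# NSEC owner/next pairs copied from the two responses in the mail.
RESPONSE_APEX_CHILD = [("nfsen.dns-oarc.net", "ns.dns-oarc.net"),
                       ("dns-oarc.net", "fs1.10g.dns-oarc.net")]
RESPONSE_DEEPER = [("newmail.sjc.dns-oarc.net", "pdu-7301.sjc.dns-oarc.net"),
                   ("shin-cubes.dns-oarc.net", "an1.10g.sjc.dns-oarc.net")]

if __name__ == "__main__":
    print(check_nxdomain("nonexistent.dns-oarc.net", RESPONSE_APEX_CHILD))
    print(check_nxdomain("nonexistent.sjc.dns-oarc.net", RESPONSE_DEEPER))
```

For the deeper name the wildcard *.sjc.dns-oarc.net is covered by the shin-cubes NSEC, but that same NSEC also covers the inferred closest encloser sjc.dns-oarc.net, which owns no NSEC of its own, so the chain presents it as an empty non-terminal. A validator that insists on an existing closest encloser would then step up and look for a denial of *.dns-oarc.net, which the second response does not carry.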