Hi, I have a situation where I'm working on a Remote PIPE backend [0] with DNSSEC and I'm running into a situation with NSEC. (Not working on 3 yet).
The situation is that I have my personal domain 'widodh.nl' from where I delegate 'secure.widodh.nl' to:

- ns011.auroradns.eu
- ns012.auroradns.nl
- ns013.auroradns.info

These servers run PowerDNS 4.0 with the Remote Backend. This works just fine, I can query (AAAA) these hostnames and they work:

- secure.widodh.nl
- a.secure.widodh.nl
- b.secure.widodh.nl
- c.secure.widodh.nl
- e.secure.widodh.nl
- f.secure.widodh.nl

'd' doesn't exist on purpose.

Now, when I ask ns011.auroradns.eu directly it responds with a proper NSEC response:

wido@wido-desktop:~$ dig @ns011.auroradns.eu NSEC d.secure.widodh.nl

; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> @ns011.auroradns.eu NSEC d.secure.widodh.nl
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51915
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1680
;; QUESTION SECTION:
;d.secure.widodh.nl.            IN      NSEC

;; ANSWER SECTION:
c.secure.widodh.nl.     3600    IN      NSEC    e.secure.widodh.nl. AAAA RRSIG NSEC

;; Query time: 45 msec
;; SERVER: 2a00:f10:121:b00:434:a0ff:fe00:1bc7#53(2a00:f10:121:b00:434:a0ff:fe00:1bc7)
;; WHEN: Tue Jul 26 10:15:08 CEST 2016
;; MSG SIZE  rcvd: 89

wido@wido-desktop:~$

As you can see, 'c' and 'e' are before and after. For that to work I implemented 'getBeforeAndAfterNamesAbsolute' in my backend.

Now, when I try to perform a NSEC query for 'd.secure.widodh.nl' without asking ns011 directly it fails with a SERVFAIL. When I trace with dig I see that it dies at v1.pcextreme.nl, which is a PowerDNS 3.4.9 setup with a MySQL backend.

The dig output is long, so a snippet:

wido@crew:~$ dig -6 +trace NSEC c.secure.widodh.nl

; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> -6 +trace NSEC c.secure.widodh.nl
;; global options: +cmd
...
...
widodh.nl.              3600    IN      NS      v1.pcextreme.nl.
widodh.nl.              3600    IN      NS      v2.pcextreme.nl.
widodh.nl.              3600    IN      NS      v3.pcextreme.eu.
widodh.nl.              3600    IN      DS      44692 8 2 C9AABC5574CF0772A5AC75120DA56FE387BCF52DC8122B04EA7FC41B 8EFDF47C
widodh.nl.              3600    IN      RRSIG   DS 8 2 3600 20160804065721 20160721071001 14028 nl. DaT8QiwTBDPnUTNdM25EMQl4zjRjwxL52pinbv/8nsWdx39egO9eOktK IpS+ntcTv22JYdI4yLrT3HjbeoPMBnAGPKOCQ9hSfnogNFeZATnV9Pti zPrvqsdsqeGgRWhFWHVY52TuPxjkC5D1B0ZkYPtKpj3/pduY8PYtA5M4 6Ko=
;; Received 418 bytes from 2a00:1188:5::212#53(ns4.dns.nl) in 14 ms

secure.widodh.nl.       3600    IN      RRSIG   NSEC 8 3 3600 20160804000000 20160714000000 7725 widodh.nl. XWDj2A4iaEC3ZDxKaiRT/+qIrP7QZ+uuUHz/MYHh76cE2m0Kd4RGhK75 qErhKPOGzg0i+LJ1ePceRFHr0rFO1xPRyQlbAaqxOeeTARGXLLN4SPY5 Ze+qwA0RppIei0Fi2GXJ5+Lha/v57RcGpnLOGgz/NqU3HolTr0Fq+nnf 9j4=
secure.widodh.nl.       3600    IN      NSEC    soekris.widodh.nl. NS DS RRSIG NSEC
;; Received 255 bytes from 2001:14a0:300:4::53#53(v2.pcextreme.nl) in 13 ms

wido@crew:~$

v2.pcextreme.nl in this case does NOT respond with NS records delegating 'secure.widodh.nl' to the *auroradns* servers.

Turning on query logging showed me:

select min(ordername) from records where ordername > 'secure c' and domain_id=8131 and disabled=0 and ordername is not null
select ordername, name from records where ordername <= 'secure c' and domain_id=8131 and disabled=0 and ordername is not null order by 1 desc limit 1
SELECT content,ttl,prio,type,domain_id,disabled,name,auth FROM records WHERE disabled=0 and name='secure.widodh.nl' and domain_id=8131

This setup seems to think that because 'widodh.nl' exists on that setup it has to look locally for the NSEC before and after and not delegate it towards the other nameservers.

The last query yields three NS records and one DS record, just as it is supposed to do.

I am starting to think this is an issue with PowerDNS 3.4.9 and the MySQL backend. However, I'm not 100% sure, as the NSEC part of DNSSEC is still not 100% clear to me.

Is there something I'm doing wrong here?

Thank you in advance,

Wido

[0]: https://doc.powerdns.com/md/authoritative/backend-remote/
[1]: https://doc.powerdns.com/md/authoritative/backend-remote/#getbeforeandafternamesabsolute

_______________________________________________
Pdns-dev mailing list
Pdns-dev@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-dev
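The following is an added illustration, not part of the post above and not PowerDNS code, of the two things the thread turns on: the canonical-order "before/after" lookup that `getBeforeAndAfterNamesAbsolute` has to perform, and the zone-cut check that decides whether an authoritative server may answer with an NSEC at all or must hand out a referral (NS + DS) instead. The zone contents are constructed from the names in the post; the `ordername` format (labels relative to the apex, reversed, space-joined) mirrors the `'secure c'` value visible in the query log; the rule "everything at or below a delegation is a referral, except a DS query at the cut itself" is the assumption the model uses for what a correct parent should do.

```python
"""Model of NSEC before/after lookup with zone-cut awareness.

Constructed example (not PowerDNS code). The zones below are made up
to mirror the names discussed on the list: the parent widodh.nl with a
delegation at secure.widodh.nl, and the child secure.widodh.nl with
a, b, c, e, f (no 'd').
"""


def labels(name):
    """Split an absolute name into lowercase labels; '.' -> []."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []


def norm(name):
    """Lowercase and make sure the name is dot-terminated."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def canonical_key(name):
    """RFC 4034 section 6.1 canonical ordering key: labels reversed and
    compared as byte strings, so a name sorts before its own children."""
    return tuple(l.encode("ascii") for l in reversed(labels(name)))


def ordername(name, zone):
    """PowerDNS-style NSEC 'ordername': labels relative to the apex,
    reversed and space-joined, e.g. 'secure c' for c.secure.widodh.nl
    inside widodh.nl (format taken from the posted query log)."""
    n, z = labels(name), labels(zone)
    if n[len(n) - len(z):] != z:
        raise ValueError("name not in zone")
    return " ".join(reversed(n[:len(n) - len(z)]))


class Zone:
    def __init__(self, apex, records):
        self.apex = norm(apex)
        # records: {owner name: set of RR types present at that name}
        self.records = {norm(k): set(v) for k, v in records.items()}

    def zone_cut(self, qname):
        """Return the delegation point that owns qname, or None when the
        name is authoritative data here. Ancestors are checked from the
        apex downwards so the topmost cut wins; the apex NS set is not a cut."""
        n, z = labels(qname), labels(self.apex)
        if n[len(n) - len(z):] != z:
            raise ValueError("qname not in zone")
        for i in range(len(n) - len(z) - 1, -1, -1):
            ancestor = ".".join(n[i:]) + "."
            if ancestor != self.apex and "NS" in self.records.get(ancestor, ()):
                return ancestor
        return None

    def nsec_chain(self):
        """Owner names that carry an NSEC in this zone: every name that is
        not strictly below a cut. The cut itself stays in the chain (the
        parent signs NSEC at the delegation with an NS DS bitmap)."""
        chain = [n for n in self.records if self.zone_cut(n) in (None, n)]
        return sorted(chain, key=canonical_key)

    def before_and_after(self, qname):
        """Closest chain name <= qname and closest name > qname in
        canonical order, wrapping around past the last name to the apex."""
        chain, k = self.nsec_chain(), canonical_key(qname)
        before = [n for n in chain if canonical_key(n) <= k]
        after = [n for n in chain if canonical_key(n) > k]
        return (before[-1] if before else chain[-1],
                after[0] if after else chain[0])

    def answer(self, qname, qtype="AAAA"):
        """What this server should do: a referral for anything at or below
        a delegation (assumption: DS at the cut is the only exception),
        else a positive answer, else an NSEC-based denial."""
        qname = norm(qname)
        cut = self.zone_cut(qname)
        if cut is not None and not (cut == qname and qtype == "DS"):
            return ("REFERRAL", cut)
        if qtype in self.records.get(qname, ()):
            return ("ANSWER", qname)
        return ("DENIAL", self.before_and_after(qname))


# Constructed zone data mirroring the names in the post.
PARENT = Zone("widodh.nl.", {
    "widodh.nl.": {"SOA", "NS", "AAAA"},
    "secure.widodh.nl.": {"NS", "DS"},      # delegated to the auroradns servers
    "soekris.widodh.nl.": {"AAAA"},
})

CHILD = Zone("secure.widodh.nl.", {
    "secure.widodh.nl.": {"SOA", "NS", "AAAA"},
    "a.secure.widodh.nl.": {"AAAA"},
    "b.secure.widodh.nl.": {"AAAA"},
    "c.secure.widodh.nl.": {"AAAA"},
    "e.secure.widodh.nl.": {"AAAA"},
    "f.secure.widodh.nl.": {"AAAA"},
})

if __name__ == "__main__":
    print("parent:", PARENT.answer("d.secure.widodh.nl.", "NSEC"))
    print("child: ", CHILD.answer("d.secure.widodh.nl.", "NSEC"))
    print("ordername:", ordername("c.secure.widodh.nl.", "widodh.nl."))
```

Run as a script, the parent produces a referral to `secure.widodh.nl.` for anything under the cut (which is where the posted 3.4.9 trace instead came back with the `secure.widodh.nl. NSEC soekris.widodh.nl.` record), while the child yields the `c`/`e` pair that ns011 returned; the `ordername` helper reproduces the `'secure c'` key from the logged SQL, which is useful when checking what a backend's before/after query is actually comparing against.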