Hello Wido,
On 26 Jul 2016, at 10:22, Wido den Hollander wrote:
wido@crew:~$ dig -6 +trace NSEC c.secure.widodh.nl
; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> -6 +trace NSEC c.secure.widodh.nl
;; global options: +cmd
...
...
widodh.nl. 3600 IN NS v1.pcextreme.nl.
widodh.nl. 3600 IN NS v2.pcextreme.nl.
widodh.nl. 3600 IN NS v3.pcextreme.eu.
widodh.nl. 3600 IN DS 44692 8 2 C9AABC5574CF0772A5AC75120DA56FE387BCF52DC8122B04EA7FC41B 8EFDF47C
widodh.nl. 3600 IN RRSIG DS 8 2 3600 20160804065721 20160721071001
14028 nl. DaT8QiwTBDPnUTNdM25EMQl4zjRjwxL52pinbv/8nsWdx39egO9eOktK
IpS+ntcTv22JYdI4yLrT3HjbeoPMBnAGPKOCQ9hSfnogNFeZATnV9Pti
zPrvqsdsqeGgRWhFWHVY52TuPxjkC5D1B0ZkYPtKpj3/pduY8PYtA5M4 6Ko=
;; Received 418 bytes from 2a00:1188:5::212#53(ns4.dns.nl) in 14 ms
secure.widodh.nl. 3600 IN RRSIG NSEC 8 3 3600 20160804000000
20160714000000 7725 widodh.nl.
XWDj2A4iaEC3ZDxKaiRT/+qIrP7QZ+uuUHz/MYHh76cE2m0Kd4RGhK75
qErhKPOGzg0i+LJ1ePceRFHr0rFO1xPRyQlbAaqxOeeTARGXLLN4SPY5
Ze+qwA0RppIei0Fi2GXJ5+Lha/v57RcGpnLOGgz/NqU3HolTr0Fq+nnf 9j4=
secure.widodh.nl. 3600 IN NSEC soekris.widodh.nl. NS DS RRSIG NSEC
;; Received 255 bytes from 2001:14a0:300:4::53#53(v2.pcextreme.nl) in 13 ms
wido@crew:~$
v2.pcextreme.nl in this case does NOT respond with NS records delegating 'secure.widodh.nl' to the *auroradns* servers. That's a bug!
Turning on query logging showed me:
select min(ordername) from records where ordername > 'secure c' and domain_id=8131 and disabled=0 and ordername is not null

select ordername, name from records where ordername <= 'secure c' and domain_id=8131 and disabled=0 and ordername is not null order by 1 desc limit 1

SELECT content,ttl,prio,type,domain_id,disabled,name,auth FROM records WHERE disabled=0 and name='secure.widodh.nl' and domain_id=8131
This setup seems to think that because 'widodh.nl' exists on that setup it has to look locally for the NSEC before and after and not delegate it towards the other nameservers.
That’s not exactly what’s going wrong, but yes, it is broken.
The last query yields three NS records and one DS record, just as it is supposed to do.
And indeed that is what it should be giving you, like with any other type you query (except DS which is supposed to be special).
I am starting to think this is an issue with PowerDNS 3.4.9 and the MySQL backend. However, I'm not 100% sure as the NSEC part of DNSSEC is still not 100% clear to me.
Yes, this is an issue in PowerDNS. I have also confirmed it on 4.0.x/master. It is not specific to MySQL, it is broken the same way with every backend (including non-SQL ones). Can you post your wonderfully extensive report at https://github.com/PowerDNS/pdns/issues/new ? Thanks!
Kind regards,
--
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
_______________________________________________
Pdns-dev mailing list
Pdns-dev@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-dev
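The point Peter makes above (a parent server must refer any query at or below a zone cut to the child, and answer itself only for DS at the cut name) can be shown as a small decision routine. This is an added example, not code from the thread or from PowerDNS; the zone contents are constructed from the records visible in the dig trace, and the auroradns server names are placeholders.

```python
# Added example: how an authoritative server for widodh.nl should classify a
# query that lands at or below the secure.widodh.nl delegation.
# Zone data is constructed from the trace above; RRSIGs are left out, and the
# child nameserver names are placeholders (the thread only says "auroradns").
ZONE_APEX = "widodh.nl."
ZONE = {
    "widodh.nl.": {
        "NS": ["v1.pcextreme.nl.", "v2.pcextreme.nl.", "v3.pcextreme.eu."],
    },
    "secure.widodh.nl.": {  # delegation point (zone cut) inside widodh.nl
        "NS": ["ns1.auroradns.example.", "ns2.auroradns.example."],  # placeholders
        "DS": ["44692 8 2 C9AABC5574CF0772A5AC75120DA56FE387BCF52DC8122B04EA7FC41B8EFDF47C"],
        "NSEC": ["soekris.widodh.nl. NS DS RRSIG NSEC"],
    },
}


def find_zone_cut(zone, qname):
    """Return the highest delegation name strictly below the apex that is at or
    above qname, or None when qname is authoritative data of this zone."""
    labels = qname.rstrip(".").split(".")
    apex_len = len(ZONE_APEX.rstrip(".").split("."))
    # Walk from the label just below the apex down towards qname, so the
    # first NS RRset found is the closest cut to the apex.
    for i in range(len(labels) - apex_len - 1, -1, -1):
        candidate = ".".join(labels[i:]) + "."
        if "NS" in zone.get(candidate, {}):
            return candidate
    return None


def answer(zone, qname, qtype):
    """Classify a query as an authoritative answer or a referral.

    RFC 4035 section 3.1.4.1: the DS RRset at the delegation name is the
    parent's own data and is answered directly; every other type at or below
    the cut belongs to the child zone, so the parent returns a referral
    carrying the child's NS records plus the DS RRset."""
    cut = find_zone_cut(zone, qname)
    if cut is None or (qname == cut and qtype == "DS"):
        return {"kind": "authoritative",
                "answer": zone.get(qname, {}).get(qtype, [])}
    return {"kind": "referral", "zone": cut,
            "NS": zone[cut]["NS"], "DS": zone[cut].get("DS", [])}


if __name__ == "__main__":
    # The query from the trace: NSEC for c.secure.widodh.nl at a widodh.nl
    # server. Correct behaviour is a referral, not the local NSEC lookup.
    print(answer(ZONE, "c.secure.widodh.nl.", "NSEC"))
```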