Hi,

I did some more DNSSEC-testing and found another bug:

My setup looks like this:

Bind acting as Master server, serving a presigned zone.
PDNS 3.0 acting as Slave server, PRESIGNED=1 and NSEC3PARAM is set in Domainmetatable.

When querying for an undefined record, PDNS adds an additional NSEC3-Record into the response and the validation of the response fails.

Response from Bind:

;; QUESTION SECTION:
;notfound.nsec3test.at.         IN      A

;; AUTHORITY SECTION:
nsec3test.at. 600 IN SOA ns2.at43.at. mib.nic.at. 3 1200 3600 604800 600
nsec3test.at. 600 IN RRSIG SOA 7 2 600 20110921115504 20110822115504 54530 nsec3test.at. CAljGUcw6e2pHiajLF+T0uCNfBrrtF2ZleDKrPe8gWiBOSmrhGPDGRVQ NUF5CX07AkBvG1pfoe5IKB4sIri0Un9C7MGznKNgc/1xBnmWBFCYzILS 8SkFzyyNalYYpvNnhO7q+MpE6kciv3soZbZJ+fl8Y2xibvvvYswO+vPy 0l4=
O8IVN054N94M5JUQ5H7G0I882UAHH62U.nsec3test.at. 600 IN NSEC3 1 1 10 - NCH5FA1SAKRN1LLO8EKOK28S80L05EQE NS SOA RRSIG DNSKEY NSEC3PARAM
O8IVN054N94M5JUQ5H7G0I882UAHH62U.nsec3test.at. 600 IN RRSIG NSEC3 7 3 600 20110921115504 20110822115504 54530 nsec3test.at. Z5lAmFDBRLYO2J/l2o1CwYfcuuvSixR26B5GIPTDaNvxRdHkVIJEHctQ Hc+4xie3POEed4eZBuYF2mqCCaF0GC5d0D5Y8sJui7Vu3oGxmwWO49vm e0WnNL4WiXWUzd0hOEobK/XJn6ObHLscbR5SmupdIdpA5DaJZ1w1VPQp faw=


The same query against the PDNS:

;; QUESTION SECTION:
;notfound.nsec3test.at.         IN      A

;; AUTHORITY SECTION:
nsec3test.at. 600 IN SOA ns2.at43.at. mib.nic.at. 3 86400 3600 604800 600
nsec3test.at. 600 IN RRSIG SOA 7 2 600 20110921115504 20110822115504 54530 nsec3test.at. CAljGUcw6e2pHiajLF+T0uCNfBrrtF2ZleDKrPe8gWiBOSmrhGPDGRVQ NUF5CX07AkBvG1pfoe5IKB4sIri0Un9C7MGznKNgc/1xBnmWBFCYzILS 8SkFzyyNalYYpvNnhO7q+MpE6kciv3soZbZJ+fl8Y2xibvvvYswO+vPy 0l4=
o8ivn054n94m5juq5h7g0i882uahh62u.nsec3test.at. 0 IN NSEC3 1 1 10 - 66R3IIGV513QGD458A2S11T0MH3E6IET NS SOA RRSIG DNSKEY NSEC3PARAM
o8ivn054n94m5juq5h7g0i882uahh62u.nsec3test.at. 600 IN RRSIG NSEC3 7 3 600 20110921115504 20110822115504 54530 nsec3test.at. Z5lAmFDBRLYO2J/l2o1CwYfcuuvSixR26B5GIPTDaNvxRdHkVIJEHctQ Hc+4xie3POEed4eZBuYF2mqCCaF0GC5d0D5Y8sJui7Vu3oGxmwWO49vm e0WnNL4WiXWUzd0hOEobK/XJn6ObHLscbR5SmupdIdpA5DaJZ1w1VPQp faw=
76nqadco30ibl06a9vmdvu7r31l6r3oi.nsec3test.at. 600 IN NSEC3 1 1 10 - NCH5FA1SAKRN1LLO8EKOK28S80L05EQE RRSIG


The last line is the additional NSEC3-Record.

Can you please have a look?

Thanks in advance and Best,
Michael
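
An added example, not part of the original post and not BIND or PowerDNS code: a validator accepts an NSEC3 name-error proof only if signed NSEC3 records match the closest encloser and cover the next closer name and the wildcard (RFC 5155), so this sketch hashes those three names and classifies each NSEC3 record from the two responses above. It assumes an empty salt and 10 iterations, as read from the `1 1 10 -` fields; the function names are hypothetical, and the check looks at hash ranges only, not at RRSIGs or TTLs.

```python
import base64
import hashlib

# RFC 4648 base32 -> base32hex alphabet, the encoding of NSEC3 owner labels
_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                        "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def wire_name(name):
    """Lowercased DNS wire format of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 hash: SHA-1(name || salt), then `iterations` further rounds."""
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode().translate(_B32HEX)

def classify(owner, nxt, name_hash):
    """'matches', 'covers' or None for one NSEC3 (owner hash, next hash) pair."""
    o, n, h = owner.upper(), nxt.upper(), name_hash.upper()
    if h == o:
        return "matches"
    if o < n:
        return "covers" if o < h < n else None
    return "covers" if (h > o or h < n) else None  # last record in chain wraps

ZONE = "nsec3test.at."
# (owner hash, next hashed owner) pairs copied from the two responses above
BIND = [("O8IVN054N94M5JUQ5H7G0I882UAHH62U", "NCH5FA1SAKRN1LLO8EKOK28S80L05EQE")]
PDNS = [("o8ivn054n94m5juq5h7g0i882uahh62u", "66R3IIGV513QGD458A2S11T0MH3E6IET"),
        ("76nqadco30ibl06a9vmdvu7r31l6r3oi", "NCH5FA1SAKRN1LLO8EKOK28S80L05EQE")]

def report(records, salt_hex="-", iterations=10):
    """Classify apex, query name and wildcard against each NSEC3 record."""
    names = (ZONE, "notfound." + ZONE, "*." + ZONE)
    return {name: [classify(o, n, nsec3_hash(name, salt_hex, iterations))
                   for o, n in records] for name in names}

if __name__ == "__main__":
    for server, records in (("Bind", BIND), ("PDNS", PDNS)):
        for name, result in report(records).items():
            print(server, name, result)
```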

