On Mon, Aug 22, 2011 at 03:41:57PM +0200, Michael Braunoeder wrote:
> I did some more DNSSEC-testing and found another bug:

I was starting to worry that too few bugs were being found ;-)

> When querying for an undefined record, PDNS adds an additional
> NSEC3-Record into the response and the validation of the response
> fails.

Also, the NSEC3 records don't match. The one PowerDNS includes is different from the one BIND emitted.

> Response from Bind:
> ;; AUTHORITY SECTION:
> nsec3test.at. 600 IN SOA ns2.at43.at. mib.nic.at. 3
> 1200 3600 604800 600
> O8IVN054N94M5JUQ5H7G0I882UAHH62U.nsec3test.at. 600 IN NSEC3 1 1 10 -
> NCH5FA1SAKRN1LLO8EKOK28S80L05EQE NS SOA RRSIG DNSKEY NSEC3PARAM

> The same query against the PDNS:
>
> ;; AUTHORITY SECTION:
> nsec3test.at. 600 IN SOA ns2.at43.at. mib.nic.at. 3
> 86400 3600 604800 600
> o8ivn054n94m5juq5h7g0i882uahh62u.nsec3test.at. 0 IN NSEC3 1 1 10 -
> 66R3IIGV513QGD458A2S11T0MH3E6IET NS SOA RRSIG DNSKEY NSEC3PARAM

This one is different from the BIND one.

> 76nqadco30ibl06a9vmdvu7r31l6r3oi.nsec3test.at. 600 IN NSEC3 1 1 10 -
> NCH5FA1SAKRN1LLO8EKOK28S80L05EQE RRSIG

Note that the TTL of the additional o8ivn one is wrong too.

> Can you please have a look?

As a starting point, could you supply your nsec3test.at zone? That would help me reproduce your exact issue. Thanks.
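
For readers who want to check for themselves which names the NSEC3 records quoted above match or cover, here is an added example (not part of the original message and not PowerDNS or BIND code) that implements the RFC 5155 hash and the interval test. The record pairs are copied from the thread; the query name `nonexistent.nsec3test.at` is a hypothetical stand-in, since the thread does not say which name was queried.

```python
import base64
import hashlib

# Standard base32 -> base32hex alphabet (RFC 4648 section 7), which NSEC3 uses.
_TO_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                             b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def wire_name(name):
    """Canonical wire format: lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_hash(name, salt, iterations):
    """RFC 5155 hash (algorithm 1, SHA-1); salt is hex, or '-' for none."""
    salt_bytes = b"" if salt == "-" else bytes.fromhex(salt)
    digest = hashlib.sha1(wire_name(name) + salt_bytes).digest()
    for _ in range(iterations):          # 'iterations' counts the extra rounds
        digest = hashlib.sha1(digest + salt_bytes).digest()
    return base64.b32encode(digest).translate(_TO_B32HEX).decode("ascii").lower()

def relation(owner_hash, next_hash, target_hash):
    """How one NSEC3 record relates to a hashed name: matches, covers or unrelated."""
    owner, nxt, target = (h.lower() for h in (owner_hash, next_hash, target_hash))
    if target == owner:
        return "matches"
    if owner < nxt:                      # ordinary interval
        return "covers" if owner < target < nxt else "unrelated"
    # last record in the chain wraps around to the first
    return "covers" if target > owner or target < nxt else "unrelated"

# (owner hash, next hash) pairs copied from the two AUTHORITY sections in the thread.
BIND = [("O8IVN054N94M5JUQ5H7G0I882UAHH62U", "NCH5FA1SAKRN1LLO8EKOK28S80L05EQE")]
PDNS = [("o8ivn054n94m5juq5h7g0i882uahh62u", "66R3IIGV513QGD458A2S11T0MH3E6IET"),
        ("76nqadco30ibl06a9vmdvu7r31l6r3oi", "NCH5FA1SAKRN1LLO8EKOK28S80L05EQE")]

def check(name, records, salt="-", iterations=10):
    """Relation of each NSEC3 record to `name` (parameters '1 1 10 -' as in the thread)."""
    target = nsec3_hash(name, salt, iterations)
    return [(owner.lower(), relation(owner, nxt, target)) for owner, nxt in records]

if __name__ == "__main__":
    # 'nonexistent.nsec3test.at' is a hypothetical query name; the thread gives none.
    for label, records in (("BIND", BIND), ("PowerDNS", PDNS)):
        for name in ("nsec3test.at", "nonexistent.nsec3test.at"):
            print(label, name, check(name, records))
```

Hash strings compare correctly as lowercase text because the base32hex alphabet is in ASCII order, which is why `relation` can use plain string comparison.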
