Hi!

I use PowerDNS from git HEAD from 20140320 (somewhere between 3.3.1 and 3.4)

For pre-signed zones, PDNS deletes the NSEC3 records on incoming zone transfer, and generates them when needed, and then they hopefully match the pre-signed zone.

AFAIS there is a problem in detecting how the NSEC3 records should be generated. For example, Bind generates NSEC3 records - some with the opt-out flag set, some with the opt-out flag cleared, regardless of the configured NSEC3PARAM record.

Eg the incoming NSEC3PARAM record is:

  NSEC3PARAM 1 0 10 BEEF

PDNS stored in the domainmetadata:

  1 1 10 beef

Thus, it seems that PDNS ignores the NSEC3PARAM record and retrieves the parameters from the NSEC3 records themselves. But these records may have different parameters (the RFC allows a mixed operation).

For opt-out NSEC3 records this works for PDNS, but not for non-opt-out NSEC3 records, e.g. here the response from the hidden master (Bind signer):

  I5G81FPSAIPRKI8OUCVBB662QN9F4AB1.example. 900 IN NSEC3 1 0 10 BEEF IFM20V814R4G440BGE4I249LE1CR05PD
  I5G81FPSAIPRKI8OUCVBB662QN9F4AB1.example. 900 IN RRSIG NSEC3 7 3 900 20140412103334 20140313094600 21170 example. kj1B4llSd3z1pGd6/kV+b8TvsO3QUWiZ++1ny2dBbKiIIOJ8o8ytImWg pUbu3tRiWz/+8e1szgbzIgiAikD0ZRjrMuAyDR7LeG+79pwD50dQNAW4 XKLCAeoy9rcZgHJThcPQASdGBl/GbofjOdBv7qPhgXLp15mU7y8WGXRg HA4=

Here the response from PowerDNS:

  i5g81fpsaiprki8oucvbb662qn9f4ab1.example. 900 IN NSEC3 1 1 10 BEEF IFM20V814R4G440BGE4I249LE1CR05PD
  i5g81fpsaiprki8oucvbb662qn9f4ab1.example. 900 IN RRSIG NSEC3 7 3 900 20140412103334 20140313094600 21170 example. kj1B4llSd3z1pGd6/kV+b8TvsO3QUWiZ++1ny2dBbKiIIOJ8o8ytImWg pUbu3tRiWz/+8e1szgbzIgiAikD0ZRjrMuAyDR7LeG+79pwD50dQNAW4 XKLCAeoy9rcZgHJThcPQASdGBl/GbofjOdBv7qPhgXLp15mU7y8WGXRg HA4=

The opt-out bit is incorrectly set and the RRSIG's signature does not match the NSEC3 record.


I think the current PDNS approach of dynamically generating NSEC3 records for pre-signed zones is broken and error-prone.


Shall I file a bug report, or is there a workaround?

Thanks
Klaus
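The comparison the message performs by hand, as an added example (Python; not part of the original message and not PowerDNS code): it parses the dig-style NSEC3 lines returned by the hidden master and by the secondary, pairs them by owner name, and reports every RDATA field that differs, naming the opt-out bit explicitly. The two input records are the ones quoted above; the function names are my own.

```python
"""Check that a secondary serves the same NSEC3 RDATA as the hidden master.

Added example, not from the original post or from PowerDNS. Input lines are
in dig presentation format: 'owner TTL IN NSEC3 alg flags iter salt next'.
"""
from typing import Dict, List, NamedTuple

OPT_OUT = 0x01  # NSEC3 flags field, opt-out bit (RFC 5155)


class Nsec3(NamedTuple):
    owner: str
    hash_alg: int
    flags: int
    iterations: int
    salt: str
    next_hashed: str


def parse_nsec3(line: str) -> Nsec3:
    """Parse one NSEC3 record; owner and salt compare case-insensitively."""
    f = line.split()
    if len(f) < 9 or f[3] != "NSEC3":
        raise ValueError("not an NSEC3 record: " + line)
    return Nsec3(f[0].lower(), int(f[4]), int(f[5]), int(f[6]),
                 f[7].lower(), f[8].upper())


def compare_nsec3(master: List[str], secondary: List[str]) -> List[str]:
    """Return one finding per owner/field whose RDATA differs between sides."""
    m: Dict[str, Nsec3] = {r.owner: r for r in map(parse_nsec3, master)}
    s: Dict[str, Nsec3] = {r.owner: r for r in map(parse_nsec3, secondary)}
    findings = []
    for owner in sorted(set(m) | set(s)):
        if owner not in m or owner not in s:
            findings.append(f"{owner}: present on only one side")
            continue
        for field in Nsec3._fields[1:]:
            a, b = getattr(m[owner], field), getattr(s[owner], field)
            if a != b:
                note = ""
                if field == "flags" and (a ^ b) & OPT_OUT:
                    # The RRSIG covers the flags byte, so it cannot validate.
                    note = " (opt-out bit differs; RRSIG cannot match)"
                findings.append(f"{owner}: {field} {a} != {b}{note}")
    return findings


# Constructed from the two NSEC3 records quoted in the message.
MASTER = ["I5G81FPSAIPRKI8OUCVBB662QN9F4AB1.example. 900 IN NSEC3 1 0 10 BEEF IFM20V814R4G440BGE4I249LE1CR05PD"]
SECONDARY = ["i5g81fpsaiprki8oucvbb662qn9f4ab1.example. 900 IN NSEC3 1 1 10 BEEF IFM20V814R4G440BGE4I249LE1CR05PD"]

if __name__ == "__main__":
    for finding in compare_nsec3(MASTER, SECONDARY):
        print(finding)
```

Running it over the full NSEC3 chain of both servers (e.g. from an AXFR of each) lists every owner whose flags, salt, iterations or next-hash differ, which is exactly where the pre-signed RRSIGs will fail to validate.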



_______________________________________________
Pdns-users mailing list
[email protected]
http://mailman.powerdns.com/mailman/listinfo/pdns-users
