[Pdns-users] Additional NSEC3-Record in Response - DNSSEC Validation fails
Hi,

I did some more DNSSEC-testing and found another bug:

My setup looks like this:
Bind acting as Master server, serving a presigned zone.
PDNS 3.0 acting as Slave server, PRESIGNED=1 and NSEC3PARAM is set in the domainmetadata table.

When querying for an undefined record, PDNS adds an additional NSEC3-Record into the response and the validation of the response fails.

Response from Bind:

;; QUESTION SECTION:
;notfound.nsec3test.at. IN A

;; AUTHORITY SECTION:
nsec3test.at. 600 IN SOA ns2.at43.at. mib.nic.at. 3 1200 3600 604800 600
nsec3test.at. 600 IN RRSIG SOA 7 2 600 20110921115504 20110822115504 54530 nsec3test.at. CAljGUcw6e2pHiajLF+T0uCNfBrrtF2ZleDKrPe8gWiBOSmrhGPDGRVQ NUF5CX07AkBvG1pfoe5IKB4sIri0Un9C7MGznKNgc/1xBnmWBFCYzILS 8SkFzyyNalYYpvNnhO7q+MpE6kciv3soZbZJ+fl8Y2xibvvvYswO+vPy 0l4=
O8IVN054N94M5JUQ5H7G0I882UAHH62U.nsec3test.at. 600 IN NSEC3 1 1 10 - NCH5FA1SAKRN1LLO8EKOK28S80L05EQE NS SOA RRSIG DNSKEY NSEC3PARAM
O8IVN054N94M5JUQ5H7G0I882UAHH62U.nsec3test.at. 600 IN RRSIG NSEC3 7 3 600 20110921115504 20110822115504 54530 nsec3test.at. Z5lAmFDBRLYO2J/l2o1CwYfcuuvSixR26B5GIPTDaNvxRdHkVIJEHctQ Hc+4xie3POEed4eZBuYF2mqCCaF0GC5d0D5Y8sJui7Vu3oGxmwWO49vm e0WnNL4WiXWUzd0hOEobK/XJn6ObHLscbR5SmupdIdpA5DaJZ1w1VPQp faw=

The same query against the PDNS:

;; QUESTION SECTION:
;notfound.nsec3test.at. IN A

;; AUTHORITY SECTION:
nsec3test.at. 600 IN SOA ns2.at43.at. mib.nic.at. 3 86400 3600 604800 600
nsec3test.at. 600 IN RRSIG SOA 7 2 600 20110921115504 20110822115504 54530 nsec3test.at. CAljGUcw6e2pHiajLF+T0uCNfBrrtF2ZleDKrPe8gWiBOSmrhGPDGRVQ NUF5CX07AkBvG1pfoe5IKB4sIri0Un9C7MGznKNgc/1xBnmWBFCYzILS 8SkFzyyNalYYpvNnhO7q+MpE6kciv3soZbZJ+fl8Y2xibvvvYswO+vPy 0l4=
o8ivn054n94m5juq5h7g0i882uahh62u.nsec3test.at. 0 IN NSEC3 1 1 10 - 66R3IIGV513QGD458A2S11T0MH3E6IET NS SOA RRSIG DNSKEY NSEC3PARAM
o8ivn054n94m5juq5h7g0i882uahh62u.nsec3test.at. 600 IN RRSIG NSEC3 7 3 600 20110921115504 20110822115504 54530 nsec3test.at. Z5lAmFDBRLYO2J/l2o1CwYfcuuvSixR26B5GIPTDaNvxRdHkVIJEHctQ Hc+4xie3POEed4eZBuYF2mqCCaF0GC5d0D5Y8sJui7Vu3oGxmwWO49vm e0WnNL4WiXWUzd0hOEobK/XJn6ObHLscbR5SmupdIdpA5DaJZ1w1VPQp faw=
76nqadco30ibl06a9vmdvu7r31l6r3oi.nsec3test.at. 600 IN NSEC3 1 1 10 - NCH5FA1SAKRN1LLO8EKOK28S80L05EQE RRSIG

The last line is the additional NSEC3-Record.

Can you please have a look?

Thanks in advance and Best,
Michael

___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users
Re: [Pdns-users] Additional NSEC3-Record in Response - DNSSEC Validation fails
On Mon, Aug 22, 2011 at 03:41:57PM +0200, Michael Braunoeder wrote:
> I did some more DNSSEC-testing and found another bug:

I was starting to worry that too few bugs were being found ;-)

> When querying for an undefined record, PDNS adds an additional NSEC3-Record into the response and the validation of the response fails.

Also, the NSEC3 records don't match. The one PowerDNS includes is different from the one BIND emitted.

> Response from Bind:
>
> ;; AUTHORITY SECTION:
> nsec3test.at. 600 IN SOA ns2.at43.at. mib.nic.at. 3 1200 3600 604800 600
> O8IVN054N94M5JUQ5H7G0I882UAHH62U.nsec3test.at. 600 IN NSEC3 1 1 10 - NCH5FA1SAKRN1LLO8EKOK28S80L05EQE NS SOA RRSIG DNSKEY NSEC3PARAM
>
> The same query against the PDNS:
>
> ;; AUTHORITY SECTION:
> nsec3test.at. 600 IN SOA ns2.at43.at. mib.nic.at. 3 86400 3600 604800 600
> o8ivn054n94m5juq5h7g0i882uahh62u.nsec3test.at. 0 IN NSEC3 1 1 10 - 66R3IIGV513QGD458A2S11T0MH3E6IET NS SOA RRSIG DNSKEY NSEC3PARAM

This one is different from the BIND one.

> 76nqadco30ibl06a9vmdvu7r31l6r3oi.nsec3test.at. 600 IN NSEC3 1 1 10 - NCH5FA1SAKRN1LLO8EKOK28S80L05EQE RRSIG

Note that the TTL of the additional o8ivn one is wrong too.

> Can you please have a look?

As a starting point, could you supply your nsec3test.at zone? That would help me reproduce your exact issue.

Thanks.
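What a validator actually does with the AUTHORITY sections quoted in this thread is (a) hash the queried name and its ancestors with the NSEC3 parameters from the record (algorithm 1 = SHA-1, 10 iterations, empty salt "-" here) and (b) check that the returned NSEC3 owner/next pairs match the closest encloser and cover the next closer name and the wildcard. The following is an added example written for this page, not code from the thread, PowerDNS or BIND. It implements the RFC 5155 hash and the covering test; the two-name zone ("example.", "a.example.") in the usage section is constructed, and the only hashes taken from the thread are the BIND owner/next pair, used purely as inputs to the covering test. Comparisons are case-insensitive because base32hex owner names may be emitted in either case (as the lower-case PowerDNS names above show), and the TTL plays no part in the check.

```python
"""Added example: RFC 5155 NSEC3 hashing and the negative-proof checks a
DNSSEC validator applies to an NSEC3 AUTHORITY section. Not project code."""
import base64
import hashlib

# NSEC3 owner names use base32hex (RFC 4648 s.7) because that alphabet sorts
# in the same order as the raw hash bytes; remap from Python's base32 alphabet.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def name_to_wire(name: str) -> bytes:
    """Canonical (lower-cased, uncompressed) wire form of an absolute name."""
    name = name.lower().rstrip(".")
    labels = name.split(".") if name else []          # "" -> root name
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return wire + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 s.5: H = SHA-1(... SHA-1(SHA-1(wire||salt)||salt) ... ||salt),
    i.e. iterations+1 SHA-1 calls. salt_hex is the presentation form:
    hex digits, or '-' for the empty salt used in the thread's records."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20 SHA-1 bytes = 160 bits = exactly 32 base32hex characters, no padding.
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX)


def nsec3_covers(owner_hash: str, next_hash: str, target_hash: str) -> bool:
    """True if the NSEC3 record owner->next proves that target does not exist
    (RFC 5155 s.8.2). Case-insensitive: owner names may be emitted lower-case."""
    o, n, t = (h.upper() for h in (owner_hash, next_hash, target_hash))
    if t == o:
        return False              # exact match proves existence, not absence
    if o < n:
        return o < t < n          # ordinary record in the middle of the chain
    return t > o or t < n         # last record: wraps around to the first


def build_chain(names, salt_hex: str, iterations: int):
    """Constructed helper: the (owner, next) NSEC3 chain a signer would emit
    for a zone containing exactly these names."""
    hashes = sorted(nsec3_hash(n, salt_hex, iterations) for n in names)
    return [(hashes[i], hashes[(i + 1) % len(hashes)]) for i in range(len(hashes))]


def prove_name_error(qname: str, zone: str, salt_hex: str, iterations: int, records):
    """Closest-encloser proof for a Name Error (RFC 5155 s.8.4) over the NSEC3
    (owner_hash, next_hash) pairs found in an AUTHORITY section. Returns the
    closest encloser on success, None if the response does not prove NXDOMAIN."""
    owners = {o.upper(): n.upper() for o, n in records}

    def covered(target_hash: str) -> bool:
        return any(nsec3_covers(o, n, target_hash) for o, n in owners.items())

    labels = qname.rstrip(".").lower().split(".")
    zone_labels = zone.rstrip(".").lower().split(".")
    next_closer_hash = None
    # Walk from qname towards the apex; the first ancestor whose hash matches
    # an NSEC3 owner is the closest encloser, the name one label below it the
    # "next closer" name, which must be covered, as must the wildcard.
    for i in range(len(labels) - len(zone_labels) + 1):
        name = ".".join(labels[i:]) + "."
        h = nsec3_hash(name, salt_hex, iterations)
        if h in owners:
            if next_closer_hash is None:
                return None       # qname itself exists: not a name error
            wildcard_hash = nsec3_hash("*." + name, salt_hex, iterations)
            ok = covered(next_closer_hash) and covered(wildcard_hash)
            return name if ok else None
        next_closer_hash = h
    return None


if __name__ == "__main__":
    # Constructed two-name zone; the chain is what a signer would produce.
    chain = build_chain(["example.", "a.example."], "-", 10)
    for owner, nxt in chain:
        print(f"{owner.lower()}.example. NSEC3 1 0 10 - {nxt}")
    print("b.example. closest encloser:",
          prove_name_error("b.example.", "example.", "-", 10, chain))
```

The `prove_name_error` walk is the reason a Name Error response normally needs more than one NSEC3 record: one whose owner matches the closest encloser and one (possibly the same) that covers the next closer name and the wildcard. Which records satisfy that is decided purely by hash ordering, so an extra or differing NSEC3 record like the ones compared above changes what the validator can prove, independent of whether its RRSIG verifies.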