Hi Michael,
Without having anything specific to look at I would guess that Unbound
is doing the right thing and that the signing part is not properly
creating NSEC/NSEC3 for the Empty Non Terminal 'x.dom.'.
Best regards,
-- Yorgos
On 08/11/2022 20:01, Michael Tokarev via Unbound-users wrote:
Hello!
I'm not sure for the right wording used in $subject, but the issue is here,
let me describe it.
auth-zone:
name: "dom"
primary: <primary-ip>
zonefile: "dom.cached"
for-downstream: no
With this config, and with "dom" containing the following
3 records (+ all the right DNSSEC ones):
a.x A 127.0.0.1
y A 127.0.0.1
b.y A 127.0.0.1
query for foo.y.dom (non-existing) return NXDOMAIN, but
query for foo.x.dom (also non-existing) return TEMPFAIL,
with the following in the log:
unbound: [73699:0] debug: NameError response has failed to prove:
covering wildcard does not exist
unbound: [73699:0] debug: NODATA response failed to prove NODATA
status with NSEC/NSEC3
unbound: [73699:0] info: validate(nxdomain): sec_status_bogus
(with many other debugging info omitted).
The difference between foo.x.dom and foo.y.dom is that the
intermediate label in first case (x.dom) does not have its
own records, while in the second case (y.dom) does have an
A record. So for any subdomain of a label which does not have
its own records but which exists, unbound fails to validate
NXDOMAIN.
This smells like a wrong behavior?
Thanks!
/mjt
