On Wed, Sep 17, 2014 at 12:27 PM, Casey Deccio <[email protected]> wrote:
> I don't immediately see anything wrong with the complete names above. But
> I can see that BIND and unbound both are failing validation for
> _tcp.kinderporno.cz. I am wondering if this is perhaps due to incorrect
> handling of NSEC records associated with wildcards.
>
>
> $ dig +dnssec +noall +authority @ns.forpsi.it _tcp.kinderporno.cz | grep NSEC | head -1
> default._domainkey.kinderporno.cz. 3600 IN NSEC _jabber._tcp.kinderporno.cz. TXT RRSIG NSEC
>
> The NSEC record returned doesn't prove that the name doesn't exist
> (NXDOMAIN) because the name (_tcp.kinderporno.cz) is in fact an ancestor
> of the next field of the NSEC record (_jabber._tcp.kinderporno.cz), as an
> empty non-terminal. But that proof is not required for wildcard, only for
> NXDOMAIN status.
>

For archival purposes, the above guess was incorrect, due to an overlooking of proper server-side wildcard processing behavior from RFC 1034, as indicated by Ondřej, who posted reference to the same issue on the DANE WG mailing list. In this case, the wildcard should never have been expanded because an ancestor of the name exists.

Casey
_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
