[Pdns-users] nsec3 and empty non-terminals

Florian Obser florian at narrans.de
Mon Oct 3 15:01:07 UTC 2011


Hi,
we are using powerdns 3 (pdns-static_3.0-1_amd64.deb on debian squeeze,
mysql backend) as a hidden master / signer and serve the zones with nsd
slaves (3.2.5-1.squeeze1).

Signing this zone:

nsec3.example.com.      86400   IN      SOA     a.ns.nsec3.example.com.
hostmaster.adns2.de. 2011100204 39940 7200 604800 86400
a.ns.nsec3.example.com. 86400   IN      A       217.31.84.231
foo.nsec3.example.com.  86400   IN      A       127.0.0.1
nsec3.example.com.      86400   IN      NS      a.ns.nsec3.example.com.


results in:

$ ldns-verify-zone nsec3.example.com.signed.pdns
Checking: nsec3.example.com.
Checking: foo.nsec3.example.com.
Checking: ns.nsec3.example.com.
Error: there is no NSEC(3) for ns.nsec3.example.com.
Checking: a.ns.nsec3.example.com.
There were errors in the zone

Serving this zone with nsd and asking for ns.nsec3.example.com:

-------------------------------------------------------------
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28548
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ns.nsec3.example.com.          IN      A

;; AUTHORITY SECTION:
nsec3.example.com.      86400   IN      SOA     a.ns.nsec3.example.com.
hostmaster.adns2.de. 2011100204 39940 7200 604800 86400
nsec3.example.com.      86400   IN      RRSIG   SOA 8 3 86400
20111013000000 20110929000000 5949 nsec3.example.com.
PQjEEpfDDO2nEcObap+lpPAxhKRHnH02MYi99fUxRwVB4V3c2ZFAuEtd
vlfMxAx7lnogfDmdLew4wT+UW4JddhtSI0poLf7Y9W7mMdeaw4zVdZql
7HIAp2QB+ku9LW+bKN+O2xTMRZ2PkfcPAOvK+2OwRSrBf2Dj9MaREyh2 I3g=
-------------------------------------------------------------

Note that there are no nsec3 records in the answer.

Asking powerdns directly:

-------------------------------------------------------------
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 38436
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 2800
;; QUESTION SECTION:
;ns.nsec3.example.com.          IN      A

;; AUTHORITY SECTION:
nsec3.example.com.      86400   IN      SOA     a.ns.nsec3.example.com.
hostmaster.adns2.de. 2011100204 39940 7200 604800 86400
nsec3.example.com.      86400   IN      RRSIG   SOA 8 3 86400
20111013000000 20110929000000 5949 nsec3.example.com.
PQjEEpfDDO2nEcObap+lpPAxhKRHnH02MYi99fUxRwVB4V3c2ZFAuEtd
vlfMxAx7lnogfDmdLew4wT+UW4JddhtSI0poLf7Y9W7mMdeaw4zVdZql
7HIAp2QB+ku9LW+bKN+O2xTMRZ2PkfcPAOvK+2OwRSrBf2Dj9MaREyh2 I3g=
8sgphhqpl2lueminpbvobar8gcue7rbk.nsec3.example.com. 86400 IN NSEC3 1 1
10 08A80B76 BLPBV7OT65VBPSBI1QU86M3FH160VLIV NS SOA RRSIG DNSKEY NSEC3PARAM
8sgphhqpl2lueminpbvobar8gcue7rbk.nsec3.example.com. 86400 IN RRSIG NSEC3
8 4 86400 20111013000000 20110929000000 5949 nsec3.example.com.
Ou7F28+3YuTu+BVLpPGv2oNJbTqDaxgu8KVbWEFqrp1o+xAKlOWhM0z9
aOJYMDzBtARUWYmLRrWN2iX2zsKEMsdI7EM9E6CKVJOUY7hw2EW40DOK
8eeUieqIN/9lpnwQjVCRc90qgLfvgH95iXBQ5yYVqrxLonYMjBMspFN9 86Y=
blpbv7ot65vbpsbi1qu86m3fh160vliv.nsec3.example.com. 86400 IN NSEC3 1 1
10 08A80B76 33IRO6M8U5MK1PIIHEDO3GJSD4QO53BR A RRSIG
blpbv7ot65vbpsbi1qu86m3fh160vliv.nsec3.example.com. 86400 IN RRSIG NSEC3
8 4 86400 20111013000000 20110929000000 5949 nsec3.example.com.
cWtYNq8TKe0GdgH1ZQRs9Kl+Y0LFZY16WS8/dCzVWi3mONP7bFbdfnqE
UksrBxf84VW6JO81Jz85WJheFmEFLkTo8fHw3whyuQ2p7/RIg3pvNxMM
0+i1nAxw7ZZKLtug1BERXUNe46R9/OZuz9aagohVDnhqdYg6V5b055yN GXU=
-------------------------------------------------------------

It looks like powerdns proves the non-existence of ns.nsec3.example.com
from foo.nsec3.example.com and a.ns.nsec3.example.com (the same as in
the NSEC case, which works fine in nsd fwiw) while nsd needs an explicit
NSEC3 record for this. Signing the zone with ldns you get this
additional NSEC3 record:

bc3qchshiisvurl7bleco2osgj3kdp4p.nsec3.example.com.    86400   IN
NSEC3   1 1 10 08a80b76  blpbv7ot65vbpsbi1qu86m3fh160vliv ; flags: optout

which I strongly suspect to be ns.nsec3.example.com.

RFC 5155 has this to say (7.1.  Zone Signing, page 16)
   o  Each empty non-terminal MUST have a corresponding NSEC3 RR, unless
      the empty non-terminal is only derived from an insecure delegation
      covered by an Opt-Out NSEC3 RR.

As a workaround I insert a TXT record for every empty non-terminal
before handing the zone over to powerdns for signing - this seems to be
working reasonably well.

Thanks,
Florian

-- 
I remember yesterday, but the memory is in my head now.
Was yesterday real? Or is it only the memory that is real?
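The post suspects that the extra NSEC3 owner ldns emits is the hash of the empty non-terminal ns.nsec3.example.com. The following is an added example, not code from the post, PowerDNS or ldns: it hashes owner names the way RFC 5155 section 5 describes (SHA-1, the zone's salt 08A80B76 and 10 iterations, rendered as lowercase base32hex) and lists the empty non-terminals that section 7.1 says must get their own NSEC3 RR. The zone names and NSEC3 parameters come from the post; the function names are mine.

```python
import base64
import hashlib

# NSEC3 parameters as printed in the post's NSEC3 records: algorithm 1 (SHA-1), 10 iterations, salt 08A80B76.
SALT_HEX = "08A80B76"
ITERATIONS = 10
APEX = "nsec3.example.com"
# Owner names that actually carry records, taken from the post's zone listing.
OWNERS = ["nsec3.example.com", "a.ns.nsec3.example.com", "foo.nsec3.example.com"]

# Standard base32 alphabet -> base32hex (RFC 4648 s7), lowercase as ldns prints it.
B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                       "0123456789abcdefghijklmnopqrstuv")

def canonical(name):
    """Lowercase, no trailing dot: the form all comparisons below use."""
    return name.rstrip(".").lower()

def wire_name(name):
    """Canonical wire-format owner name (RFC 4034 s6.2): length-prefixed lowercase labels, root label last."""
    labels = [l.encode("ascii") for l in canonical(name).split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def nsec3_hash(name, salt_hex=SALT_HEX, iterations=ITERATIONS):
    """RFC 5155 s5, hash algorithm 1: SHA-1(owner || salt), then re-hashed with the salt `iterations` more times."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20 bytes -> exactly 32 base32 characters, so no '=' padding survives.
    return base64.b32encode(digest).decode("ascii").rstrip("=").translate(B32HEX)

def empty_non_terminals(apex, owners):
    """Names below the apex that own no records but have descendants that do (RFC 5155 s7.1)."""
    present = {canonical(n) for n in owners}
    depth = len(canonical(apex).split("."))
    ents = set()
    for name in present:
        labels = name.split(".")
        # Walk the ancestors strictly between this name and the apex.
        for i in range(1, len(labels) - depth):
            ancestor = ".".join(labels[i:])
            if ancestor not in present:
                ents.add(ancestor)
    return sorted(ents)

def expected_nsec3_owners(apex, owners, salt_hex=SALT_HEX, iterations=ITERATIONS):
    """Every name that needs its own NSEC3 RR (record owners plus empty non-terminals), mapped to its hash."""
    names = sorted({canonical(n) for n in owners} | set(empty_non_terminals(apex, owners)))
    return {n: nsec3_hash(n, salt_hex, iterations) for n in names}

if __name__ == "__main__":
    for name, h in expected_nsec3_owners(APEX, OWNERS).items():
        print(f"{h}.{APEX}.  <- {name}")
```

Running it prints four hashed owners where the PowerDNS answer in the post shows only three NSEC3 records; the line for ns.nsec3.example.com is the one to compare against the bc3qch... owner that ldns added.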


