[Pdns-dev] please review our NSEC3 changes!
Christof Meerwald
cmeerw at cmeerw.org
Sat Aug 4 10:09:27 CEST 2012
On Fri, 3 Aug 2012 11:09:03 +0200, Peter van Dijk wrote:
> these NSEC3-changes have now been merged into our SVN trunk, at
> revision 2687 (with additional work in 2688+2689, but these should not
> make a functional difference). I have asked Bert to do snapshot static
> rpm/deb builds today.
Not sure if this is just nsec3dig producing confusing output or if
it's pdns itself. cmeerw.priv.at (bind zone file) only has 1 SOA and 2
NS records.
nsec3dig for x.cmeerw.priv.at then results in:
Reply to question for qname='x.cmeerw.priv.at.', qtype=TXT
Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
1 cmeerw.priv.at. IN SOA 3600 ns.cmeerw.net. domain.cmeerw.net. 2010080603 3600 900 1814400 3600
1 cmeerw.priv.at. IN RRSIG 3600 SOA 8 3 3600 20120816000000 20120802000000 9138 cmeerw.priv.at. PiknjrI0vhkHv12MRdggwBQMR3wiZwpRgiWueZ42YC9DZ7ks6raLO6sRyTZfz9yo540pNy+699ztLoJ5vhamPqaXs/0sC7xIKCksEC7hJqTubQ2DfVHmO49T42qHsVuav6qXl+/9/7IAFwfB/d2iJhNlriMhkKhI27/opA93ajA=
1 8b40po8goooqdt13tad1l7j5oht0puo3.cmeerw.priv.at. IN NSEC3 3600 1 1 1 ab 8B40PO8GOOOQDT13TAD1L7J5OHT0PUO3 NS SOA RRSIG DNSKEY NSEC3PARAM
1 8b40po8goooqdt13tad1l7j5oht0puo3.cmeerw.priv.at. IN RRSIG 3600 NSEC3 8 4 3600 20120816000000 20120802000000 9138 cmeerw.priv.at. DtqaYNj0pjgwmTpD5kQqSzGIR5yjVvzT+e68sjO7/J0L2P3Gx6Ma9xGo5dHmTxKWJKzZC/B4aXpnIvSfrl4BjhuNHxujulJayLg23EepRZoZaRKOhRq6MsnQgVdNplxHXcTQb8i3a2AOUIO6XS5aiNwvVJrPAEaZcgcHcGKuWXU=
2 . IN OPT 32768
== nsec3 prove/deny report follows ==
cmeerw.priv.at (8b40po8goooqdt13tad1l7j5oht0puo3) proven by base of 8b40po8goooqdt13tad1l7j5oht0puo3..8b40po8goooqdt13tad1l7j5oht0puo3
cmeerw.priv.at (8b40po8goooqdt13tad1l7j5oht0puo3) proven by next of 8b40po8goooqdt13tad1l7j5oht0puo3..8b40po8goooqdt13tad1l7j5oht0puo3
found closest encloser at cmeerw.priv.at
next closer is x.cmeerw.priv.at
next closer (x.cmeerw.priv.at) NOT denied
wildcard at encloser (*.cmeerw.priv.at) is NOT denied or proven
So it claims "NOT denied", but I am not sure if pdns is to blame or if
it's just nsec3dig...
Christof
--
http://cmeerw.org sip:cmeerw at cmeerw.org
mailto:cmeerw at cmeerw.org xmpp:cmeerw at cmeerw.org
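
Added example, not part of the original message and not PowerDNS or nsec3dig code: the RFC 5155 hash and cover check applied to the case in the output above, where the zone's only NSEC3 record has a next hashed owner name equal to its own owner hash. The function names are hypothetical, the closest encloser is taken from the report rather than searched for, and the owner hash and the parameters "1 1 1 ab" are copied from the response.

```python
import base64
import hashlib

# Map the standard base32 alphabet to base32hex (RFC 4648), lower-cased as in owner names.
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789abcdefghijklmnopqrstuv")

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 hash of a domain name (algorithm 1, SHA-1) as base32hex text."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):          # "iterations" counts the additional rounds
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode("ascii")

def covers(owner, nxt, h):
    """True if the NSEC3 record owner..nxt covers hash h."""
    owner, nxt, h = owner.lower(), nxt.lower(), h.lower()
    if owner == nxt:                     # single-record chain: covers all but itself
        return h != owner
    if owner < nxt:                      # ordinary interval
        return owner < h < nxt
    return h > owner or h < nxt          # last record in the chain wraps around

def denial_report(qname, encloser, owner, nxt, salt_hex, iterations):
    """Check the two cover steps of an NXDOMAIN proof for a known closest encloser."""
    q = qname.rstrip(".").split(".")
    depth = len(encloser.rstrip(".").split("."))
    next_closer = ".".join(q[-(depth + 1):])
    wildcard = "*." + encloser.rstrip(".")
    return {
        "next_closer": next_closer,
        "next_closer_covered": covers(owner, nxt, nsec3_hash(next_closer, salt_hex, iterations)),
        "wildcard_covered": covers(owner, nxt, nsec3_hash(wildcard, salt_hex, iterations)),
    }

# Values copied from the response above: one NSEC3 record, owner hash == next hash.
OWNER = NEXT = "8b40po8goooqdt13tad1l7j5oht0puo3"

if __name__ == "__main__":
    print(denial_report("x.cmeerw.priv.at", "cmeerw.priv.at", OWNER, NEXT, "ab", 1))
```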