[Pdns-dev] please review our NSEC3 changes!

Christof Meerwald cmeerw at cmeerw.org
Sat Aug 4 10:09:27 CEST 2012


On Fri, 3 Aug 2012 11:09:03 +0200, Peter van Dijk wrote:
> these NSEC3-changes have now been merged into our SVN trunk, at
> revision 2687 (with additional work in 2688+2689, but these should not
> make a functional difference). I have asked Bert to do snapshot static
> rpm/deb builds today.

Not sure if this is just nsec3dig producing confusing output or if
it's pdns itself. cmeerw.priv.at (bind zone file) only has 1 SOA and 2
NS records.

nsec3dig for x.cmeerw.priv.at then results in:

Reply to question for qname='x.cmeerw.priv.at.', qtype=TXT
Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
1	cmeerw.priv.at.	IN	SOA	3600	ns.cmeerw.net. domain.cmeerw.net. 2010080603 3600 900 1814400 3600
1	cmeerw.priv.at.	IN	RRSIG	3600	SOA 8 3 3600 20120816000000 20120802000000 9138 cmeerw.priv.at. PiknjrI0vhkHv12MRdggwBQMR3wiZwpRgiWueZ42YC9DZ7ks6raLO6sRyTZfz9yo540pNy+699ztLoJ5vhamPqaXs/0sC7xIKCksEC7hJqTubQ2DfVHmO49T42qHsVuav6qXl+/9/7IAFwfB/d2iJhNlriMhkKhI27/opA93ajA=
1	8b40po8goooqdt13tad1l7j5oht0puo3.cmeerw.priv.at.	IN	NSEC3	3600	1 1 1 ab 8B40PO8GOOOQDT13TAD1L7J5OHT0PUO3 NS SOA RRSIG DNSKEY NSEC3PARAM
1	8b40po8goooqdt13tad1l7j5oht0puo3.cmeerw.priv.at.	IN	RRSIG	3600	NSEC3 8 4 3600 20120816000000 20120802000000 9138 cmeerw.priv.at. DtqaYNj0pjgwmTpD5kQqSzGIR5yjVvzT+e68sjO7/J0L2P3Gx6Ma9xGo5dHmTxKWJKzZC/B4aXpnIvSfrl4BjhuNHxujulJayLg23EepRZoZaRKOhRq6MsnQgVdNplxHXcTQb8i3a2AOUIO6XS5aiNwvVJrPAEaZcgcHcGKuWXU=
2	.	IN	OPT	32768	
== nsec3 prove/deny report follows ==
cmeerw.priv.at (8b40po8goooqdt13tad1l7j5oht0puo3) proven by base of 8b40po8goooqdt13tad1l7j5oht0puo3..8b40po8goooqdt13tad1l7j5oht0puo3
cmeerw.priv.at (8b40po8goooqdt13tad1l7j5oht0puo3) proven by next of 8b40po8goooqdt13tad1l7j5oht0puo3..8b40po8goooqdt13tad1l7j5oht0puo3
found closest encloser at cmeerw.priv.at
next closer is x.cmeerw.priv.at
next closer (x.cmeerw.priv.at) NOT denied
wildcard at encloser (*.cmeerw.priv.at) is NOT denied or proven

So it claims "NOT denied", but I am not sure if pdns is to blame or if
it's just nsec3dig...


Christof

-- 

http://cmeerw.org                              sip:cmeerw at cmeerw.org
mailto:cmeerw at cmeerw.org                   xmpp:cmeerw at cmeerw.org
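
Added example, not part of the original message and not nsec3dig or PowerDNS code: a minimal RFC 5155 cover check applied to the NSEC3 record in the output above, where the chain holds a single record whose next hashed owner equals its own owner and therefore covers every other hash. The function names are hypothetical; the owner hash, salt (ab), iteration count (1) and hash algorithm (1, SHA-1) are taken from that record.

```python
import base64
import hashlib

# Standard base32 alphabet -> base32hex (RFC 4648), lowercased like DNS owner names.
_B32_TO_HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                              b"0123456789abcdefghijklmnopqrstuv")

def wire_name(name):
    """Canonical (lowercase) DNS wire format of a domain name."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 section 5 hash with SHA-1, base32hex encoded."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):  # 'iterations' counts the additional rounds
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32_TO_HEX).decode("ascii")

def covers(owner, nxt, h):
    """True if the interval owner..nxt covers h (h equal to owner is a match, not a cover)."""
    owner, nxt, h = owner.lower(), nxt.lower(), h.lower()
    if owner < nxt:              # ordinary interval
        return owner < h < nxt
    if owner > nxt:              # last record of the chain wraps around
        return h > owner or h < nxt
    return h != owner            # single-record chain: next == owner

# Values copied from the NSEC3 record in the nsec3dig output above.
OWNER = "8b40po8goooqdt13tad1l7j5oht0puo3"
NEXT = "8B40PO8GOOOQDT13TAD1L7J5OHT0PUO3"
SALT, ITERATIONS = "ab", 1

def denial_report(qname, apex):
    """Recompute the hashes and test next closer and wildcard against the one record."""
    q_hash = nsec3_hash(qname, SALT, ITERATIONS)
    wc_hash = nsec3_hash("*." + apex, SALT, ITERATIONS)
    return {
        "apex_hash_matches_record": nsec3_hash(apex, SALT, ITERATIONS) == OWNER,
        "next_closer_hash": q_hash,
        "next_closer_covered": covers(OWNER, NEXT, q_hash),
        "wildcard_covered": covers(OWNER, NEXT, wc_hash),
    }

if __name__ == "__main__":
    print(denial_report("x.cmeerw.priv.at", "cmeerw.priv.at"))
```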

