[Pdns-dev] please review our NSEC3 changes!
Peter van Dijk
peter.van.dijk at netherlabs.nl
Sat Aug 4 12:15:02 CEST 2012
On Aug 4, 2012, at 10:09, Christof Meerwald wrote:
> Not sure if this is just nsec3dig producing confusing output or if
> it's pdns itself. cmeerw.priv.at (bind zone file) only has 1 SOA and 2
> NS records.
> nsec3dig for x.cmeerw.priv.at then results in:
> Reply to question for qname='x.cmeerw.priv.at.', qtype=TXT
> Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
> 1 cmeerw.priv.at. IN SOA 3600 ns.cmeerw.net. domain.cmeerw.net. 2010080603 3600 900 1814400 3600
> 1 8b40po8goooqdt13tad1l7j5oht0puo3.cmeerw.priv.at. IN NSEC3 3600 1 1 1 ab 8B40PO8GOOOQDT13TAD1L7J5OHT0PUO3 NS SOA RRSIG DNSKEY NSEC3PARAM
> 2 . IN OPT 32768
> == nsec3 prove/deny report follows ==
> cmeerw.priv.at (8b40po8goooqdt13tad1l7j5oht0puo3) proven by base of 8b40po8goooqdt13tad1l7j5oht0puo3..8b40po8goooqdt13tad1l7j5oht0puo3
> cmeerw.priv.at (8b40po8goooqdt13tad1l7j5oht0puo3) proven by next of 8b40po8goooqdt13tad1l7j5oht0puo3..8b40po8goooqdt13tad1l7j5oht0puo3
> found closest encloser at cmeerw.priv.at
> next closer is x.cmeerw.priv.at
> next closer (x.cmeerw.priv.at) NOT denied
> wildcard at encloser (*.cmeerw.priv.at) is NOT denied or proven
> So it claims "NOT denied", but I am not sure if pdns is to blame or if
> it's just nsec3dig...
This NSEC3 points to itself (which is logical, as there is only one name in the zone). Thus, it denies -everything- but that name. In other words, this is a wraparound bug in nsec3dig, not in PowerDNS.
Thanks for this - this is the second time someone has brought up 'a zone with just one name in it' this week, and your example makes me realize this situation could use some test cases. It's a weird boundary condition.
I'm happy it's nsec3dig and not PowerDNS that is wrong here, though ;)
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/
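The wraparound rule described in the reply above, as an added example (this is not nsec3dig or PowerDNS code): an NSEC3 chain is a ring of hashes, so the last record's "next" hash is smaller than its owner, and in a zone with a single hashed name the only record points to itself. A "covers" check that just tests owner < h < next misses both cases. The script below implements the RFC 5155 hash (algorithm 1, SHA-1, base32hex), a covers check that handles the wrap, and a small report in the spirit of nsec3dig's prove/deny output. The zone name, NSEC3PARAM (salt ab, one iteration) and query are taken from the quoted reply; the self-pointing record in the demo is built from the hash this code computes for the apex, so you can compare the printed value with the owner name 8b40po8goooqdt13tad1l7j5oht0puo3 in the reply by hand.

```python
"""NSEC3 denial-of-existence check with ring wraparound.

Added example, not nsec3dig or PowerDNS code. Inputs in the demo are
constructed from the reply quoted in the mail above.
"""
import base64
import hashlib

# NSEC3 owner names use base32hex (RFC 4648 section 7); Python only ships
# plain base32, so translate the alphabet.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def name_to_wire(name: str) -> bytes:
    """Canonical wire form (RFC 4034 section 6.2): lowercase, length-prefixed
    labels, terminated by the root label."""
    name = name.rstrip(".").lower()
    wire = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 section 5, hash algorithm 1 (SHA-1):
    H(owner || salt), then `iterations` further rounds of H(prev || salt).
    Returns the lowercase base32hex string used as the NSEC3 owner label."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()


def nsec3_covers(owner: str, nxt: str, h: str) -> bool:
    """True if hash h lies strictly inside the interval (owner, next) on the
    NSEC3 ring. The last record points back to the first, so the interval may
    wrap past the top of the hash space; a record whose next hash equals its
    own owner (single-name zone) covers every hash except that one."""
    owner, nxt, h = owner.lower(), nxt.lower(), h.lower()
    if owner == nxt:
        return h != owner                 # whole ring minus the one name
    if owner < nxt:
        return owner < h < nxt            # ordinary interval
    return h > owner or h < nxt           # wrapped: (owner, top] + [bottom, next)


def nsec3_report(qname: str, zone: str, salt_hex: str, iterations: int, records):
    """Closest-encloser style report for an NXDOMAIN reply (RFC 5155 section 8.4).
    records: iterable of (owner_hash, next_hash) taken from the NSEC3 RRs.
    Returns which ancestor is proven to exist, the next closer name, and
    whether the next closer and the wildcard at the encloser are denied."""
    records = [(o.lower(), n.lower()) for o, n in records]
    owners = {o for o, _ in records}
    labels = qname.rstrip(".").lower().split(".")
    zone_labels = zone.rstrip(".").lower().split(".")
    if labels[-len(zone_labels):] != zone_labels:
        raise ValueError("qname is not under the zone")
    result = {"closest_encloser": None, "next_closer": None,
              "next_closer_denied": False, "wildcard_denied": False}
    # Walk up from qname towards the apex; the first ancestor whose hash is an
    # NSEC3 owner is proven to exist and is the closest encloser.
    for i in range(len(labels) - len(zone_labels) + 1):
        cand = ".".join(labels[i:])
        if nsec3_hash(cand, salt_hex, iterations) in owners:
            result["closest_encloser"] = cand
            if i == 0:
                return result             # qname itself exists; nothing to deny
            result["next_closer"] = ".".join(labels[i - 1:])
            break
    if result["closest_encloser"] is None:
        return result                     # no encloser proven; reply is incomplete
    nc_hash = nsec3_hash(result["next_closer"], salt_hex, iterations)
    wc_hash = nsec3_hash("*." + result["closest_encloser"], salt_hex, iterations)
    result["next_closer_denied"] = any(nsec3_covers(o, n, nc_hash) for o, n in records)
    result["wildcard_denied"] = any(nsec3_covers(o, n, wc_hash) for o, n in records)
    return result


if __name__ == "__main__":
    # Constructed from the quoted reply: NSEC3PARAM 1 1 1 ab, a single-name zone.
    apex = "cmeerw.priv.at"
    apex_hash = nsec3_hash(apex, "ab", 1)
    print("apex hash:", apex_hash, "(compare with the NSEC3 owner in the reply)")
    print(nsec3_report("x.cmeerw.priv.at", apex, "ab", 1, [(apex_hash, apex_hash)]))
```

The self-pointing case is handled before the ordinary comparison on purpose: with owner == next, both `owner < h < next` and the wrapped form `h > owner or h < next` evaluate to "not covered" for everything except a collision, which is the inverted answer nsec3dig gave in the quoted report.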