[Pdns-dev] Auth server 3.0.1 not handling DS queries properly

Alexander Gall gall at switch.ch
Fri Feb 24 14:34:33 CET 2012

My validating BIND caches are currently returning SERVFAIL while
resolving queries for www.cpan.org.  After traversing two CNAMEs, this
name eventually points to cpan-global.l.develooper.org.

The domain develooper.org is signed and serverd by

develooper.org.         432000  IN      NS      ns1.us.bitnames.com.
develooper.org.         432000  IN      NS      ns3.us.bitnames.com.
develooper.org.         432000  IN      NS      ns2.us.bitnames.com.
develooper.org.         432000  IN      NS      ns2.eu.bitnames.com.
develooper.org.         432000  IN      NS      ns1.eu.bitnames.com.

All of these servers are running PowerDNS 3.0.1. according to

l.develooper.org is a zone-cut.  During validation, my caches are
trying to proof whether this delegation is secure by checking for the
DS record of l.develooper.org.  This is what the authoritative servers
for develooper.org return:

; <<>> DiG 9.8.1-P1 <<>> @ns1.us.bitnames.com l.develooper.org. ds +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47403
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1
;; WARNING: recursion requested but not available

; EDNS: version: 0, flags: do; udp: 2800
;l.develooper.org.              IN      DS

l.develooper.org.       172800  IN      NS      ns1.p20.dynect.net.
l.develooper.org.       172800  IN      NS      ns2.p20.dynect.net.
l.develooper.org.       172800  IN      NS      ns3.p20.dynect.net.
l.develooper.org.       172800  IN      NS      ns4.p20.dynect.net.
l.develooper.org.       172800  IN      NSEC    www.develooper.org. NS RRSIG NSEC
l.develooper.org.       172800  IN      RRSIG   NSEC 8 3 172800 20120308000000 20120223000000 50380 develooper.org. Njz+JFzFm5X3aWxqYIllrQE3SdzxzS/9pwHo5npsjWT5J7pIDoRSc4Pw efxXNDR++yrnqlT3AuWWq3gkUM9YYYf72kxOGgaOmUUbGCWQrulcakS2 TZIV+uKz5RfnGgsEisWBlnATCLylZsRQJ2mZI0SGV3N2IbryVeuokZmV 6w8=

;; Query time: 177 msec
;; WHEN: Fri Feb 24 14:23:58 2012
;; MSG SIZE  rcvd: 345

This is a referral.  However, what is expected here is a NODATA
response (AA flag, SOA and NSEC records in authority section).

This renders insecure delegations bogus.  Unless I'm overlooking
something here, this needs to be fixed ASAP.


More information about the Pdns-dev mailing list