[Pdns-dev] NSEC and zone delegation with PowerDNS 3.4.9 and MySQL backend

Wido den Hollander wido at widodh.nl
Tue Jul 26 08:22:50 UTC 2016


Hi,

I have a situation where I'm working on a Remote PIPE backend [0] with DNSSEC and I'm running into a situation with NSEC. (Not working on 3 yet).

The situation is that I have my personal domain 'widodh.nl' from where I delegate 'secure.widodh.nl' to:

- ns011.auroradns.eu
- ns012.auroradns.nl
- ns013.auroradns.info

These servers run PowerDNS 4.0 with the Remote Backend.

This works just fine, I can query (AAAA) these hostnames and they work:

- secure.widodh.nl
- a.secure.widodh.nl
- b.secure.widodh.nl
- c.secure.widodh.nl
- e.secure.widodh.nl
- f.secure.widodh.nl

'd' doesn't exist on purpose.

Now, when I ask ns011.auroradns.eu directly it responds with a proper NSEC response:

wido at wido-desktop:~$ dig @ns011.auroradns.eu NSEC d.secure.widodh.nl

; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> @ns011.auroradns.eu NSEC d.secure.widodh.nl
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51915
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1680
;; QUESTION SECTION:
;d.secure.widodh.nl.		IN	NSEC

;; ANSWER SECTION:
c.secure.widodh.nl.	3600	IN	NSEC	e.secure.widodh.nl. AAAA RRSIG NSEC

;; Query time: 45 msec
;; SERVER: 2a00:f10:121:b00:434:a0ff:fe00:1bc7#53(2a00:f10:121:b00:434:a0ff:fe00:1bc7)
;; WHEN: Tue Jul 26 10:15:08 CEST 2016
;; MSG SIZE  rcvd: 89

wido at wido-desktop:~$

As you can see, 'c' and 'e' are before and after. For that to work I implemented 'getBeforeAndAfterNamesAbsolute' in by backend.

Now, when I try to perform a NSEC query for 'd.secure.widodh.nl' without asking ns011 directly it fails with a SERVFAIL. When I trace with dig I see that it dies at v1.pcextreme.nl which is a PowerDNS 3.4.9 setup with a MySQL backend.

The dig output is long, so a snippet:

wido at crew:~$ dig -6 +trace NSEC c.secure.widodh.nl

; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> -6 +trace NSEC c.secure.widodh.nl
;; global options: +cmd

...
...

widodh.nl.		3600	IN	NS	v1.pcextreme.nl.
widodh.nl.		3600	IN	NS	v2.pcextreme.nl.
widodh.nl.		3600	IN	NS	v3.pcextreme.eu.
widodh.nl.		3600	IN	DS	44692 8 2 C9AABC5574CF0772A5AC75120DA56FE387BCF52DC8122B04EA7FC41B 8EFDF47C
widodh.nl.		3600	IN	RRSIG	DS 8 2 3600 20160804065721 20160721071001 14028 nl. DaT8QiwTBDPnUTNdM25EMQl4zjRjwxL52pinbv/8nsWdx39egO9eOktK IpS+ntcTv22JYdI4yLrT3HjbeoPMBnAGPKOCQ9hSfnogNFeZATnV9Pti zPrvqsdsqeGgRWhFWHVY52TuPxjkC5D1B0ZkYPtKpj3/pduY8PYtA5M4 6Ko=
;; Received 418 bytes from 2a00:1188:5::212#53(ns4.dns.nl) in 14 ms

secure.widodh.nl.	3600	IN	RRSIG	NSEC 8 3 3600 20160804000000 20160714000000 7725 widodh.nl. XWDj2A4iaEC3ZDxKaiRT/+qIrP7QZ+uuUHz/MYHh76cE2m0Kd4RGhK75 qErhKPOGzg0i+LJ1ePceRFHr0rFO1xPRyQlbAaqxOeeTARGXLLN4SPY5 Ze+qwA0RppIei0Fi2GXJ5+Lha/v57RcGpnLOGgz/NqU3HolTr0Fq+nnf 9j4=
secure.widodh.nl.	3600	IN	NSEC	soekris.widodh.nl. NS DS RRSIG NSEC
;; Received 255 bytes from 2001:14a0:300:4::53#53(v2.pcextreme.nl) in 13 ms

wido at crew:~$

v2.pcextreme.nl in this case does NOT respond with NS records delegating 'secure.widodh.nl' to the *auroradns* servers.

Turning on query logging showed me:

select min(ordername) from records where ordername > 'secure c' and domain_id=8131 and disabled=0 and ordername is not null
select ordername, name from records where ordername <= 'secure c' and domain_id=8131 and disabled=0 and ordername is not null order by 1 desc limit 1
SELECT content,ttl,prio,type,domain_id,disabled,name,auth FROM records WHERE disabled=0 and name='secure.widodh.nl' and domain_id=8131

This setup seems to think that because 'widodh.nl' exists on that setup it has to look locally for the NSEC before and after and not delegate it towards the other nameservers.

The last query yields three NS records and one DS record, just as it is supposed to do.

I am starting to think this is a issue with PowerDNS 3.4.9 and the MySQL backend. However, I'm not 100% sure as the NSEC part of DNSSEC is still not 100% clear to me.

Is there something I'm doing wrong here?

Thank you in advance,

Wido

[0]: https://doc.powerdns.com/md/authoritative/backend-remote/
[1]: https://doc.powerdns.com/md/authoritative/backend-remote/#getbeforeandafternamesabsolute


More information about the Pdns-dev mailing list