[Pdns-dev] NSEC and zone delegation with PowerDNS 3.4.9 and MySQL backend
Peter van Dijk
peter.van.dijk at powerdns.com
Thu Jul 28 12:55:17 UTC 2016
On 26 Jul 2016, at 10:22, Wido den Hollander wrote:
> wido at crew:~$ dig -6 +trace NSEC c.secure.widodh.nl
> ; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> -6 +trace NSEC
> ;; global options: +cmd
> widodh.nl. 3600 IN NS v1.pcextreme.nl.
> widodh.nl. 3600 IN NS v2.pcextreme.nl.
> widodh.nl. 3600 IN NS v3.pcextreme.eu.
> widodh.nl. 3600 IN DS 44692 8 2 C9AABC5574CF0772A5AC75120DA56FE387BCF52DC8122B04EA7FC41B 8EFDF47C
> widodh.nl. 3600 IN RRSIG DS 8 2 3600 20160804065721 20160721071001 14028 nl. DaT8QiwTBDPnUTNdM25EMQl4zjRjwxL52pinbv/8nsWdx39egO9eOktK zPrvqsdsqeGgRWhFWHVY52TuPxjkC5D1B0ZkYPtKpj3/pduY8PYtA5M4 6Ko=
> ;; Received 418 bytes from 2a00:1188:5::212#53(ns4.dns.nl) in 14 ms
> secure.widodh.nl. 3600 IN RRSIG NSEC 8 3 3600 20160804000000 20160714000000 7725 widodh.nl. Ze+qwA0RppIei0Fi2GXJ5+Lha/v57RcGpnLOGgz/NqU3HolTr0Fq+nnf 9j4=
> secure.widodh.nl. 3600 IN NSEC soekris.widodh.nl. NS DS RRSIG NSEC
> ;; Received 255 bytes from 2001:14a0:300:4::53#53(v2.pcextreme.nl) in 13 ms
> wido at crew:~$
> v2.pcextreme.nl in this case does NOT respond with NS records
> delegating 'secure.widodh.nl' to the *auroradns* servers.
That’s a bug!
> Turning on query logging showed me:
> select min(ordername) from records where ordername > 'secure c' and domain_id=8131 and disabled=0 and ordername is not null
> select ordername, name from records where ordername <= 'secure c' and domain_id=8131 and disabled=0 and ordername is not null order by 1 desc limit 1
> SELECT content,ttl,prio,type,domain_id,disabled,name,auth FROM records WHERE disabled=0 and name='secure.widodh.nl' and domain_id=8131
> This setup seems to think that because 'widodh.nl' exists on that
> setup it has to look locally for the NSEC before and after and not
> delegate it towards the other nameservers.
That’s not exactly what’s going wrong, but yes, it is broken.
> The last query yields three NS records and one DS record, just as it
> is supposed to do.
And indeed that is what it should be giving you, like with any other
type you query (except DS which is supposed to be special).
> I am starting to think this is an issue with PowerDNS 3.4.9 and the
> MySQL backend. However, I'm not 100% sure as the NSEC part of DNSSEC
> is still not 100% clear to me.
Yes, this is an issue in PowerDNS. I have also confirmed it on
4.0.x/master. It is not specific to MySQL, it is broken the same way
with every backend (including non-SQL ones). Can you post your
wonderfully extensive report at
https://github.com/PowerDNS/pdns/issues/new ? Thanks!
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
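The rule Peter states above (at a delegation point the parent answers DS itself and refers everything else, NSEC included) as an added example; this is not PowerDNS code, and the zone data, delegation targets and DS digest are constructed placeholders, not the real widodh.nl records:

```python
# Models RFC 4035 section 3.1.4.1 behaviour at a zone cut: the parent is
# authoritative only for the DS RRset of the child; any other qtype gets a
# referral (NS + DS in the authority section, empty answer, AA clear).

APEX = "widodh.nl."

# Constructed toy zone data modelled on the thread (placeholder contents).
ZONE = {
    "widodh.nl.": {"NS": ["v1.pcextreme.nl.", "v2.pcextreme.nl.", "v3.pcextreme.eu."]},
    "secure.widodh.nl.": {"NS": ["ns1.example.", "ns2.example."],   # delegation
                          "DS": ["12345 8 2 PLACEHOLDERDIGEST"],
                          "NSEC": ["soekris.widodh.nl. NS DS RRSIG NSEC"]},
}

def rrset(name, rtype, contents):
    return [(name, rtype, c) for c in contents]

def expected_response(zone, apex, qname, qtype):
    """What the parent-side authoritative server must return for qname/qtype."""
    node = zone.get(qname)
    if node is None:
        return {"aa": True, "rcode": "NXDOMAIN", "answer": [], "authority": []}
    at_cut = qname != apex and "NS" in node
    if at_cut and qtype != "DS":
        # Referral: the child zone owns everything at this name except DS,
        # so the parent hands out only the delegation NS set and the DS.
        authority = rrset(qname, "NS", node["NS"]) + rrset(qname, "DS", node.get("DS", []))
        return {"aa": False, "rcode": "NOERROR", "answer": [], "authority": authority}
    return {"aa": True, "rcode": "NOERROR",
            "answer": rrset(qname, qtype, node.get(qtype, [])), "authority": []}

def check_delegation_answer(zone, apex, qname, qtype, observed):
    """Compare an observed response with the expected one; returns 'ok' or a finding."""
    want = expected_response(zone, apex, qname, qtype)
    if want["aa"] is False and (observed["aa"] or observed["answer"]):
        return "bug: authoritative data returned at delegation point, referral expected"
    if want["aa"] and sorted(observed["answer"]) != sorted(want["answer"]):
        return "bug: answer section differs from zone data"
    return "ok"

# Constructed observation modelled on the dig output in the thread: the parent
# answered the NSEC query from its own data instead of referring to the child.
OBSERVED_NSEC = {"aa": True, "rcode": "NOERROR",
                 "answer": rrset("secure.widodh.nl.", "NSEC",
                                 ["soekris.widodh.nl. NS DS RRSIG NSEC"]),
                 "authority": []}
```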