[Pdns-users] Additional NSEC3-Record in Response - DNSSEC Validation fails
Michael Braunoeder
mib at nic.at
Mon Aug 22 13:41:57 UTC 2011
Hi,
I did some more DNSSEC-testing and found another bug:
My setup looks like this:
Bind acting as master server, serving a presigned zone.
PDNS 3.0 acting as slave server, PRESIGNED=1 and NSEC3PARAM set in the
domainmetadata table.
When querying for an undefined record, PDNS adds an additional
NSEC3 record to the response and validation of the response fails.
Response from Bind:
;; QUESTION SECTION:
;notfound.nsec3test.at. IN A
;; AUTHORITY SECTION:
nsec3test.at. 600 IN SOA ns2.at43.at. mib.nic.at.
3 1200 3600 604800 600
nsec3test.at. 600 IN RRSIG SOA 7 2 600
20110921115504 20110822115504 54530 nsec3test.at.
CAljGUcw6e2pHiajLF+T0uCNfBrrtF2ZleDKrPe8gWiBOSmrhGPDGRVQ
NUF5CX07AkBvG1pfoe5IKB4sIri0Un9C7MGznKNgc/1xBnmWBFCYzILS
8SkFzyyNalYYpvNnhO7q+MpE6kciv3soZbZJ+fl8Y2xibvvvYswO+vPy 0l4=
O8IVN054N94M5JUQ5H7G0I882UAHH62U.nsec3test.at. 600 IN NSEC3 1 1 10 -
NCH5FA1SAKRN1LLO8EKOK28S80L05EQE NS SOA RRSIG DNSKEY NSEC3PARAM
O8IVN054N94M5JUQ5H7G0I882UAHH62U.nsec3test.at. 600 IN RRSIG NSEC3 7 3
600 20110921115504 20110822115504 54530 nsec3test.at.
Z5lAmFDBRLYO2J/l2o1CwYfcuuvSixR26B5GIPTDaNvxRdHkVIJEHctQ
Hc+4xie3POEed4eZBuYF2mqCCaF0GC5d0D5Y8sJui7Vu3oGxmwWO49vm
e0WnNL4WiXWUzd0hOEobK/XJn6ObHLscbR5SmupdIdpA5DaJZ1w1VPQp faw=
The same query against the PDNS:
;; QUESTION SECTION:
;notfound.nsec3test.at. IN A
;; AUTHORITY SECTION:
nsec3test.at. 600 IN SOA ns2.at43.at. mib.nic.at.
3 86400 3600 604800 600
nsec3test.at. 600 IN RRSIG SOA 7 2 600
20110921115504 20110822115504 54530 nsec3test.at.
CAljGUcw6e2pHiajLF+T0uCNfBrrtF2ZleDKrPe8gWiBOSmrhGPDGRVQ
NUF5CX07AkBvG1pfoe5IKB4sIri0Un9C7MGznKNgc/1xBnmWBFCYzILS
8SkFzyyNalYYpvNnhO7q+MpE6kciv3soZbZJ+fl8Y2xibvvvYswO+vPy 0l4=
o8ivn054n94m5juq5h7g0i882uahh62u.nsec3test.at. 0 IN NSEC3 1 1 10 -
66R3IIGV513QGD458A2S11T0MH3E6IET NS SOA RRSIG DNSKEY NSEC3PARAM
o8ivn054n94m5juq5h7g0i882uahh62u.nsec3test.at. 600 IN RRSIG NSEC3 7 3
600 20110921115504 20110822115504 54530 nsec3test.at.
Z5lAmFDBRLYO2J/l2o1CwYfcuuvSixR26B5GIPTDaNvxRdHkVIJEHctQ
Hc+4xie3POEed4eZBuYF2mqCCaF0GC5d0D5Y8sJui7Vu3oGxmwWO49vm
e0WnNL4WiXWUzd0hOEobK/XJn6ObHLscbR5SmupdIdpA5DaJZ1w1VPQp faw=
76nqadco30ibl06a9vmdvu7r31l6r3oi.nsec3test.at. 600 IN NSEC3 1 1 10 -
NCH5FA1SAKRN1LLO8EKOK28S80L05EQE RRSIG
The last line is the additional NSEC3-Record.
Can you please have a look?
Thanks in advance and Best,
Michael
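Added example (not code from the post, BIND or PowerDNS) showing what a validator does with the two AUTHORITY sections above. It implements the RFC 5155 NSEC3 hash (SHA-1, the zone's 10 iterations and empty salt "-") and the "matches"/"covers" ordering check with the wrap-around at the end of the chain, then asks, for both responses, which record proves the closest encloser, the next closer name and the wildcard for `notfound.nsec3test.at`. The NSEC3 records are copied from the post (joined onto one line each); the query and zone names are the ones in the post, and the loose hashes used in the comments are constructed.

```python
"""Which NSEC3 records in an NXDOMAIN response match or cover a name (RFC 5155)."""
import hashlib
from dataclasses import dataclass

B32HEX = "0123456789abcdefghijklmnopqrstuv"   # RFC 4648 extended-hex alphabet


def base32hex(data: bytes) -> str:
    """Unpadded base32hex; a 20-byte SHA-1 digest encodes to exactly 32 characters."""
    total_bits = len(data) * 8
    nchars = (total_bits + 4) // 5
    bits = int.from_bytes(data, "big") << (nchars * 5 - total_bits)   # right-pad with zero bits
    return "".join(B32HEX[(bits >> (5 * (nchars - 1 - i))) & 31] for i in range(nchars))


def wire_name(name: str) -> bytes:
    """Canonical wire form: lower-cased labels, each length-prefixed, root label = 0x00."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def nsec3_hash(name: str, iterations: int = 10, salt: str = "-") -> str:
    """RFC 5155 section 5: H(owner || salt), re-hashed `iterations` more times with the salt."""
    salt_bytes = b"" if salt in ("", "-") else bytes.fromhex(salt)
    digest = hashlib.sha1(wire_name(name) + salt_bytes).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt_bytes).digest()
    return base32hex(digest)


@dataclass
class NSEC3:
    owner_hash: str      # first label of the owner name, lower-cased
    ttl: int
    iterations: int
    salt: str
    next_hash: str
    types: tuple


def parse_nsec3(rr: str) -> NSEC3:
    """Parse one presentation-format NSEC3 RR: owner TTL IN NSEC3 alg flags iter salt next [types]."""
    f = rr.split()
    assert f[2] == "IN" and f[3] == "NSEC3", rr
    return NSEC3(f[0].split(".")[0].lower(), int(f[1]), int(f[6]), f[7], f[8].lower(), tuple(f[9:]))


def matches(rec: NSEC3, h: str) -> bool:
    return rec.owner_hash == h.lower()


def covers(rec: NSEC3, h: str) -> bool:
    """True if h lies strictly between owner and next; the last record of the chain wraps."""
    h = h.lower()
    if rec.owner_hash < rec.next_hash:
        return rec.owner_hash < h < rec.next_hash
    return h > rec.owner_hash or h < rec.next_hash


def find_proof(records, h):
    """Return ("match", rec), ("covered", rec) or (None, None) for hash h."""
    for rec in records:
        if matches(rec, h):
            return "match", rec
    for rec in records:
        if covers(rec, h):
            return "covered", rec
    return None, None


# NSEC3 records from the two responses in the post, each joined onto a single line.
BIND_NSEC3 = [parse_nsec3(
    "O8IVN054N94M5JUQ5H7G0I882UAHH62U.nsec3test.at. 600 IN NSEC3 1 1 10 - "
    "NCH5FA1SAKRN1LLO8EKOK28S80L05EQE NS SOA RRSIG DNSKEY NSEC3PARAM")]
PDNS_NSEC3 = [parse_nsec3(
    "o8ivn054n94m5juq5h7g0i882uahh62u.nsec3test.at. 0 IN NSEC3 1 1 10 - "
    "66R3IIGV513QGD458A2S11T0MH3E6IET NS SOA RRSIG DNSKEY NSEC3PARAM"), parse_nsec3(
    "76nqadco30ibl06a9vmdvu7r31l6r3oi.nsec3test.at. 600 IN NSEC3 1 1 10 - "
    "NCH5FA1SAKRN1LLO8EKOK28S80L05EQE RRSIG")]


def nxdomain_report(records, qname: str, zone: str) -> dict:
    """RFC 5155 section 8.4: a validator needs an NSEC3 matching the closest encloser, one
    covering the next closer name and one covering the wildcard at the closest encloser.
    The apex is taken as the closest encloser, which the one-label query in the post implies."""
    iters, salt = records[0].iterations, records[0].salt
    wanted = {"closest encloser": zone, "next closer": qname, "wildcard": "*." + zone}
    report = {}
    for role, name in wanted.items():
        kind, rec = find_proof(records, nsec3_hash(name, iters, salt))
        report[role] = (kind, rec.owner_hash if rec else None, rec.ttl if rec else None)
    return report


if __name__ == "__main__":
    for server, recs in (("BIND", BIND_NSEC3), ("PowerDNS 3.0", PDNS_NSEC3)):
        print(server)
        for role, result in nxdomain_report(recs, "notfound.nsec3test.at.", "nsec3test.at.").items():
            print(f"  {role:17s} -> {result}")
```

Two things the report makes visible without any zone data: BIND's single record runs from `O8IV…` to `NCH5…` and, because the next hash sorts before the owner, is the wrap-around record covering everything above `O8IV…` and below `NCH5…`, while PowerDNS hands back two records with different intervals (`o8iv…` to `66r3…`, TTL 0, and `76nq…` to `NCH5…`), so whichever one a validator picks for the next-closer or wildcard proof may not be the record BIND signed.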