[Pdns-users] Additional NSEC3-Record in Response - DNSSEC Validation fails
bert hubert
bert.hubert at netherlabs.nl
Mon Aug 22 14:21:15 UTC 2011
On Mon, Aug 22, 2011 at 03:41:57PM +0200, Michael Braunoeder wrote:
> I did some more DNSSEC-testing and found another bug:
I was starting to worry that too little bugs were being found ;-)
> When querying for an undefined records, PDNS adds an additional
> NSEC3-Record into the response and the validation of the response
> failes.
Also, the NSEC3 records don't match. The one PowerDNS includes is different
from the one BIND emitted.
> Response from Bind:
> ;; AUTHORITY SECTION:
> nsec3test.at. 600 IN SOA ns2.at43.at. mib.nic.at. 3 1200 3600 604800 600
> O8IVN054N94M5JUQ5H7G0I882UAHH62U.nsec3test.at. 600 IN NSEC3 1 1 10 - NCH5FA1SAKRN1LLO8EKOK28S80L05EQE NS SOA RRSIG DNSKEY NSEC3PARAM
> The same query against the PDNS:
>
> ;; AUTHORITY SECTION:
> nsec3test.at. 600 IN SOA ns2.at43.at. mib.nic.at. 3 86400 3600 604800 600
> o8ivn054n94m5juq5h7g0i882uahh62u.nsec3test.at. 0 IN NSEC3 1 1 10 - 66R3IIGV513QGD458A2S11T0MH3E6IET NS SOA RRSIG DNSKEY NSEC3PARAM
This one is different from the BIND one.
> 76nqadco30ibl06a9vmdvu7r31l6r3oi.nsec3test.at. 600 IN NSEC3 1 1 10 - NCH5FA1SAKRN1LLO8EKOK28S80L05EQE RRSIG
Note that the TTL of the additional o8ivn one is wrong too.
> Can you please have a look?
As a starting point, could you supply your nsec3test.at zone? That would
help me reproduce your exact issue.
Thanks.
More information about the Pdns-users
mailing list