[Pdns-users] Additional NSEC3-Record in Response - DNSSEC Validation fails

bert hubert bert.hubert at netherlabs.nl
Mon Aug 22 14:21:15 UTC 2011


On Mon, Aug 22, 2011 at 03:41:57PM +0200, Michael Braunoeder wrote:
> I did some more DNSSEC-testing and found another bug:

I was starting to worry that too few bugs were being found ;-)

> When querying for an undefined record, PDNS adds an additional
> NSEC3-Record into the response and the validation of the response
> fails.

Also, the NSEC3 records don't match. The one PowerDNS includes is different
from the one BIND emitted.

> Response from Bind:
> ;; AUTHORITY SECTION:
> nsec3test.at.           600     IN      SOA     ns2.at43.at. mib.nic.at. 3 1200 3600 604800 600
> O8IVN054N94M5JUQ5H7G0I882UAHH62U.nsec3test.at. 600 IN NSEC3 1 1 10 - NCH5FA1SAKRN1LLO8EKOK28S80L05EQE NS SOA RRSIG DNSKEY NSEC3PARAM

> The same query against the PDNS:
> 
> ;; AUTHORITY SECTION:
> nsec3test.at.           600     IN      SOA     ns2.at43.at. mib.nic.at. 3 86400 3600 604800 600
> o8ivn054n94m5juq5h7g0i882uahh62u.nsec3test.at. 0 IN NSEC3 1 1 10 - 66R3IIGV513QGD458A2S11T0MH3E6IET NS SOA RRSIG DNSKEY NSEC3PARAM

This one is different from the BIND one.

> 76nqadco30ibl06a9vmdvu7r31l6r3oi.nsec3test.at. 600 IN NSEC3 1 1 10 - NCH5FA1SAKRN1LLO8EKOK28S80L05EQE RRSIG

Note that the TTL of the additional o8ivn one is wrong too.

> Can you please have a look?

As a starting point, could you supply your nsec3test.at zone? That would
help me reproduce your exact issue.

Thanks.
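For readers following along, here is an added example (not from this thread, PowerDNS or BIND) that parses the two NSEC3 lines quoted above, recomputes the RFC 5155 owner hash with the record's own parameters (SHA-1, 10 iterations, empty salt) and tests which hashed names a record covers; the record strings are copied from the quoted responses, the helper names are mine.

```python
import base64
import hashlib

# Copies of two NSEC3 lines quoted in the thread (presentation format), used as sample input.
BIND_NSEC3 = ("O8IVN054N94M5JUQ5H7G0I882UAHH62U.nsec3test.at. 600 IN NSEC3 1 1 10 - "
              "NCH5FA1SAKRN1LLO8EKOK28S80L05EQE NS SOA RRSIG DNSKEY NSEC3PARAM")
PDNS_EXTRA_NSEC3 = ("76nqadco30ibl06a9vmdvu7r31l6r3oi.nsec3test.at. 600 IN NSEC3 1 1 10 - "
                    "NCH5FA1SAKRN1LLO8EKOK28S80L05EQE RRSIG")

def parse_nsec3(line: str) -> dict:
    """Split an NSEC3 RR in presentation format into its fields (RFC 5155 section 3.3)."""
    f = line.split()
    owner, ttl, rdata = f[0], int(f[1]), f[4:]          # f[2] == 'IN', f[3] == 'NSEC3'
    salt = b"" if rdata[3] == "-" else bytes.fromhex(rdata[3])
    return {"owner_hash": owner.split(".")[0].upper(), "zone": owner.split(".", 1)[1],
            "ttl": ttl, "alg": int(rdata[0]), "flags": int(rdata[1]),
            "iterations": int(rdata[2]), "salt": salt,
            "next_hash": rdata[4].upper(), "types": rdata[5:]}

def to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire format of an owner name, RFC 4034 section 6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def base32hex(data: bytes) -> str:
    """Base32 with the Extended Hex alphabet (RFC 4648 section 7), as NSEC3 owner names use."""
    std = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
    ext = b"0123456789ABCDEFGHIJKLMNOPQRSTUV"
    return base64.b32encode(data).translate(bytes.maketrans(std, ext)).decode("ascii").rstrip("=")

def nsec3_hash(name: str, salt: bytes = b"", iterations: int = 10) -> str:
    """RFC 5155 section 5: IH(salt,x,0) = H(x||salt); IH(salt,x,k) = H(IH(salt,x,k-1)||salt)."""
    digest = hashlib.sha1(to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)

def covers(owner_hash: str, next_hash: str, target_hash: str) -> bool:
    """True if target lies strictly between owner and next in the hashed chain.
    The last record of the chain has next < owner and wraps around to the first."""
    o, n, t = owner_hash.upper(), next_hash.upper(), target_hash.upper()
    if o < n:
        return o < t < n
    return t > o or t < n

def owner_matches(rr: dict, name: str) -> bool:
    """Does this NSEC3's owner hash equal the hash of `name` under the record's own parameters?"""
    return rr["owner_hash"] == nsec3_hash(name, rr["salt"], rr["iterations"])
```

Both quoted o8ivn records hash the zone apex (they carry the apex-only types SOA, DNSKEY and NSEC3PARAM), so a validator expects exactly one such record per response; the extra 76nqad record hashes some other name.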
