[Pdns-users] nsec3 and empty non-terminals
Peter van Dijk
peter.van.dijk at netherlabs.nl
Mon Oct 17 14:01:33 UTC 2011
Hello Florian,
Just a note to say your email has not gone by without notice. I am working on expanding the PowerDNS tests, specifically in the DNSSEC area. I will make sure to cover the situation you are describing too. Thank you for your report :)
Kind regards,
Peter van Dijk
On Oct 3, 2011, at 17:01, Florian Obser wrote:
> Hi,
> we are using powerdns 3 (pdns-static_3.0-1_amd64.deb on debian squeeze,
> mysql backend) as a hidden master / signer and serve the zones with nsd
> slaves (3.2.5-1.squeeze1).
>
> Signing this zone:
>
> nsec3.example.com. 86400 IN SOA a.ns.nsec3.example.com.
> hostmaster.adns2.de. 2011100204 39940 7200 604800 86400
> a.ns.nsec3.example.com. 86400 IN A 217.31.84.231
> foo.nsec3.example.com. 86400 IN A 127.0.0.1
> nsec3.example.com. 86400 IN NS a.ns.nsec3.example.com.
>
>
> results in:
>
> $ ldns-verify-zone nsec3.example.com.signed.pdns
> Checking: nsec3.example.com.
> Checking: foo.nsec3.example.com.
> Checking: ns.nsec3.example.com.
> Error: there is no NSEC(3) for ns.nsec3.example.com.
> Checking: a.ns.nsec3.example.com.
> There were errors in the zone
>
> Serving this zone with nsd and asking for ns.nsec3.example.com:
>
> -------------------------------------------------------------
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28548
> ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;ns.nsec3.example.com. IN A
>
> ;; AUTHORITY SECTION:
> nsec3.example.com. 86400 IN SOA a.ns.nsec3.example.com.
> hostmaster.adns2.de. 2011100204 39940 7200 604800 86400
> nsec3.example.com. 86400 IN RRSIG SOA 8 3 86400
> 20111013000000 20110929000000 5949 nsec3.example.com.
> PQjEEpfDDO2nEcObap+lpPAxhKRHnH02MYi99fUxRwVB4V3c2ZFAuEtd
> vlfMxAx7lnogfDmdLew4wT+UW4JddhtSI0poLf7Y9W7mMdeaw4zVdZql
> 7HIAp2QB+ku9LW+bKN+O2xTMRZ2PkfcPAOvK+2OwRSrBf2Dj9MaREyh2 I3g=
> -------------------------------------------------------------
>
> Note that there are no nsec3 records in the answer.
>
> Asking powerdns directly:
>
> -------------------------------------------------------------
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 38436
> ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 2800
> ;; QUESTION SECTION:
> ;ns.nsec3.example.com. IN A
>
> ;; AUTHORITY SECTION:
> nsec3.example.com. 86400 IN SOA a.ns.nsec3.example.com.
> hostmaster.adns2.de. 2011100204 39940 7200 604800 86400
> nsec3.example.com. 86400 IN RRSIG SOA 8 3 86400
> 20111013000000 20110929000000 5949 nsec3.example.com.
> PQjEEpfDDO2nEcObap+lpPAxhKRHnH02MYi99fUxRwVB4V3c2ZFAuEtd
> vlfMxAx7lnogfDmdLew4wT+UW4JddhtSI0poLf7Y9W7mMdeaw4zVdZql
> 7HIAp2QB+ku9LW+bKN+O2xTMRZ2PkfcPAOvK+2OwRSrBf2Dj9MaREyh2 I3g=
> 8sgphhqpl2lueminpbvobar8gcue7rbk.nsec3.example.com. 86400 IN NSEC3 1 1
> 10 08A80B76 BLPBV7OT65VBPSBI1QU86M3FH160VLIV NS SOA RRSIG DNSKEY NSEC3PARAM
> 8sgphhqpl2lueminpbvobar8gcue7rbk.nsec3.example.com. 86400 IN RRSIG NSEC3
> 8 4 86400 20111013000000 20110929000000 5949 nsec3.example.com.
> Ou7F28+3YuTu+BVLpPGv2oNJbTqDaxgu8KVbWEFqrp1o+xAKlOWhM0z9
> aOJYMDzBtARUWYmLRrWN2iX2zsKEMsdI7EM9E6CKVJOUY7hw2EW40DOK
> 8eeUieqIN/9lpnwQjVCRc90qgLfvgH95iXBQ5yYVqrxLonYMjBMspFN9 86Y=
> blpbv7ot65vbpsbi1qu86m3fh160vliv.nsec3.example.com. 86400 IN NSEC3 1 1
> 10 08A80B76 33IRO6M8U5MK1PIIHEDO3GJSD4QO53BR A RRSIG
> blpbv7ot65vbpsbi1qu86m3fh160vliv.nsec3.example.com. 86400 IN RRSIG NSEC3
> 8 4 86400 20111013000000 20110929000000 5949 nsec3.example.com.
> cWtYNq8TKe0GdgH1ZQRs9Kl+Y0LFZY16WS8/dCzVWi3mONP7bFbdfnqE
> UksrBxf84VW6JO81Jz85WJheFmEFLkTo8fHw3whyuQ2p7/RIg3pvNxMM
> 0+i1nAxw7ZZKLtug1BERXUNe46R9/OZuz9aagohVDnhqdYg6V5b055yN GXU=
> -------------------------------------------------------------
>
> It looks like powerdns proves the non-existence of ns.nsec3.example.com
> from foo.nsec3.example.com and a.ns.nsec3.example.com (the same as in
> the NSEC case, which works fine in nsd fwiw) while nsd needs an explicit
> NSEC3 record for this. Signing the zone with ldns you get this
> additional NSEC3 record:
>
> bc3qchshiisvurl7bleco2osgj3kdp4p.nsec3.example.com. 86400 IN
> NSEC3 1 1 10 08a80b76 blpbv7ot65vbpsbi1qu86m3fh160vliv ; flags: optout
>
> which I strongly suspect to be ns.nsec3.example.com.
>
> RFC 5155 has this to say (7.1. Zone Signing, page 16)
> o Each empty non-terminal MUST have a corresponding NSEC3 RR, unless
> the empty non-terminal is only derived from an insecure delegation
> covered by an Opt-Out NSEC3 RR.
>
> As a workaround I insert a TXT record for every empty non-terminal
> before handing the zone over to powerdns for signing - this seems to be
> working reasonably well.
>
> Thanks,
> Florian
>
> --
> I remember yesterday, but the memory is in my head now.
> Was yesterday real? Or is it only the memory that is real?
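The following is an added example, not code from this thread nor from PowerDNS, NSD or ldns. It finds the empty non-terminals (ENTs) of the zone quoted in the report, hashes every name with the NSEC3 parameters the report's NSEC3 records show (SHA-1, flags 1, 10 iterations, salt 08A80B76) per RFC 5155 section 5, and lists which names have no NSEC3 in the PowerDNS-signed zone, which is the check ldns-verify-zone was doing. The owner names, the hashed NSEC3 owners and the placeholder TXT workaround are taken from the report; the function names and the TXT content are assumptions made for the example.

```python
# Added example (not from the thread, PowerDNS, NSD or ldns): find empty
# non-terminals and check each name, ENTs included, has an NSEC3 RR as
# RFC 5155 section 7.1 requires.
import base64
import hashlib

ZONE_APEX = "nsec3.example.com."
# Owner names carrying RRsets in the unsigned zone from the report.
ZONE_OWNERS = {
    "nsec3.example.com.",
    "a.ns.nsec3.example.com.",
    "foo.nsec3.example.com.",
}
# NSEC3 parameters from the report's NSEC3 records: SHA-1, opt-out flag,
# 10 iterations, salt 08A80B76.
ITERATIONS = 10
SALT = bytes.fromhex("08A80B76")
# Hashed owner names of the NSEC3 RRs PowerDNS emitted (from the report).
PDNS_NSEC3_OWNERS = {
    "8sgphhqpl2lueminpbvobar8gcue7rbk",
    "blpbv7ot65vbpsbi1qu86m3fh160vliv",
    "33iro6m8u5mk1piihedo3gjsd4qo53br",
}

# RFC 4648 base32 -> base32hex alphabet, as NSEC3 owner names use the latter.
_B32_TO_B32HEX = str.maketrans(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV"
)


def labels(name):
    """Lower-cased labels of a name, most specific first; trailing dot optional."""
    return [l for l in name.lower().rstrip(".").split(".") if l]


def find_empty_non_terminals(owners, apex):
    """Names below the apex that own no RRset but have descendants that do."""
    apex_depth = len(labels(apex))
    owners_norm = {".".join(labels(o)) + "." for o in owners}
    ents = set()
    for owner in owners_norm:
        parts = labels(owner)
        # Walk from the owner's parent up to, but not including, the apex.
        for depth in range(len(parts) - 1, apex_depth, -1):
            ancestor = ".".join(parts[-depth:]) + "."
            if ancestor not in owners_norm:
                ents.add(ancestor)
    return ents


def wire_name(name):
    """Canonical (lower-case) wire format of a domain name."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels(name)) + b"\x00"


def nsec3_hash(name, salt=SALT, iterations=ITERATIONS):
    """RFC 5155 section 5: IH(0)=H(name|salt), IH(k)=H(IH(k-1)|salt); base32hex."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # A 20-byte SHA-1 digest is exactly 32 base32hex characters, no padding.
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()


def names_needing_nsec3(owners, apex):
    """Every name the signer must cover: the owners plus their ENTs (opt-out ignored)."""
    return {".".join(labels(o)) + "." for o in owners} | find_empty_non_terminals(owners, apex)


def names_missing_nsec3(owners, apex, signed_nsec3_owners):
    """Names whose NSEC3 hash is absent from the signed zone's NSEC3 owner set."""
    present = {o.lower() for o in signed_nsec3_owners}
    return sorted(n for n in names_needing_nsec3(owners, apex) if nsec3_hash(n) not in present)


def workaround_txt_records(ents, ttl=86400):
    """The report's workaround: a placeholder TXT at each ENT so the signer emits an NSEC3."""
    return [f'{ent} {ttl} IN TXT "ent-placeholder"' for ent in sorted(ents)]


if __name__ == "__main__":
    ents = find_empty_non_terminals(ZONE_OWNERS, ZONE_APEX)
    print("empty non-terminals:", sorted(ents))
    for name in sorted(names_needing_nsec3(ZONE_OWNERS, ZONE_APEX)):
        print(f"{nsec3_hash(name)}  {name}")
    print("no NSEC3 in the PowerDNS-signed zone for:",
          names_missing_nsec3(ZONE_OWNERS, ZONE_APEX, PDNS_NSEC3_OWNERS))
    for rr in workaround_txt_records(ents):
        print(rr)
```

Run it as a script; the hashed owner of an ENT can be compared against the NSEC3 chain a signer produced, which is how one would confirm which name the extra ldns record belongs to rather than guessing from the chain order. The ENT walk stops at the apex and ignores opt-out, so a name under an insecure delegation that opt-out legitimately leaves uncovered would still be reported.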