[Pdns-users] pre-signed zone with NSEC3 and opt-out flag mixed, PDNS broken
Klaus Darilion
klaus.mailinglists at pernau.at
Tue Apr 1 14:01:46 UTC 2014
Hi!
I use PowerDNS from git HEAD from 20140320 (somewhere between 3.3.1 and 3.4).
For pre-signed zones, PDNS deletes the NSEC3 records on incoming zone
transfer, and generates them when needed, and then they hopefully match
the pre-signed zone.
AFAIS there is a problem in detecting how the NSEC3 records should be
generated. For example, Bind generates NSEC3 records - some with the
opt-out flag set, some with the opt-out flag cleared, regardless of the
configured NSEC3PARAM record.
E.g. the incoming NSEC3PARAM record is:
NSEC3PARAM 1 0 10 BEEF
PDNS stored in the domainmetadata:
1 1 10 beef
Thus, it seems that PDNS ignores the NSEC3PARAM record and retrieves the
parameters from the NSEC records themselves. But these records may have
different parameters (the RFC allows a mixed operation).
For opt-out NSEC3 records this works for PDNS, but not for non-opt-out
NSEC3 records, e.g. here is the response from the hidden master (Bind signer):
I5G81FPSAIPRKI8OUCVBB662QN9F4AB1.example. 900 IN NSEC3 1 0 10 BEEF
IFM20V814R4G440BGE4I249LE1CR05PD
I5G81FPSAIPRKI8OUCVBB662QN9F4AB1.example. 900 IN RRSIG NSEC3 7 3 900
20140412103334 20140313094600 21170 example.
kj1B4llSd3z1pGd6/kV+b8TvsO3QUWiZ++1ny2dBbKiIIOJ8o8ytImWg
pUbu3tRiWz/+8e1szgbzIgiAikD0ZRjrMuAyDR7LeG+79pwD50dQNAW4
XKLCAeoy9rcZgHJThcPQASdGBl/GbofjOdBv7qPhgXLp15mU7y8WGXRg HA4=
Here is the response from PowerDNS:
i5g81fpsaiprki8oucvbb662qn9f4ab1.example. 900 IN NSEC3 1 1 10 BEEF
IFM20V814R4G440BGE4I249LE1CR05PD
i5g81fpsaiprki8oucvbb662qn9f4ab1.example. 900 IN RRSIG NSEC3 7 3 900
20140412103334 20140313094600 21170 example.
kj1B4llSd3z1pGd6/kV+b8TvsO3QUWiZ++1ny2dBbKiIIOJ8o8ytImWg
pUbu3tRiWz/+8e1szgbzIgiAikD0ZRjrMuAyDR7LeG+79pwD50dQNAW4
XKLCAeoy9rcZgHJThcPQASdGBl/GbofjOdBv7qPhgXLp15mU7y8WGXRg HA4=
The opt-out bit is incorrectly set and the RRSIG's signature does not
match the NSEC3 record.
I think the current PDNS approach of dynamically generating NSEC3
records for pre-signed zones is broken and error-prone.
Shall I file a bug report, or is there a workaround?
Thanks
Klaus
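A consistency check for the mismatch described in this post, added here as an example and not part of the original message or of PowerDNS: it parses the NSEC3 records from the hidden master's pre-signed zone and from the serving PowerDNS and reports records whose opt-out flag (or any other NSEC3 field) differs, because the flags octet is part of the RDATA the pre-signed RRSIG covers. The NSEC3PARAM owner name `example.` and the MASTER/SERVED sample texts are constructed from the records quoted above.

```python
import re

# Added example, not PowerDNS code: RFC 5155 NSEC3 RDATA is
# "hash-alg flags iterations salt next-hashed-owner [types]".
OPT_OUT = 0x01  # opt-out bit of the NSEC3 flags octet (RFC 5155)
# Dumps wrap long records over several lines, so input is whitespace-flattened first.
NSEC3_RE = re.compile(r"(\S+)\s+\d+\s+IN\s+NSEC3\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)")
NSEC3PARAM_RE = re.compile(r"IN\s+NSEC3PARAM\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)")

def parse_nsec3_records(zone_text):
    """Map lowercased owner -> (alg, flags, iterations, SALT, NEXT_HASHED)."""
    out = {}
    for m in NSEC3_RE.finditer(" ".join(zone_text.split())):
        owner, alg, flags, iters, salt, nxt = m.groups()
        out[owner.lower()] = (int(alg), int(flags), int(iters), salt.upper(), nxt.upper())
    return out

def parse_nsec3param(zone_text):
    """Return (alg, iterations, SALT); NSEC3PARAM flags are always 0, so skipped."""
    m = NSEC3PARAM_RE.search(" ".join(zone_text.split()))
    return (int(m.group(1)), int(m.group(3)), m.group(4).upper()) if m else None

def check_served_chain(master_text, served_text):
    """Return findings (empty list = served NSEC3 chain matches the pre-signed one)."""
    findings, param = [], parse_nsec3param(master_text)
    master, served = parse_nsec3_records(master_text), parse_nsec3_records(served_text)
    for owner, (alg, flags, iters, salt, nxt) in master.items():
        if param and (alg, iters, salt) != param:
            findings.append(f"{owner}: NSEC3 {(alg, iters, salt)} disagrees with NSEC3PARAM {param}")
        if owner not in served:
            findings.append(f"{owner}: NSEC3 missing from served zone")
            continue
        s_alg, s_flags, s_iters, s_salt, s_nxt = served[owner]
        if (s_alg, s_iters, s_salt, s_nxt) != (alg, iters, salt, nxt):
            findings.append(f"{owner}: served NSEC3 fields differ from the pre-signed record")
        if (s_flags & OPT_OUT) != (flags & OPT_OUT):  # flags are signed RDATA
            findings.append(f"{owner}: opt-out served={s_flags & OPT_OUT} "
                            f"pre-signed={flags & OPT_OUT}; pre-signed RRSIG no longer covers it")
    return findings

# Constructed sample input, built from the records quoted in the post (owner
# "example." for NSEC3PARAM is assumed from the RRSIG signer name).
MASTER = """example. 900 IN NSEC3PARAM 1 0 10 BEEF
I5G81FPSAIPRKI8OUCVBB662QN9F4AB1.example. 900 IN NSEC3 1 0 10 BEEF
IFM20V814R4G440BGE4I249LE1CR05PD"""
SERVED = """i5g81fpsaiprki8oucvbb662qn9f4ab1.example. 900 IN NSEC3 1 1 10 BEEF
IFM20V814R4G440BGE4I249LE1CR05PD"""

if __name__ == "__main__":
    print("\n".join(check_served_chain(MASTER, SERVED)) or "consistent")
```

Run against a real setup by feeding it the AXFR text from the master and a dig dump of the same NSEC3 owners from the secondary.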