[Pdns-users] pre-signed zone with NSEC3 and opt-out flag mixed, PDNS broken

Klaus Darilion klaus.mailinglists at pernau.at
Tue Apr 1 15:47:15 UTC 2014


I just learned that the flag in the NSEC3PARAM is always 0, regardless 
of whether opt-out is enabled or not. And mixed NSEC3 records are not Bind's 
standard behavior.

Nevertheless I think PowerDNS will fail if the upstream name server 
mixes non-opt-out and opt-out.

Thanks
Klaus



On 01.04.2014 16:01, Klaus Darilion wrote:
> Hi!
>
> I use PowerDNS from git HEAD from 20140320 (somewhere between 3.3.1 and
> 3.4)
>
> For pre-signed zones, PDNS deletes the NSEC3 records on incoming zone
> transfer, and generates them when needed, and then they hopefully match
> the pre-signed zone.
>
> AFAIS there is a problem in detecting how the NSEC3 records should be
> generated. For example, Bind generates NSEC3 records - some with the
> opt-out flag set, some with the opt-out flag cleared, regardless of the
> configured NSEC3PARAM record.
>
> E.g. the incoming NSEC3PARAM record is:
>
>    NSEC3PARAM 1 0 10 BEEF
>
> PDNS stored in the domainmetadata:
>
>    1 1 10 beef
>
> Thus, it seems that PDNS ignores the NSEC3PARAM record and retrieves the
> parameters from the NSEC3 records itself. But these records may have
> different parameters (the RFC allows a mixed operation).
>
> For opt-out NSEC3 records this works for PDNS, but not for non-opt-out
> NSEC3 records, e.g. here the response from the hidden master (Bind signer):
>
> I5G81FPSAIPRKI8OUCVBB662QN9F4AB1.example. 900 IN NSEC3 1 0 10 BEEF
> IFM20V814R4G440BGE4I249LE1CR05PD
> I5G81FPSAIPRKI8OUCVBB662QN9F4AB1.example. 900 IN RRSIG NSEC3 7 3 900
> 20140412103334 20140313094600 21170 example.
> kj1B4llSd3z1pGd6/kV+b8TvsO3QUWiZ++1ny2dBbKiIIOJ8o8ytImWg
> pUbu3tRiWz/+8e1szgbzIgiAikD0ZRjrMuAyDR7LeG+79pwD50dQNAW4
> XKLCAeoy9rcZgHJThcPQASdGBl/GbofjOdBv7qPhgXLp15mU7y8WGXRg HA4=
>
> Here the response from PowerDNS:
>
> i5g81fpsaiprki8oucvbb662qn9f4ab1.example. 900 IN NSEC3 1 1 10 BEEF
> IFM20V814R4G440BGE4I249LE1CR05PD
> i5g81fpsaiprki8oucvbb662qn9f4ab1.example. 900 IN RRSIG NSEC3 7 3 900
> 20140412103334 20140313094600 21170 example.
> kj1B4llSd3z1pGd6/kV+b8TvsO3QUWiZ++1ny2dBbKiIIOJ8o8ytImWg
> pUbu3tRiWz/+8e1szgbzIgiAikD0ZRjrMuAyDR7LeG+79pwD50dQNAW4
> XKLCAeoy9rcZgHJThcPQASdGBl/GbofjOdBv7qPhgXLp15mU7y8WGXRg HA4=
>
> The opt-out bit is incorrectly set and the RRSIG's signature does not
> match the NSEC3 record.
>
>
> I think, the current PDNS approach of dynamically generating NSEC3
> records for pre-signed zones is broken and error-prone.
>
>
> Shall I file a bug report, or is there a workaround?
>
> Thanks
> Klaus
>
>
>
> _______________________________________________
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com
> http://mailman.powerdns.com/mailman/listinfo/pdns-users
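An added check for the mismatch described in this thread (example code, not part of the thread and not PowerDNS's own code): it parses the NSEC3 records quoted above from the Bind master and from PowerDNS, reports any field that differs per owner name (here the opt-out flag), verifies that the NSEC3PARAM flags field is zero as RFC 5155 requires, and tells whether a chain mixes opt-out and non-opt-out records. The NSEC3PARAM line is constructed from the values in the mail; the RRSIGs are omitted because no DNSKEY is available to verify them.

```python
# NSEC3 records copied from the thread: the Bind-signed master's record and the
# one PowerDNS served for the same owner. Type bitmaps are empty in the mail.
MASTER = """
I5G81FPSAIPRKI8OUCVBB662QN9F4AB1.example. 900 IN NSEC3 1 0 10 BEEF IFM20V814R4G440BGE4I249LE1CR05PD
"""
SECONDARY = """
i5g81fpsaiprki8oucvbb662qn9f4ab1.example. 900 IN NSEC3 1 1 10 BEEF IFM20V814R4G440BGE4I249LE1CR05PD
"""
# Constructed from the NSEC3PARAM values in the mail (1 0 10 BEEF).
NSEC3PARAM = "example. 900 IN NSEC3PARAM 1 0 10 BEEF"

OPT_OUT = 0x01  # NSEC3 flags bit, RFC 5155 section 3.1.2.1
FIELDS = ("algorithm", "flags", "iterations", "salt", "next", "types")

def parse_nsec3(text):
    """Map lowercase owner name -> (algorithm, flags, iterations, salt, next, types)."""
    recs = {}
    for line in text.strip().splitlines():
        f = line.split()
        if len(f) < 9 or f[3] != "NSEC3":
            continue
        owner = f[0].lower().rstrip(".")           # owner names are case-insensitive
        alg, flags, iters = int(f[4]), int(f[5]), int(f[6])
        salt, nxt = f[7].lower(), f[8].upper()      # salt is hex, next hash is base32hex
        recs[owner] = (alg, flags, iters, salt, nxt, tuple(f[9:]))
    return recs

def nsec3param_flags_ok(line):
    """RFC 5155 section 4.1.2: NSEC3PARAM flags carry no opt-out bit and must be 0."""
    f = line.split()
    return f[3] == "NSEC3PARAM" and int(f[5]) == 0

def compare(master, served):
    """Return (owner, field, master_value, served_value) for every differing field."""
    diffs = []
    for owner, m in master.items():
        s = served.get(owner)
        if s is None:
            diffs.append((owner, "missing", m, None))
            continue
        diffs += [(owner, n, mv, sv) for n, mv, sv in zip(FIELDS, m, s) if mv != sv]
    return diffs

def opt_out_mixed(recs):
    """True when a chain carries both opt-out and non-opt-out NSEC3 records."""
    return len({r[1] & OPT_OUT for r in recs.values()}) > 1

if __name__ == "__main__":
    print(nsec3param_flags_ok(NSEC3PARAM))
    for d in compare(parse_nsec3(MASTER), parse_nsec3(SECONDARY)):
        print("mismatch:", d)
```

Run it against a full AXFR from the master and the matching responses from the secondary to find every owner whose regenerated NSEC3 no longer matches the pre-signed RRSIG.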



