[Dnssec-deployment] nsec3 and wildcards

Dave Lawrence tale at dd.org
Wed Oct 13 18:00:17 EDT 2010


Getting some curious validation failures involving wildcards, and
wondering what other people think of it.

Look up www.saveaward.gov.  It's synthesized from a wildcard, and its
authorities return a response like this:

; <<>> DiG 9.6.1-P1 <<>> +dnssec www.saveaward.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46080
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.saveaward.gov.             IN      A

;; ANSWER SECTION:
www.saveaward.gov.      3600    IN      A       63.161.169.169
www.saveaward.gov.      3600    IN      RRSIG   A 7 2 3600 20101016111237 20101013101237 21164 saveaward.gov. H7XgXuEI4Ce5aWuB4nwNPXV8gq7eczf99W/1nq/xwVojHQnhrmegE4zx fnSb+gf1Z+Un0GeY50Qb8lU3yr+vHkPQZexhvLtnGOqqYA7AArRnuyhd IifUgDP4klxhoZbiy5FqJlX3Hds3ylAAj6j7whND5pd+pEa3qIGi1VOg QN4=

;; AUTHORITY SECTION:
ha3gp6japsgg70he7333h93ts1hbaqoc.saveaward.gov. 3600 IN NSEC3 1 0 1 5CDA81EAA50D3B1C 07LCCIMIMP41GU8O6KQ10CCUS91VH56I A RRSIG
ha3gp6japsgg70he7333h93ts1hbaqoc.saveaward.gov. 3600 IN RRSIG NSEC3 7 3 3600 20101016111237 20101013101237 21164 saveaward.gov. axPALWrF8zKtLMR/LAKe9x25WzMXm4mrGIyf9ddBdxs1LSgsCibuFgcn r0aTJ8GG3tJfoyGZGMRgH8GvPm+ArdkNCXs3NKpIFCdOHkZN/PpsWj0c 9qpBVvwt5VG2bsYMyOglKPN3WcQVxbeegyoGi8QmycSjq+LVm16gtxzl YSs=

BIND 9 and Nominum's CNS fail to validate this answer.  Unbound
calls it valid.

BIND (and presumably CNS, but I'm not sure on the latter) is expecting
an answer like the following, which has an nsec3 for the closest
encloser in addition to the nsec3 for the next closer name.  It
declares this answer valid.

; <<>> DiG 9.6.1-P1 <<>> +dnssec www.saveaward.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54472
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.saveaward.gov.             IN      A

;; ANSWER SECTION:
www.saveaward.gov.      3600    IN      A       63.161.169.169
www.saveaward.gov.      3600    IN      RRSIG   A 7 2 3600 20101016113050 20101013103050 43484 saveaward.gov. HABbv0FzGE8G96zE9vUxo12u72i9Y8nUC7u8uzWU+Y6ztFHJjVpBfBnY f6CGvbho5Y6L1/rEy/lE5F2AyBji6NuMAuQJjId/hISLxwDVEBx14yLG L92LQ8nGfSmCOxNbA6VsqJqRY+tfGx0Y/9KNRNb4KvxrmYyey/MYRNNE kpU=

;; AUTHORITY SECTION:
42t9pld8d9cqdik9gndbn1vb1511imnr.saveaward.gov. 3600 IN NSEC3 1 0 1 E05C0C77C956BA1F 7F663410M9R63GJJKQ4RQ7GDUD9R893V A NS SOA RRSIG DNSKEY NSEC3PARAM
42t9pld8d9cqdik9gndbn1vb1511imnr.saveaward.gov. 3600 IN RRSIG NSEC3 7 3 3600 20101016113050 20101013103050 43484 saveaward.gov. eTNKTPTBj3lo53riBzyFa++8KWY4C61gTni8c/uUu0d4OXdBeoK6U5AH uSalPvTYEE7A09y6hyrivvniVgwOPdp/QOOIJYZcy7JKjgHD8zwwSLD4 xLqScnaq2irbTX+P0HQd6GsP7nH9Hkf94F6Mo8DebRm9+o+rlGAC+VO+ 8Gk=
7f663410m9r63gjjkq4rq7gdud9r893v.saveaward.gov. 3600 IN NSEC3 1 0 1 E05C0C77C956BA1F 42T9PLD8D9CQDIK9GNDBN1VB1511IMNR A RRSIG
7f663410m9r63gjjkq4rq7gdud9r893v.saveaward.gov. 3600 IN RRSIG NSEC3 7 3 3600 20101016113050 20101013103050 43484 saveaward.gov. NsUsVGgl7TYMGZBGpMZ2DwqlRITZHNO64b3MPTrSa2fORkHwm0ylqoaO 9pmQ6msrubsF5FT6Lg1V4j3tU1c3MXRlQb+WXL4VNGXsXTXesnOfdBTZ SK/nUV8o1GxRBsvz8oj8kBc3PviSRdhBq21xWrYFgJAENs6t9riB/7SX 6ns=

According to my reading of RFC 5155 7.2.6, the additional nsec3 is not
needed:

   To this end, the NSEC3 RR that covers the "next closer" name of the
   immediate ancestor of the wildcard MUST be returned.  It is not
   necessary to return an NSEC3 RR that matches the closest encloser, as
   the existence of this closest encloser is proven by the presence of
   the expanded wildcard in the response.

Has something superseded this?  Are BIND/CNS being too thorough, or
Unbound and the authority not thorough enough?
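To make the RFC 5155 section 7.2.6 argument concrete, here is an added Python example (not part of the thread, and not code from BIND, CNS or Unbound) that performs the wildcard check a validator is supposed to do: it takes the labels field of the wildcard-expanded RRSIG (2 for www.saveaward.gov, so the closest encloser is saveaward.gov and the "next closer" name is www.saveaward.gov), hashes the next closer name with the NSEC3 parameters carried in each NSEC3 RR of the authority section, and reports which NSEC3, if any, covers that hash. The NSEC3 line is the one from the first dig output above; the base32hex test vector (zone "example", salt aabbccdd, 12 iterations) is from RFC 5155 Appendix A. Whether the saveaward.gov record actually covers the hash is not asserted here; run the block to see it.

```python
import base64
import hashlib

# base32 -> base32hex alphabet translation (RFC 4648); SHA-1 gives 20 bytes,
# so the encoding is exactly 32 characters with no padding.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def to_wire(name: str) -> bytes:
    """Canonical (lowercase, uncompressed) wire form of a domain name."""
    labels = [l for l in name.lower().rstrip('.').split('.') if l]
    return b''.join(bytes([len(l)]) + l.encode('ascii') for l in labels) + b'\x00'


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 section 5: H(x) = SHA-1(x || salt), re-applied `iterations` times."""
    salt = b'' if salt_hex == '-' else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode('ascii').translate(_B32_TO_B32HEX).lower()


def next_closer(qname: str, rrsig_labels: int) -> tuple:
    """Derive (closest encloser, next closer name) from the RRSIG labels field
    of a wildcard-expanded answer (RFC 5155 section 7.2.6)."""
    labels = qname.lower().rstrip('.').split('.')
    if rrsig_labels >= len(labels):
        raise ValueError("RRSIG labels field says this answer was not wildcard-expanded")
    closest_encloser = '.'.join(labels[-rrsig_labels:])
    return closest_encloser, '.'.join(labels[-(rrsig_labels + 1):])


def nsec3_covers(owner_hash: str, next_hash: str, target_hash: str) -> bool:
    """True if target lies strictly between owner and next in hash order.
    The last NSEC3 in the chain has owner > next and wraps around to the first."""
    o, n, t = owner_hash.lower(), next_hash.lower(), target_hash.lower()
    if o == n:                      # single-record chain covers everything but itself
        return t != o
    if o < n:
        return o < t < n
    return t > o or t < n           # wrap-around record


def parse_nsec3(line: str) -> dict:
    """Parse one NSEC3 RR as dig prints it:
    owner ttl IN NSEC3 alg flags iterations salt next-hash [types...]"""
    f = line.split()
    if len(f) < 9 or f[3] != 'NSEC3':
        raise ValueError("not an NSEC3 RR: " + line)
    owner = f[0].lower().rstrip('.')
    return {
        'owner': owner,
        'owner_hash': owner.split('.')[0],
        'algorithm': int(f[4]),
        'flags': int(f[5]),
        'iterations': int(f[6]),
        'salt': f[7],
        'next_hash': f[8].lower(),
        'types': f[9:],
    }


def wildcard_proof(qname: str, rrsig_labels: int, nsec3_lines: list):
    """Section 7.2.6 check: return the owner of the NSEC3 that covers the
    next closer name's hash, or None if nothing in the authority section does."""
    _, nc = next_closer(qname, rrsig_labels)
    for rr in map(parse_nsec3, nsec3_lines):
        if rr['algorithm'] != 1:    # only SHA-1 (algorithm 1) is defined for NSEC3
            continue
        if nsec3_covers(rr['owner_hash'], rr['next_hash'],
                        nsec3_hash(nc, rr['salt'], rr['iterations'])):
            return rr['owner']
    return None


# The NSEC3 from the first dig output in the thread (copied, not constructed).
FIRST_RESPONSE_NSEC3 = [
    "ha3gp6japsgg70he7333h93ts1hbaqoc.saveaward.gov. 3600 IN NSEC3 1 0 1 "
    "5CDA81EAA50D3B1C 07LCCIMIMP41GU8O6KQ10CCUS91VH56I A RRSIG",
]

if __name__ == '__main__':
    ce, nc = next_closer("www.saveaward.gov.", 2)   # 2 is the RRSIG labels field
    rr = parse_nsec3(FIRST_RESPONSE_NSEC3[0])
    print("closest encloser:", ce, " next closer:", nc)
    print("H(next closer)  :", nsec3_hash(nc, rr['salt'], rr['iterations']))
    print("covered by      :", wildcard_proof("www.saveaward.gov.", 2, FIRST_RESPONSE_NSEC3))
```

The only thing the 7.2.6 text requires is that `wildcard_proof` finds a covering NSEC3; a matching NSEC3 for the closest encloser (the extra record in the second response) is not consulted at all, which is the reading the post relies on. Note that the two responses use different salts and key tags, so each response has to be checked against its own NSEC3 parameters rather than a cached NSEC3PARAM.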
