[Dnssec-deployment] nsec3 and wildcards

Chris Thompson cet1 at cam.ac.uk
Thu Oct 14 14:11:38 EDT 2010


On Oct 13 2010, Dave Lawrence wrote:

>Getting some curious validation failures involving wildcards, and
>wondering what other people think of it.
>
>Look up www.saveaward.gov.  It's synthesized from a wildcard, and its
>authorities return a response like this:
>
>; <<>> DiG 9.6.1-P1 <<>> +dnssec www.saveaward.gov
>;; global options: +cmd
>;; Got answer:
>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46080
>;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1
>;; WARNING: recursion requested but not available
>
>;; OPT PSEUDOSECTION:
>; EDNS: version: 0, flags: do; udp: 4096
>;; QUESTION SECTION:
>;www.saveaward.gov.             IN      A
>
>;; ANSWER SECTION:
>www.saveaward.gov.      3600    IN      A       63.161.169.169
>www.saveaward.gov.      3600    IN      RRSIG   A 7 2 3600 20101016111237 20101013101237 21164 saveaward.gov. H7XgXuEI4Ce5aWuB4nwNPXV8gq7eczf99W/1nq/xwVojHQnhrmegE4zx fnSb+gf1Z+Un0GeY50Qb8lU3yr+vHkPQZexhvLtnGOqqYA7AArRnuyhd IifUgDP4klxhoZbiy5FqJlX3Hds3ylAAj6j7whND5pd+pEa3qIGi1VOg QN4=
>
>;; AUTHORITY SECTION:
>ha3gp6japsgg70he7333h93ts1hbaqoc.saveaward.gov. 3600 IN NSEC3 1 0 1 5CDA81EAA50D3B1C 07LCCIMIMP41GU8O6KQ10CCUS91VH56I A RRSIG
>ha3gp6japsgg70he7333h93ts1hbaqoc.saveaward.gov. 3600 IN RRSIG NSEC3 7 3 3600 20101016111237 20101013101237 21164 saveaward.gov. axPALWrF8zKtLMR/LAKe9x25WzMXm4mrGIyf9ddBdxs1LSgsCibuFgcn r0aTJ8GG3tJfoyGZGMRgH8GvPm+ArdkNCXs3NKpIFCdOHkZN/PpsWj0c 9qpBVvwt5VG2bsYMyOglKPN3WcQVxbeegyoGi8QmycSjq+LVm16gtxzl YSs=
>
>BIND 9 and Nominum's CNS fail to validate this answer.  Unbound
>calls it valid.

What BIND version were you using here? I have no difficulty validating
www.saveaward.gov using 9.7.2-P2, while the responses from the authoritative
nameservers still look essentially as above (although the keys have changed).

-- 
Chris Thompson               University of Cambridge Computing Service,
Email: cet1 at ucs.cam.ac.uk    New Museums Site, Cambridge CB2 3QH,
Phone: +44 1223 334715       United Kingdom.
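The check that a validator has to make on the quoted response, as an added illustration that is not part of this thread or of any of the resolvers mentioned in it: the RRSIG on the A record carries a labels field of 2 while www.saveaward.gov has 3 labels, so the validator knows the answer was synthesized from *.saveaward.gov, and RFC 5155 section 8.8 requires an NSEC3 RR in the authority section that covers the "next closer name", here www.saveaward.gov itself, hashed with algorithm 1 (SHA-1), 1 extra iteration and salt 5CDA81EAA50D3B1C. The owner hash ha3gp6... sorts after the next-hash 07lcci..., so that NSEC3 is the last one in the zone's chain and covers the wrap-around from the end of the hash space back to the start. The NSEC3 hash function and the covering test below are written from the RFC; the only known-answer value in it is the RFC 5155 Appendix A hash of "example" (salt aabbccdd, 12 iterations). The saveaward.gov values are copied from the quoted dig output, and whether they cover the name is what the script reports, not something asserted here.

```python
import base64
import hashlib

# base32 (RFC 4648) alphabet -> base32hex alphabet, which NSEC3 owner names use
# because its lexical order matches the numeric order of the hashes.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name: str) -> bytes:
    """Canonical (lowercase) wire-format encoding of a domain name."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 section 5: IH(salt, x, 0) = H(x || salt); IH(salt, x, k) = H(IH(k-1) || salt).
    Hash algorithm 1 is SHA-1; the result is the lowercase base32hex owner label."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = wire_name(name)
    for _ in range(iterations + 1):          # 'iterations' extra rounds after the first
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()


def nsec3_covers(owner_hash: str, next_hash: str, target_hash: str) -> bool:
    """True if target_hash lies strictly between owner and next in the NSEC3 chain.
    When owner > next the record is the last in the chain and wraps around."""
    o, n, t = owner_hash.lower(), next_hash.lower(), target_hash.lower()
    if o < n:
        return o < t < n
    return t > o or t < n


def wildcard_next_closer(qname: str, rrsig_labels: int):
    """If the RRSIG labels field is smaller than the label count of qname, the
    answer was wildcard-expanded: the closest encloser is the last rrsig_labels
    labels and the next closer name adds one more label. Returns None otherwise."""
    labels = [l for l in qname.rstrip(".").lower().split(".") if l]
    if rrsig_labels >= len(labels):
        return None
    return ".".join(labels[-(rrsig_labels + 1):]) + "."


def check_wildcard_proof(qname: str, rrsig_labels: int, nsec3_rrs) -> bool:
    """RFC 5155 section 8.8: a wildcard answer is valid only if some NSEC3 RR in the
    response covers the next closer name. nsec3_rrs is a list of tuples
    (owner_label_hash, iterations, salt_hex, next_hash) taken from the authority section."""
    next_closer = wildcard_next_closer(qname, rrsig_labels)
    if next_closer is None:
        return False                          # not a wildcard expansion: no proof needed
    for owner_hash, iterations, salt_hex, next_hash in nsec3_rrs:
        if nsec3_covers(owner_hash, next_hash, nsec3_hash(next_closer, salt_hex, iterations)):
            return True
    return False


if __name__ == "__main__":
    # Values copied from the quoted response: NSEC3 1 0 1 5CDA81EAA50D3B1C, RRSIG labels = 2.
    rr = ("ha3gp6japsgg70he7333h93ts1hbaqoc", 1, "5CDA81EAA50D3B1C",
          "07LCCIMIMP41GU8O6KQ10CCUS91VH56I")
    nc = wildcard_next_closer("www.saveaward.gov.", 2)
    print("next closer name:", nc)
    print("its NSEC3 hash:  ", nsec3_hash(nc, rr[2], rr[1]))
    print("covered by the NSEC3 in the response:", check_wildcard_proof("www.saveaward.gov.", 2, [rr]))
```

Running the script prints the hash the validator computes for www.saveaward.gov and whether it falls inside the interval the quoted NSEC3 spans; a resolver that rejects this answer while the hash does fall in that interval is applying a stricter rule than section 8.8 requires (or mishandling the wrap-around case), which is the kind of difference between implementations the thread is about.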

