[Dnssec-deployment] nsec3 and wildcards
Chris Thompson
cet1 at cam.ac.uk
Thu Oct 14 14:11:38 EDT 2010
On Oct 13 2010, Dave Lawrence wrote:
>Getting some curious validation failures involving wildcards, and
>wondering what other people think of it.
>
>Look up www.saveaward.gov. It's synthesized from a wildcard, and its
>authorities return a response like this:
>
>; <<>> DiG 9.6.1-P1 <<>> +dnssec www.saveaward.gov
>;; global options: +cmd
>;; Got answer:
>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46080
>;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1
>;; WARNING: recursion requested but not available
>
>;; OPT PSEUDOSECTION:
>; EDNS: version: 0, flags: do; udp: 4096
>;; QUESTION SECTION:
>;www.saveaward.gov. IN A
>
>;; ANSWER SECTION:
>www.saveaward.gov. 3600 IN A 63.161.169.169
>www.saveaward.gov. 3600 IN RRSIG A 7 2 3600 20101016111237 20101013101237 21164 saveaward.gov. H7XgXuEI4Ce5aWuB4nwNPXV8gq7eczf99W/1nq/xwVojHQnhrmegE4zx fnSb+gf1Z+Un0GeY50Qb8lU3yr+vHkPQZexhvLtnGOqqYA7AArRnuyhd IifUgDP4klxhoZbiy5FqJlX3Hds3ylAAj6j7whND5pd+pEa3qIGi1VOg QN4=
>
>;; AUTHORITY SECTION:
>ha3gp6japsgg70he7333h93ts1hbaqoc.saveaward.gov. 3600 IN NSEC3 1 0 1 5CDA81EAA50D3B1C 07LCCIMIMP41GU8O6KQ10CCUS91VH56I A RRSIG
>ha3gp6japsgg70he7333h93ts1hbaqoc.saveaward.gov. 3600 IN RRSIG NSEC3 7 3 3600 20101016111237 20101013101237 21164 saveaward.gov. axPALWrF8zKtLMR/LAKe9x25WzMXm4mrGIyf9ddBdxs1LSgsCibuFgcn r0aTJ8GG3tJfoyGZGMRgH8GvPm+ArdkNCXs3NKpIFCdOHkZN/PpsWj0c 9qpBVvwt5VG2bsYMyOglKPN3WcQVxbeegyoGi8QmycSjq+LVm16gtxzl YSs=
>
>BIND 9 and Nominum's CNS fail to validate this answer. Unbound
>calls it valid.
What BIND version were you using here? I have no difficulty validating
www.saveaward.gov using 9.7.2-P2, while the responses from the authoritative
nameservers still look essentially as above (although the keys have changed).
--
Chris Thompson
University of Cambridge Computing Service,
New Museums Site, Cambridge CB2 3QH, United Kingdom.
Email: cet1 at ucs.cam.ac.uk
Phone: +44 1223 334715
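The validation question in the quoted message comes down to two checks a resolver makes on a wildcard answer: the RRSIG labels field (2) is smaller than the label count of www.saveaward.gov (3), so the A record was synthesized from *.saveaward.gov, and the NSEC3 in the authority section must then prove that the "next closer name" (here www.saveaward.gov itself) does not exist. The following script is an added example, not code from either poster or from BIND, Unbound or CNS. It implements the label-count rule of RFC 4035 section 5.3.4, the NSEC3 hash of RFC 5155 section 5 and the wildcard-answer proof of RFC 5155 section 7.2.6, using the two authority-section records copied from the dig output above (the RRSIG signature data is omitted because signatures are not verified here; the opt-out flag is parsed but not acted on).

```python
# Added example: checks the NSEC3 wildcard proof for a response like the one
# quoted in the thread. It does NOT verify RRSIG signatures; it only checks
# wildcard detection and the "next closer name" non-existence proof.
import base64
import hashlib
from typing import Dict, List, Optional, Tuple

# Records copied from the dig output above; the RRSIG signature data is left
# out because this script never validates the signature itself.
RRSIG_RR = ("www.saveaward.gov. 3600 IN RRSIG A 7 2 3600 20101016111237 "
            "20101013101237 21164 saveaward.gov. <signature omitted>")
NSEC3_RR = ("ha3gp6japsgg70he7333h93ts1hbaqoc.saveaward.gov. 3600 IN NSEC3 1 0 1 "
            "5CDA81EAA50D3B1C 07LCCIMIMP41GU8O6KQ10CCUS91VH56I A RRSIG")

# base32 (RFC 4648 section 6) -> base32hex (RFC 4648 section 7) alphabet map
_TO_BASE32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                              "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def name_to_wire(name: str) -> bytes:
    """Canonical wire form (RFC 4034 section 6.2): lowercase, length-prefixed labels."""
    stripped = name.lower().rstrip(".")
    out = bytearray()
    for label in (stripped.split(".") if stripped else []):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label in {name!r}")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def nsec3_hash(name: str, salt_hex: str, iterations: int, algorithm: int = 1) -> str:
    """RFC 5155 section 5: IH(0) = H(name || salt), IH(k) = H(IH(k-1) || salt)."""
    if algorithm != 1:
        raise ValueError("only SHA-1 (NSEC3 hash algorithm 1) is defined")
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20-byte digest -> exactly 32 base32hex characters, no padding
    return base64.b32encode(digest).decode("ascii").translate(_TO_BASE32HEX).lower()


def wildcard_source(owner: str, rrsig_labels: int) -> Optional[str]:
    """RFC 4035 section 5.3.4: fewer RRSIG labels than owner labels => wildcard."""
    labels = owner.rstrip(".").split(".")
    if rrsig_labels >= len(labels):
        return None
    return "*." + ".".join(labels[-rrsig_labels:]) + "."


def next_closer_name(owner: str, rrsig_labels: int) -> str:
    """The name one label longer than the closest encloser; it must not exist."""
    labels = owner.rstrip(".").split(".")
    return ".".join(labels[-(rrsig_labels + 1):]) + "."


def nsec3_covers(owner_hash: str, next_hash: str, target_hash: str) -> bool:
    """True if target_hash lies strictly between owner and next in hash order."""
    o, n, t = (s.lower() for s in (owner_hash, next_hash, target_hash))
    if o < n:
        return o < t < n
    return t > o or t < n  # last NSEC3 of the chain wraps around to the first


def parse_nsec3_rr(rr: str) -> Tuple[str, int, int, int, str, str]:
    """Returns (owner hash label, algorithm, flags, iterations, salt, next hash)."""
    f = rr.split()
    return f[0].split(".")[0], int(f[4]), int(f[5]), int(f[6]), f[7], f[8]


def rrsig_labels(rr: str) -> int:
    """Labels field of an RRSIG in presentation format."""
    return int(rr.split()[6])


def check_wildcard_proof(qname: str, sig_labels: int, nsec3_rrs: List[str]) -> Dict:
    """RFC 5155 section 7.2.6: a wildcard answer needs an NSEC3 covering the next closer name."""
    wildcard = wildcard_source(qname, sig_labels)
    if wildcard is None:
        return {"wildcard": None, "proof_ok": True, "reason": "not a wildcard answer"}
    ncn = next_closer_name(qname, sig_labels)
    result = {"wildcard": wildcard, "next_closer": ncn}
    for rr in nsec3_rrs:
        owner, alg, _flags, iters, salt, nxt = parse_nsec3_rr(rr)
        h = nsec3_hash(ncn, salt, iters, alg)
        result["next_closer_hash"] = h
        if h == owner.lower():
            return {**result, "proof_ok": False, "reason": f"{ncn} exists (NSEC3 matches it)"}
        if nsec3_covers(owner, nxt, h):
            return {**result, "proof_ok": True, "reason": "NSEC3 covers next closer name"}
    return {**result, "proof_ok": False, "reason": "no NSEC3 covers next closer name"}


if __name__ == "__main__":
    verdict = check_wildcard_proof("www.saveaward.gov.", rrsig_labels(RRSIG_RR), [NSEC3_RR])
    for key, value in verdict.items():
        print(f"{key}: {value}")
```

Running it prints the synthesizing wildcard, the next closer name and its NSEC3 hash under the zone's salt and iteration count, and whether the quoted NSEC3 covers that hash. The hash routine can be checked against the test vectors in RFC 5155 Appendix A before relying on it; a validator that also verified the two RRSIGs, honoured the opt-out flag and checked the NSEC3PARAM values would be doing the full job.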