[Dnssec-deployment] Bind 9 validation failure on kocarkydavidek.cz (NSEC3 related)
olaf at NLnetLabs.nl
Wed Oct 19 14:52:24 EDT 2011
On Oct 19, 2011, at 6:44 PM, Mohan Parthasarathy wrote:
> On Tue, Oct 18, 2011 at 9:07 AM, Mark Andrews <marka at isc.org> wrote:
>> Named is looking for a closest encloser NSEC3 record and not finding
>> it. I have a patch to get the closest encloser from the RRSIG of
>> the A record and with that the response validates. The patch still
>> needs to be reviewed.
> There is a positive "A" response. Why is it even looking at the NSEC3 record?
Look at the sig.
xyx.kocarkydavidek.cz. 3600 IN A 22.214.171.124
xyx.kocarkydavidek.cz. 3600 IN RRSIG A 7 2 3600 20111114043207 (
The RRSIG has a label count of 2 which means it is matching a wildcard.
Now the validator has to prove that there is no direct match against the query name. In NSEC3 terms that means matching for the closest encloser. Since the validator knows the location of the wildcard by looking at the signature, it also knows that the closest encloser is at label count 2.
Olaf M. Kolkman NLnet Labs
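The derivation Olaf describes, as an added worked example that is not part of the thread and is not BIND's code: starting from the query name and the RRSIG Labels field (2, from the signature above), derive the closest encloser, the "next closer" name and the wildcard that produced the answer, hash names the RFC 5155 way (SHA-1, salt, iterations, base32hex) and check whether a candidate NSEC3 covers the hashed next closer name, including the wrap-around case at the end of the hashed chain (RFC 5155 section 8.8 covers the wildcard answer procedure). The zone's NSEC3 salt and iteration count are assumed values, since the thread does not show kocarkydavidek.cz's NSEC3PARAM; the hash routine is checked against the RFC 5155 Appendix A vector for "example." instead.

```python
import base64
import hashlib

# Inputs taken from the thread: the query name and the Labels field of
# the RRSIG covering the A record. Salt and iterations are ASSUMED, the
# thread never shows the zone's NSEC3PARAM record.
QNAME = "xyx.kocarkydavidek.cz."
RRSIG_LABELS = 2
ASSUMED_SALT_HEX = "aabbccdd"   # "-" would mean an empty salt
ASSUMED_ITERATIONS = 12

_B32_STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_B32_HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV"
_TO_BASE32HEX = str.maketrans(_B32_STD, _B32_HEX)


def canonical_labels(name):
    """Split a presentation-format name into lowercase labels (root dropped)."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []


def wire_name(name):
    """Canonical wire format: length-prefixed lowercase labels, zero terminator."""
    out = b""
    for label in canonical_labels(name):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 section 5 with hash algorithm 1 (SHA-1).

    IH(salt, x, 0) = H(x || salt); IH(salt, x, k) = H(IH(salt, x, k-1) || salt),
    so the digest is computed iterations + 1 times. The result is the
    base32hex encoding of the 20-byte digest (32 characters, no padding).
    """
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    encoded = base64.b32encode(digest).decode("ascii")
    return encoded.translate(_TO_BASE32HEX).lower()


def wildcard_proof_names(qname, rrsig_labels):
    """Names a validator needs when an answer was synthesized from a wildcard.

    The RRSIG Labels field is the label count of the wildcard's parent, the
    closest encloser. The next closer name is that plus one more label of
    the query name; an NSEC3 must cover its hash to prove no exact match.
    """
    labels = canonical_labels(qname)
    if rrsig_labels >= len(labels):
        raise ValueError("Labels field equals the name's label count: no wildcard")
    closest_encloser = ".".join(labels[-rrsig_labels:]) + "."
    next_closer = ".".join(labels[-(rrsig_labels + 1):]) + "."
    return {
        "closest_encloser": closest_encloser,
        "next_closer": next_closer,
        "wildcard": "*." + closest_encloser,
    }


def nsec3_covers(owner_hash, next_hash, target_hash):
    """True if target_hash lies strictly between an NSEC3's owner and next hash.

    base32hex strings of equal length sort like the underlying digests, so
    plain string comparison is enough. The last NSEC3 in the chain points
    back to the first (owner > next), so a target above the owner or below
    the next hash is covered there.
    """
    o, n, t = (h.lower() for h in (owner_hash, next_hash, target_hash))
    if o < n:
        return o < t < n
    return t > o or t < n


def demonstrate(qname=QNAME, rrsig_labels=RRSIG_LABELS,
                salt_hex=ASSUMED_SALT_HEX, iterations=ASSUMED_ITERATIONS):
    """Return the proof names for qname alongside their NSEC3 hashes."""
    names = wildcard_proof_names(qname, rrsig_labels)
    return {role: (name, nsec3_hash(name, salt_hex, iterations))
            for role, name in names.items()}


if __name__ == "__main__":
    for role, (name, digest) in demonstrate().items():
        print(f"{role:17} {name:26} {digest}")
```

The label-count check in wildcard_proof_names is what makes the example useful as a validator sketch: a Labels field equal to the query name's label count means a direct match, and in that case there is no wildcard proof to look for at all.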