[dns-operations] .net returning glue and NSEC3 records?

Blacka, David davidb at verisign.com
Mon Nov 7 20:39:05 UTC 2011


On Nov 7, 2011, at 2:40 PM, Paul Wouters wrote:

> 
> We noticed that .net is returning glue for items it also proves via NSEC3 that
> it does not exist?
> 

.net is using NSEC3 opt-out (note the flag set in the NSEC3 RRs).  Thus, the NSEC3 RRs aren't proving that the delegation doesn't exist, just that a secure delegation doesn't exist.  See RFC 5155, sections 3.1.2.1, 6 and 8.9.


> whois redirects to registrar which then fails, so I think the domain is valid, but
> have no proof.
> 
> $ dig +dnssec +cd ns lanzarote-immobilie.net. @a.gtld-servers.net.
> 
> ; <<>> DiG 9.7.0-P1 <<>> +dnssec +cd ns lanzarote-immobilie.net. @a.gtld-servers.net.
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26976
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 3
> ;; WARNING: recursion requested but not available
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 512
> ;; QUESTION SECTION:
> ;lanzarote-immobilie.net. IN NS
> 
> ;; AUTHORITY SECTION:
> lanzarote-immobilie.net. 172800	IN NS dns5.sistema-dns.com.
> lanzarote-immobilie.net. 172800	IN NS dns6.sistema-dns.com.
> A1RT98BS5QGC9NFI51S9HCI47ULJG6JH.net. 86400 IN NSEC3 1 1 0 - A2003PRAPCHMS9L1A11GMVJ0JNP84A46 NS SOA RRSIG DNSKEY NSEC3PARAM
> A1RT98BS5QGC9NFI51S9HCI47ULJG6JH.net. 86400 IN RRSIG NSEC3 8 2 86400 20111114104524 (
> 				20111107093524 41045 net.
> 				hdqXwxaYTRkEK7xTjPrQnLwkZ3CNCm6qbwsMBOSKcjjT
> 				RIyYWCe8pJJ5FE3TcqClarmHSaLsJH84OX6bJs5u/jTN
> 				CmDryzZs3YXrm7XEi+ZX7h2xGEgDwNTp8/CdM4+Y6nMa
> 				+Xdx+nIR+F89DHTBJ+5nCo026u3D9Dv2QF6LpDU= )
> 6MVJ05SNCJH2809G6OGGGH7J921VNJ7T.net. 86400 IN NSEC3 1 1 0 - 6OP5R34VLOJ3Q2K4NMIIGA7N5KBV10K5 NS DS RRSIG
> 6MVJ05SNCJH2809G6OGGGH7J921VNJ7T.net. 86400 IN RRSIG NSEC3 8 2 86400 20111114172404 (
> 				20111107161404 41045 net.
> 				JRDa3MJGxdnz1lFuFXWzITsONe74g/hltZWfpXxWlgQQ
> 				KwJVTM2an4r9YC0ujQjzCMvXXycqvbZW2n4OM985LNCE
> 				7qrYlGrS0AXZISO1Lp/4r0WRkEvsBKE/Mk71b9io1uCL
> 				9KKi7EeLf5WU8MbnXsLv/cFq8ZH+pSiq5IjcK2Y= )
> 
> ;; ADDITIONAL SECTION:
> dns5.sistema-dns.com.	172800 IN A 93.93.112.85
> dns6.sistema-dns.com.	172800 IN A 93.93.112.85
> 
> ;; Query time: 154 msec
> ;; SERVER: 2001:503:a83e::2:30#53(2001:503:a83e::2:30)
> ;; WHEN: Mon Nov  7 14:37:14 2011
> ;; MSG SIZE  rcvd: 622

--
David Blacka                          <davidb at verisign.com> 
Principal Engineer      Verisign Infrastructure Engineering
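
Added example (not part of the original message, and not Verisign's or any resolver's code): a Python sketch of how a validator reads the two NSEC3 RRs in the quoted dig output. It uses the parameters shown there ("1 1 0 -": SHA-1, flags 1, 0 iterations, empty salt); the function names are hypothetical, and classify() assumes the queried name is a direct child of the zone.

```python
import base64
import hashlib

# Map the standard base32 alphabet to base32hex, used in NSEC3 owner names.
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def nsec3_hash(name, salt=b"", iterations=0):
    """RFC 5155 section 5 hash, algorithm 1 (SHA-1), base32hex encoded."""
    labels = [l for l in name.lower().split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode("ascii")

def covers(owner, nxt, target):
    """True if target lies strictly between owner and next hash (with wrap)."""
    if owner < nxt:
        return owner < target < nxt
    return target > owner or target < nxt  # last NSEC3 in the chain

# The two NSEC3 RRs from the dig output quoted above, both "1 1 0 -":
# (owner hash, flags, next hashed owner, type bitmap)
NSEC3_RRS = [
    ("A1RT98BS5QGC9NFI51S9HCI47ULJG6JH", 1, "A2003PRAPCHMS9L1A11GMVJ0JNP84A46",
     {"NS", "SOA", "RRSIG", "DNSKEY", "NSEC3PARAM"}),
    ("6MVJ05SNCJH2809G6OGGGH7J921VNJ7T", 1, "6OP5R34VLOJ3Q2K4NMIIGA7N5KBV10K5",
     {"NS", "DS", "RRSIG"}),
]

def classify(qname, zone, rrs):
    """Hypothetical helper: read a referral's NSEC3 RRs for a child of zone."""
    apex, target = nsec3_hash(zone), nsec3_hash(qname)
    has_encloser = any(owner == apex for owner, _, _, _ in rrs)
    for owner, flags, nxt, types in rrs:
        if owner == target:
            return "secure delegation" if "DS" in types else "insecure delegation"
        if has_encloser and covers(owner, nxt, target):
            # Opt-Out is the low bit of the flags field (RFC 5155 3.1.2.1).
            if flags & 1:
                return "no secure delegation; an insecure one may exist"
            return "name does not exist"
    return "no usable proof"

if __name__ == "__main__":
    print(classify("lanzarote-immobilie.net.", "net.", NSEC3_RRS))
```

The first RR matches the hash of the zone apex (the closest encloser) and the second covers the hash of the queried name; only the Opt-Out flag separates "unsigned delegation may exist" from "name does not exist".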
