[dns-operations] .net returning glue and NSEC3 records?

Paul Wouters paul at xelerance.com
Mon Nov 7 20:55:07 UTC 2011


On Mon, 7 Nov 2011, Lutz Donnerhacke wrote:

>> We noticed that .net is returning glue for items it also proves via NSEC3
>> that it does not exist?
>
> Nope. They are returning the proof that they do not know the DS entry.

My query was for the NS record, not the DS record. While the same record might
prove the non-existence for NS and DS (see below), the query does not require
this proof.

>> lanzarote-immobilie.net. NS dns5.sistema-dns.com.
>> lanzarote-immobilie.net. NS dns6.sistema-dns.com.
>> A1RT98BS5QGC9NFI51S9HCI47ULJG6JH.net. NSEC3 1 1 0 - (
>>   A2003PRAPCHMS9L1A11GMVJ0JNP84A46 NS SOA RRSIG DNSKEY NSEC3PARAM)
>
> That proves that they do not have "*.net DS" in their zone.

I'm not sure if that's true. I do not understand what name that is
covering. It does not seem to prove the lack of wildcard?

[paul at bofh paul]$ ldns-nsec3-hash -a 1 -t 0  \*.net.
eeq8us1khjgl2lukhn4ojdcfmknl8etf.

>> 6MVJ05SNCJH2809G6OGGGH7J921VNJ7T.net. 86400 IN NSEC3 1 1 0 - (
>>    6OP5R34VLOJ3Q2K4NMIIGA7N5KBV10K5 NS DS RRSIG
>
> That proves that they do not have "lanzarote-immobilie.net DS".

[paul at bofh paul]$ ldns-nsec3-hash -a 1 -t 0  lanzarote-immobilie.net.
6obcru9hrlja0tvfoc2joa55ass7obvu.

It seems to prove they have no NS record, and yes, also prove they have
no DS record. So my question remains, why is .net serving NS glue for
domains that verifiably do not exist?

Paul
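An added worked example, not part of the thread, that reproduces the two ldns-nsec3-hash results above and checks which of the quoted .net NSEC3 records covers each hashed name (the wrap-around handling for the last record of the chain goes beyond what the thread shows):

```python
import hashlib

B32HEX = "0123456789abcdefghijklmnopqrstuv"

def b32hex(data: bytes) -> str:
    """Base32 with the extended-hex alphabet (RFC 4648), unpadded, lowercase."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)
    return "".join(B32HEX[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))

def wire_name(name: str) -> bytes:
    """Canonical (lowercase) wire-format owner name, as used for NSEC3 hashing."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_hash(name: str, salt: bytes = b"", iterations: int = 0) -> str:
    """RFC 5155 section 5: SHA-1 of (name || salt), re-hashed 'iterations' more times.
    Defaults match 'ldns-nsec3-hash -a 1 -t 0' with an empty salt, as in the thread."""
    h = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return b32hex(h)

def covers(owner_hash: str, next_hash: str, target_hash: str) -> bool:
    """True if target falls strictly between owner and next in the hashed chain."""
    o, n, t = owner_hash.lower(), next_hash.lower(), target_hash.lower()
    if o < n:
        return o < t < n
    return t > o or t < n  # last record of the chain wraps around to the first

# The two .net NSEC3 records quoted in the thread: (owner hash, next hash, type bitmap).
RECORDS = [
    ("A1RT98BS5QGC9NFI51S9HCI47ULJG6JH", "A2003PRAPCHMS9L1A11GMVJ0JNP84A46",
     "NS SOA RRSIG DNSKEY NSEC3PARAM"),
    ("6MVJ05SNCJH2809G6OGGGH7J921VNJ7T", "6OP5R34VLOJ3Q2K4NMIIGA7N5KBV10K5",
     "NS DS RRSIG"),
]

def covering_record(name: str):
    """Return the quoted record that proves 'name' absent (so it can hold neither
    NS nor DS), or None if neither record covers its hash."""
    h = nsec3_hash(name)
    for rec in RECORDS:
        if covers(rec[0], rec[1], h):
            return rec
    return None

if __name__ == "__main__":
    for n in ("lanzarote-immobilie.net.", "*.net."):
        print(n, nsec3_hash(n), covering_record(n))
```

Running it shows the second record covering lanzarote-immobilie.net and neither record covering the *.net wildcard hash, matching the observation in the reply above.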


