[dns-operations] .net returning glue and NSEC3 records?

Olafur Gudmundsson ogud at ogud.com
Mon Nov 7 21:28:47 UTC 2011

On 11/7/2011 3:55 PM, Paul Wouters wrote:
> On Mon, 7 Nov 2011, Lutz Donnerhacke wrote:
>>> We noticed that .net is returning glue for items it also proves via
>>> NSEC3
>>> that it does not exist?
>> Nope. They are returing the proof, that they do not know the DS entry.
> My query was for the NS record, not the DS record. While the same record
> might
> proof the non-existence for NS and DS (see below) the query does not
> require
> this proof.

DNSSEC/RFC403x requires that referral include a DS or NSEC proving that 
DS does not exist in the authority section.
NSEC3 w/o opt-in is identical in requirement to NSEC
NECE3 with Opt-in requires that the covering NSEC3 record be supplied to 
prove that
	a) the name does not have DS (exact match)
	b) The name is in an opt-in span. (no match i.e. name in opt-out span)

>>> lanzarote-immobilie.net. NS dns5.sistema-dns.com.
>>> lanzarote-immobilie.net. NS dns6.sistema-dns.com.
>>> A1RT98BS5QGC9NFI51S9HCI47ULJG6JH.net. NSEC3 1 1 0 - (
>> That proofs, that they do not have "*.net DS" in their zone.
See the string "1 1 0" that is "Hashalg=1, Flags=1, Iterations=0"
Flags=1 ==> Opt-in span.
Thus this NSEC3 record is here in its role as OPT-out proof.

> I'm not sure if that's true. I do not understand what name that has
> is covering. It does not seem to proof the lack of wildecard?
> [paul at bofh paul]$ ldns-nsec3-hash -a 1 -t 0 \*.net.
> eeq8us1khjgl2lukhn4ojdcfmknl8etf.
>>> 6MVJ05SNCJH2809G6OGGGH7J921VNJ7T.net. 86400 IN NSEC3 1 1 0 - (
>> That proofs, that they dow not have "lanzarote-immobilie.net DS".
> [paul at bofh paul]$ ldns-nsec3-hash -a 1 -t 0 lanzarote-immobilie.net.
> 6obcru9hrlja0tvfoc2joa55ass7obvu.
> It seems to proof they have no NS record, and yes also proof they have
> no DS record. So my question remains, why is .net serving NS glue for
> domains that verifiable do not exist?
> Paul

More information about the dns-operations mailing list