[dns-operations] .net returning glue and NSEC3 records?
marka at isc.org
Mon Nov 7 21:42:37 UTC 2011
In message <alpine.DEB.2.00.1111071544090.26001 at mail.xelerance.com>, Paul Woute
> On Mon, 7 Nov 2011, Lutz Donnerhacke wrote:
> >> We noticed that .net is returning glue for items it also proves via NSEC3
> >> that it does not exist?
> > Nope. They are returning the proof, that they do not know the DS entry.
> My query was for the NS record, not the DS record. While the same record might
> prove the non-existence for NS and DS (see below) the query does not require
> this proof.
Which requires a referral to be answered and along with the referral you
get the DS record for the delegation or a proof that it does not exist.
> >> lanzarote-immobilie.net. NS dns5.sistema-dns.com.
> >> lanzarote-immobilie.net. NS dns6.sistema-dns.com.
> >> A1RT98BS5QGC9NFI51S9HCI47ULJG6JH.net. NSEC3 1 1 0 - (
> >> A2003PRAPCHMS9L1A11GMVJ0JNP84A46 NS SOA RRSIG DNSKEY NSEC3PARAM)
> > That proves that they do not have "*.net DS" in their zone.
> I'm not sure if that's true. I do not understand what name that hash
> is covering. It does not seem to prove the lack of a wildcard?
> [paul at bofh paul]$ ldns-nsec3-hash -a 1 -t 0 \*.net.
> >> 6MVJ05SNCJH2809G6OGGGH7J921VNJ7T.net. 86400 IN NSEC3 1 1 0 - (
> >> 6OP5R34VLOJ3Q2K4NMIIGA7N5KBV10K5 NS DS RRSIG
> > That proves that they do not have "lanzarote-immobilie.net DS".
> [paul at bofh paul]$ ldns-nsec3-hash -a 1 -t 0 lanzarote-immobilie.net.
> It seems to prove they have no NS record, and yes also prove they have
> no DS record. So my question remains, why is .net serving NS glue for
> domains that verifiably do not exist?
They aren't. They are proving that there isn't a secure delegation
or in zone data in that range. If flags was zero then it would be
proving that the delegation does not exist.
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
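
The distinction drawn in this message, between an NSEC3 record that matches a name and one that only covers it with the opt-out flag set, as an added example that is not part of the original post. The function names are hypothetical; the two records are the ones quoted in the thread, and hashing follows RFC 5155 (SHA-1, with the thread's parameters of no salt and zero extra iterations as defaults).

```python
import base64
import hashlib

# Map the standard base32 alphabet onto base32hex (RFC 4648), which NSEC3 uses
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789ABCDEFGHIJKLMNOPQRSTUV")
OPT_OUT = 0x01  # NSEC3 flags bit 0 (RFC 5155)

def nsec3_hash(name, salt=b"", iterations=0):
    """RFC 5155 hash (algorithm 1, SHA-1) of a domain name, as base32hex."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):  # "iterations" counts the additional rounds
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode("ascii")

def covers(owner_hash, next_hash, h):
    """True if h falls strictly between owner and next in hash order."""
    o, n, h = owner_hash.upper(), next_hash.upper(), h.upper()
    if o < n:
        return o < h < n
    return h > o or h < n  # last NSEC3 in the chain wraps around

def meaning(flags, owner_hash, next_hash, h):
    """What one NSEC3 record says about a name whose hash is h."""
    if h.upper() == owner_hash.upper():
        return "matches: the type bitmap lists what exists at this name"
    if not covers(owner_hash, next_hash, h):
        return "unrelated: says nothing about this name"
    if flags & OPT_OUT:
        return "covered, opt-out: no secure delegation; an unsigned one may exist"
    return "covered: the name does not exist"

# The two NSEC3 records quoted in the thread (flags=1, iterations=0, no salt)
RECORDS = [
    (1, "A1RT98BS5QGC9NFI51S9HCI47ULJG6JH", "A2003PRAPCHMS9L1A11GMVJ0JNP84A46"),
    (1, "6MVJ05SNCJH2809G6OGGGH7J921VNJ7T", "6OP5R34VLOJ3Q2K4NMIIGA7N5KBV10K5"),
]

if __name__ == "__main__":
    for qname in ("lanzarote-immobilie.net.", "*.net.", "net."):
        h = nsec3_hash(qname)
        print(qname, h)
        for flags, owner, nxt in RECORDS:
            print("   ", owner[:8], "->", meaning(flags, owner, nxt, h))
```
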