[dns-operations] NS answer inconsistency between implementations for delegated zone
Lutz Donnerhacke
lutz at iks-jena.de
Fri Mar 16 17:16:39 UTC 2012
* Tony Finch wrote:
> Sure. Zone cuts are very subtle :-) The basic principle is that the parent
> zone is not authoritative for any data at or below the cut, except for the
> DNSSEC records (DS + RRSIG, NSEC + RRSIG).
Be careful: The parent zone is responsible for DS (+ RRSIG).
NSEC (+ RRSIG) exists authoritatively on both sides of the zone cut.
For example, querying for an insecure delegation shows both kinds of NSEC.
;; AUTHORITY SECTION:
; non-dnssec claim of nonexistence
com.br.                 SOA     a.dns.br. hostmaster.registro.br. (
                                2012031666 ; serial
                                1800       ; refresh (30 minutes)
                                900        ; retry (15 minutes)
                                604800     ; expire (1 week)
                                900        ; minimum (15 minutes)
                                )
com.br.                 RRSIG   SOA 7 2 172800 20120323163000 (
                                20120316163000 7461 com.br.
                                HRKmhQCUx2P28l0y5EmeIxtYi1+uJeI0qQjYPCZBgpEV
                                z9Wk9oQn0X/KHqCQ4X3JdRzCJYuC7lcY4hWBLqtQLHps
                                K8nsgsW++BpkiTjjw/3yoBGsr2snkw67b4bKM3hRvJVq
                                GlU54/c2WoL+iKlkKuy5R9tVk8iyeDKl4j6zy8M= )
; proof of nonexistence of the DS entry (parent side of the delegation)
20e6o8ev0ngfj3nq9c84pq3cd98ltuna.com.br. NSEC3 1 1 10 B6B56D69FD3D517B6F1F (
                                20EO548SBIDT8BV27T05E8I792PTAUCE
                                NS DS RRSIG )
20e6o8ev0ngfj3nq9c84pq3cd98ltuna.com.br. RRSIG NSEC3 7 3 900 20120323100000 (
                                20120316100000 7461 com.br.
                                N8rihTxtzTh9cw1AqgvvxYCBIRYdbxHuE7NP3zIDmTDM
                                6aQQTHmnMcbNu62eWjk+SNDigMaTP5ZEb/DWixUMRzkX
                                3Gwc8sChVGKFtiQq1Oxz9YVHSOFEwGfXFdnj1CAAkjKb
                                Lx+D4XwPGsH5VaTxcxmzfKjUl429GpNbZTgX4JY= )
; proof of nonexistence of the * entry (child side of com.br)
a3p275h0heofpluvkn8u05u4m31lpesp.com.br. NSEC3 1 1 10 B6B56D69FD3D517B6F1F (
                                A3P9CUSOD0Q7LR0QJKLQV4CNCCL8P3N8
                                NS SOA RRSIG DNSKEY NSEC3PARAM )
a3p275h0heofpluvkn8u05u4m31lpesp.com.br. RRSIG NSEC3 7 3 900 20120323100000 (
                                20120316100000 7461 com.br.
                                FUYjLH8X/yGE2VaZMGd7wmWSDuMnb4mUeXEtkgzyAIuH
                                SRtBan9PhusnGEpSndwFg2iUd9xxrDuwcbb/7csJOnou
                                zjvYLZkFA5KSfY0tLzHfIb0xNhp3SxIi2s1xT1vVDOts
                                OpilNgcSJH69791NpArZJsmlCfSh4LRvC8G8l70= )
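An added example, not part of the post above and not code from registro.br, that makes the two NSEC3 records in that response checkable: it implements the RFC 5155 NSEC3 hash (SHA-1 over the wire-format name plus salt, iterated) and the owner/next interval test, recomputes the hash of the com.br. apex with the salt and iteration count shown in the response, and compares it with the owner name of the second NSEC3, whose bitmap (SOA, NSEC3PARAM) can only belong to the apex. The name that was queried is not shown in the post, so the Opt-Out delegation proof (RFC 5155 section 8.9: closest encloser matched, next closer name covered by an Opt-Out NSEC3) is exercised with a hypothetical placeholder name; the RFC 5155 Appendix A values (zone example., salt aabbccdd, 12 iterations) serve as a self-check.

```python
"""NSEC3 hashing and denial-of-existence checks (RFC 5155).

Added example for the dns-operations post above; not code from the
original message or from registro.br. The COM_BR_* values are copied
from the com.br. response quoted in the post.
"""
import base64
import hashlib

# dig prints NSEC3 owner names in base32 with the "extended hex" alphabet
# (RFC 4648 section 7); Python only ships the standard alphabet, so translate.
_STD_ALPHABET = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_HEX_ALPHABET = b"0123456789ABCDEFGHIJKLMNOPQRSTUV"
_TO_BASE32HEX = bytes.maketrans(_STD_ALPHABET, _HEX_ALPHABET)


def b32hex(data: bytes) -> str:
    """Lowercase base32hex without padding, as it appears in NSEC3 owner names."""
    return base64.b32encode(data).translate(_TO_BASE32HEX).decode().rstrip("=").lower()


def wire_name(name: str) -> bytes:
    """Canonical (lowercase, uncompressed) wire format of a domain name."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label too long: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"  # root label terminator


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 section 5: H(x) = SHA-1(x || salt), applied iterations + 1 times.
    Hash algorithm 1 (SHA-1) is the only one defined for NSEC3."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return b32hex(digest)


def nsec3_covers(owner: str, next_hash: str, qhash: str) -> bool:
    """True if qhash lies strictly between owner and next on the hash ring,
    i.e. this NSEC3 proves that no name in the zone hashes to qhash. The
    last record in the chain points back to the first, so the interval may
    wrap around; a hash equal to owner or next is a match, not a cover."""
    owner, next_hash, qhash = owner.lower(), next_hash.lower(), qhash.lower()
    if owner < next_hash:
        return owner < qhash < next_hash
    return qhash > owner or qhash < next_hash


def proves_unsigned_delegation(qname, closest_encloser, ce_owner,
                               cov_owner, cov_next, cov_flags, salt_hex, iterations):
    """RFC 5155 section 8.9: a referral to an unsigned zone below an Opt-Out
    parent is proven by (1) an NSEC3 matching the closest encloser and (2) an
    NSEC3 with the Opt-Out flag (bit 0) set that covers the next closer name."""
    q_labels = qname.lower().rstrip(".").split(".")
    ce_labels = [l for l in closest_encloser.lower().rstrip(".").split(".") if l]
    if len(q_labels) <= len(ce_labels) or q_labels[len(q_labels) - len(ce_labels):] != ce_labels:
        raise ValueError("closest encloser must be a proper ancestor of qname")
    # next closer name: one label longer than the closest encloser
    next_closer = ".".join(q_labels[len(q_labels) - len(ce_labels) - 1:]) + "."
    ce_ok = nsec3_hash(closest_encloser, salt_hex, iterations) == ce_owner.lower()
    nc_ok = nsec3_covers(cov_owner, cov_next, nsec3_hash(next_closer, salt_hex, iterations))
    return ce_ok and nc_ok and bool(cov_flags & 1)


# Values copied from the com.br. response quoted in the post.
COM_BR_SALT = "B6B56D69FD3D517B6F1F"
COM_BR_ITERATIONS = 10
COM_BR_APEX_OWNER = "a3p275h0heofpluvkn8u05u4m31lpesp"    # bitmap NS SOA RRSIG DNSKEY NSEC3PARAM
COM_BR_OPTOUT_OWNER = "20e6o8ev0ngfj3nq9c84pq3cd98ltuna"  # flags 1 = Opt-Out
COM_BR_OPTOUT_NEXT = "20eo548sbidt8bv27t05e8i792ptauce"


def apex_hash_matches() -> bool:
    """The second NSEC3 carries SOA and NSEC3PARAM in its bitmap, so it can
    only be the zone apex: H(com.br.) must equal its owner name."""
    return nsec3_hash("com.br.", COM_BR_SALT, COM_BR_ITERATIONS) == COM_BR_APEX_OWNER


if __name__ == "__main__":
    print("H(com.br.) =", nsec3_hash("com.br.", COM_BR_SALT, COM_BR_ITERATIONS),
          "matches apex NSEC3:", apex_hash_matches())
    # The post does not show which name was queried; substitute it here to
    # check that the first NSEC3 really covers its next closer name.
    qname = "some-unsigned-delegation.com.br."  # hypothetical placeholder
    print(qname, "proven unsigned:", proves_unsigned_delegation(
        qname, "com.br.", COM_BR_APEX_OWNER,
        COM_BR_OPTOUT_OWNER, COM_BR_OPTOUT_NEXT, 1, COM_BR_SALT, COM_BR_ITERATIONS))
```

Replace the placeholder qname with the delegation that was actually queried and the second print line tells you whether the Opt-Out record really covers its next closer name; if the apex check prints False, either the salt or the iteration count was transcribed wrongly, since the owner of an apex NSEC3 is fixed by those two parameters alone.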