[dns-operations] DNSSEC Validation Errors with Wildcards

Mark Andrews marka at isc.org
Fri Oct 17 06:12:38 UTC 2014


In message <5440AF90.5050805 at birkenwald.de>, Bernhard Schmidt writes:
> Hi,
> 
> > The correct answer is NXDOMAIN based on the NSEC record which says
> > there is no records between _tcp.vdlc.nl and _autodiscover._tcp.vdlc.nl.
> > i.e. there is no wildcard record at *._tcp.vdlc.nl.
> > 
> > The problem is a wildcard processing server error.  It is generating
> > the wrong response code.  It is failing to account for the existence
> > of _tcp.vdlc.nl.
> 
> So ... a signing error, right?

No.  The server is generating the wrong answer.  The records
themselves are correctly signed.

These two ownernames exist in the zone.

	*.vdlc.nl
	_autodiscover._tcp.vdlc.nl

When you ask for _25._tcp.vdlc the wildcard record does NOT match
if the server is doing the correct thing and the response should
be NXDOMAIN.

The servers however are matching against *.vdlc.nl even though they
are not supposed to genenating a NOERROR NODATA response which is
then being rejected.

If one was to replace the server with one that processes wildcard
records correctly you wouldn't need to re-sign the zone.

> Is there any software(-version) known to have this misbehaviour? I will
> try to contact the operators of the broken zones.

Just tell them to contact their nameserver vendor for a fix.  Until
they get that fix they should remove the DS records for their zone
so that the bad answers stop causing operational problems for
everyone else.  Without the DS records validators will treat the
zone as insecure.  When they get their nameservers fixed they
should re-instate the DS records.

Mark

> Bernhard
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org



More information about the dns-operations mailing list