[dns-operations] coop. provides broken NSEC3 proofs of non-existence

Stephane Bortzmeyer bortzmeyer at nic.fr
Sun Oct 22 12:42:26 UTC 2017


On Sun, Oct 22, 2017 at 03:22:25PM +0400,
 Petr Špaček <petr.spacek at nic.cz> wrote 
 a message of 12 lines which said:

> for those who are debugging weird failures in DNSSEC validation, please
> note that NS for coop. TLD provide broken proofs of non-existence.

For those who want to experiment, sacfood.coop works,
southernstates.coop or ouvaton.coop do not (a second NSEC3 is
returned, wrongly proving the non-existence).

http://dnsviz.net/d/sacfood.coop/WeyH2g/dnssec/
http://dnsviz.net/d/ouvaton.coop/WexxZg/dnssec/
http://dnsviz.net/d/southernstates.coop/WeyJOQ/dnssec/

VIO232PS9SJ167JOCRD1I08DEQ3SABEJ is the hash of the apex.

Working domain (hash is 0AS8MC72C5R0NFV3FJ4B7EU9RDL58AKM)

vio232ps9sj167jocrd1i08deq3sabej.coop. 1867 IN NSEC3 1 1 1 - (
				2390B8INJROI3KN1N0Q11J71FVJ03OAO
				NS SOA RRSIG DNSKEY NSEC3PARAM )

(Just the closest encloser, RFC 5155, section 7.2.4.)

Non-working domain (hash is LN659PF5CJUNKFLV9C1GBS545RLE711K)

vio232ps9sj167jocrd1i08deq3sabej.coop. 1731 IN NSEC3 1 1 1 - (
				2390B8INJROI3KN1N0Q11J71FVJ03OAO
				NS SOA RRSIG DNSKEY NSEC3PARAM )
2390b8injroi3kn1n0q11j71fvj03oao.coop. 1731 IN NSEC3 1 1 1 - (
				VIO232PS9SJ167JOCRD1I08DEQ3SABEJ
				NS DS RRSIG )

IMHO, the second NSEC3 is the culprit. I notified the official
contacts (support at nic.coop, tld.ops at centralnic.com).

The Knot resolver (but not Unbound, BIND or Google Public DNS) thus
returns SERVFAIL (should they?)
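
An added example, not part of the original message: RFC 5155 hashing plus the match/cover interval check a validator runs over NSEC3 records, applied to the two records and the two query hashes quoted above. The hash values are copied from the message; the function names are illustrative.

```python
import base64
import hashlib

# RFC 4648 base32 -> base32hex alphabet; base32hex sorts like the raw hash bytes.
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def nsec3_hash(name, salt=b"", iterations=0):
    """RFC 5155 section 5: SHA-1 over the lowercased wire-format name plus salt,
    then `iterations` extra rounds; returned as base32hex."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode("ascii")

def relation(owner, nxt, h):
    """How one NSEC3 (owner hash, next hashed owner) relates to hash h."""
    owner, nxt, h = owner.upper(), nxt.upper(), h.upper()
    if h == owner:
        return "matches"
    if owner < nxt:
        covered = owner < h < nxt
    else:  # last record in the chain wraps around to the first
        covered = h > owner or h < nxt
    return "covers" if covered else None

def explain(records, h):
    """List (owner, relation) for every record that matches or covers h."""
    out = []
    for owner, nxt in records:
        rel = relation(owner, nxt, h)
        if rel:
            out.append((owner, rel))
    return out

# Values copied from the message above (the two NSEC3 records it quotes).
APEX = "VIO232PS9SJ167JOCRD1I08DEQ3SABEJ"
OTHER = "2390B8INJROI3KN1N0Q11J71FVJ03OAO"
CHAIN = [(APEX, OTHER), (OTHER, APEX)]
WORKING = "0AS8MC72C5R0NFV3FJ4B7EU9RDL58AKM"
NON_WORKING = "LN659PF5CJUNKFLV9C1GBS545RLE711K"

if __name__ == "__main__":
    for label, h in (("working", WORKING), ("non-working", NON_WORKING)):
        print(label, h, explain(CHAIN, h))
```

Hashes for other names under this zone's parameters (`1 1 1 -`: SHA-1, one extra iteration, empty salt) can be computed with `nsec3_hash(name, b"", 1)`.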


