[dns-operations] Akamai now works with ENT (Empty Non-Terminals)?

Peter van Dijk peter.van.dijk at powerdns.com
Mon Apr 15 22:16:14 UTC 2019

On 15 Apr 2019, at 22:05, Shumon Huque wrote:
> Ah, I see. I did some quick tests using yesterday and it was
> producing SERVFAIL for wildcard expanded positive responses too,
> assumed that it was related to the incorrect NSEC, and didn't bother 
> to
>  investigate further.
> Try dig @ blah.h4ha.net. A for example.
> With BIND/Unbound/Knot, this authenticates correctly. But I'd say that
> the reason is a bit more interesting than mundane. The apparent sole
> NSEC record in the zone, that is returned in the authority section of
> the response, although incorrect (because there is at least one other 
> name
> in the zone, the wildcard), accidentally causes the right thing to 
> happen:
> namely it also proves no explicit match and no closer wildcard match 
> of the
> name is possible.

PowerDNS also accepts it. My suspicions match yours :)

> Wonder why Google fails though? Is it determining that a wildcard 
> exists,
> and thus the NSEC record must be wrong ..

For context:
$ dig +dnssec blah.h4ha.net

; <<>> DiG 9.12.3-P4 <<>> +dnssec blah.h4ha.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14658
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1

; EDNS: version: 0, flags: do; udp: 4096
;blah.h4ha.net.			IN	A

blah.h4ha.net.		300	IN	A
blah.h4ha.net.		300	IN	RRSIG	A 13 2 300 20190425000000 20190404000000 
39543 h4ha.net. RVUeiqgWhB9TaUwlJBqtEkqTa5QbL+jty4JluMmtFp+ttTWG4N7GFTck 

h4ha.net.		3600	IN	NSEC	h4ha.net. A NS SOA RRSIG NSEC DNSKEY CAA
h4ha.net.		3600	IN	RRSIG	NSEC 13 2 3600 20190425000000 20190404000000 
39543 h4ha.net. MykC0Gl+N7t1JQP3XPRl7qL4izW9gkHh3yUce0fhti9pOIsUbAkwz4Ms 

;; Query time: 229 msec
;; WHEN: Mon Apr 15 23:30:23 CEST 2019
;; MSG SIZE  rcvd: 300

The response contains the asked-for A record. The (cryptographically 
valid) RRSIG over that mentions off-hand that it was expanded from a 
wildcard. An NSEC is included that says that ‘blah’ does not exist. 
I believe that that is a conclusion that a validator is allowed to jump 

However, the NSEC does prove that the wildcard itself does not exist and 
thus the answer makes no sense. I believe that that is also a conclusion 
that a validator is allowed to end up with, and it looks like that is 
what Google is doing.

Kind regards,
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/

More information about the dns-operations mailing list