[dns-operations] broken insecure NSEC3 denials from some .pl servers
Peter van Dijk
peter.van.dijk at powerdns.com
Tue Feb 26 13:07:29 UTC 2019
(Daniel Stirnimann at SWITCH has already emailed the tech contact at
https://www.iana.org/domains/root/db/pl.html about this, this mail is
for your information)
Hello,
We have been getting reports of validation failures for unsigned .pl
domains these last few days. Upon investigation, we found that some of
their auths are serving the wrong NSEC3 records for the denial.
Examples:
* https://gist.github.com/Habbie/076daf6c206029aaeae5e01cc4118e60
* http://dnsviz.net/d/sassc.home.pl/dnssec/
* http://dnsviz.net/d/etop.pl/dnssec/
Daniel tells me this looks like a bug in older NSD versions (fixed
since!) that he’s seen occur after rolling the NSEC3 salt.
If anybody happens to have archives of older (last few weeks) NSEC3s or
NSEC3PARAMs from .pl, those would be interesting to look at to verify
the salt roll bug suspicion.
Kind regards,
--
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
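An added illustration of the failure class described above (not code from the mail, from PowerDNS, or from NSD): a validator-side check that computes NSEC3 owner hashes per RFC 5155 and decides whether a set of NSEC3 RRs actually proves an unsigned delegation, i.e. an NSEC3 matching the delegation's hash with NS but no DS, or an opt-out NSEC3 covering it. The sample records are constructed; the "wrong" response shows the shape of a bogus result (an NSEC3 for a different name was returned) and is not a claim about what the .pl auths sent. The salt/iterations values are the RFC 5155 Appendix A test parameters; the type bitmaps and placeholder next-hash are assumptions.

```python
import base64
import hashlib
from dataclasses import dataclass

# NSEC3 owner labels are base32hex (RFC 4648 "Extended Hex"); Python's b32encode
# uses the standard alphabet, so each output character is re-mapped.
_B32_TO_B32HEX = str.maketrans(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV"
)


def wire_name(name: str) -> bytes:
    """Canonical wire form: lowercase, length-prefixed labels, terminating root byte."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 section 5: SHA-1(name || salt), then `iterations` more rounds of SHA-1(h || salt)."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20 bytes encode to exactly 32 base32 characters, so there is no padding to strip.
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()


@dataclass(frozen=True)
class NSEC3:
    """One NSEC3 RR as a validator sees it; hashes are lowercase base32hex labels."""
    owner_hash: str
    next_hash: str
    salt: bytes
    iterations: int
    types: frozenset
    opt_out: bool = False


def covers(rr: NSEC3, h: str) -> bool:
    """True if h lies strictly between owner and next; the last RR in the chain wraps to the first."""
    if rr.owner_hash < rr.next_hash:
        return rr.owner_hash < h < rr.next_hash
    return h > rr.owner_hash or h < rr.next_hash


def check_insecure_delegation(qname: str, rrs: list) -> tuple:
    """Do these NSEC3 RRs prove qname is a delegation without a DS record?

    Returns (verdict, reason). Validators hash with each RR's own salt and
    iterations (RFC 5155 section 8), so a response mixing parameter sets is
    noted as a warning rather than silently accepted.
    """
    notes = []
    if len({(rr.salt, rr.iterations) for rr in rrs}) > 1:
        notes.append("mixed salt/iterations in one response")
    for rr in rrs:
        h = nsec3_hash(qname, rr.salt, rr.iterations)
        if rr.owner_hash == h:
            if "NS" in rr.types and "DS" not in rr.types:
                return True, "matching NSEC3 has NS and no DS"
            return False, "matching NSEC3 has an unexpected type bitmap: " + ",".join(sorted(rr.types))
        if rr.opt_out and covers(rr, h):
            return True, "opt-out NSEC3 covers the delegation"
    notes.append("no NSEC3 matches or covers the hashed name")
    return False, "; ".join(notes)


# Constructed sample data (RFC 5155 Appendix A salt/iterations, everything else assumed).
SALT = bytes.fromhex("aabbccdd")
ITER = 12
ZONE, DELEGATION = "example.", "a.example."
NEXT_PLACEHOLDER = "v" * 32  # assumed next-hash; only ordering matters for this demo

# Correct answer: the NSEC3 whose owner is H(a.example) carries NS but not DS.
GOOD = [NSEC3(nsec3_hash(DELEGATION, SALT, ITER), NEXT_PLACEHOLDER, SALT, ITER,
              frozenset({"NS", "RRSIG"}))]

# Wrong answer: the auth returned the apex NSEC3 (owner = H(example.)), which neither
# matches the delegation's hash nor is opt-out, so the denial cannot be validated.
WRONG = [NSEC3(nsec3_hash(ZONE, SALT, ITER), NEXT_PLACEHOLDER, SALT, ITER,
               frozenset({"NS", "SOA", "DNSKEY", "NSEC3PARAM", "RRSIG"}))]

if __name__ == "__main__":
    print("H(example.) =", nsec3_hash(ZONE, SALT, ITER))
    print("good response:", check_insecure_delegation(DELEGATION, GOOD))
    print("wrong response:", check_insecure_delegation(DELEGATION, WRONG))
```

Run it with a zone's real NSEC3PARAM salt and the NSEC3 RRs from a captured referral, and the reason string tells you whether the denial failed because the hash does not match, because the type bitmap is wrong, or because the response mixes parameter sets, which is the symptom to look for if a stale post-salt-roll chain is suspected.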