[dns-operations] broken insecure NSEC3 denials from some .pl servers

Peter van Dijk peter.van.dijk at powerdns.com
Tue Feb 26 13:07:29 UTC 2019

(Daniel Stirnimann at SWITCH has already emailed the tech contact at 
https://www.iana.org/domains/root/db/pl.html about this, this mail is 
for your information)


We have been getting reports of validation failures for unsigned .pl 
domains these last few days. Upon investigation, we found that some of 
their auths are serving the wrong NSEC3 records for the denial.

* https://gist.github.com/Habbie/076daf6c206029aaeae5e01cc4118e60
* http://dnsviz.net/d/sassc.home.pl/dnssec/
* http://dnsviz.net/d/etop.pl/dnssec/

Daniel tells me this looks like a bug in older NSD versions (fixed 
since!) that he’s seen occur after rolling the NSEC3 salt.

If anybody happens to have archives of older (last few weeks) NSEC3s or 
NSEC3PARAMs from .pl, those would be interesting to look at to verify 
the salt roll bug suspicion.

Kind regards,
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
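The denial-of-existence check that is failing for these .pl names is the NSEC3 logic of RFC 5155: hash the query name and its ancestors with the zone's salt and iteration count, find the closest encloser among the NSEC3 owner names, and confirm that the next-closer name and the wildcard under the closest encloser each fall inside an NSEC3 interval. The script below is an added example for this post, not code from the original mail, from PowerDNS or from NSD. It implements that hashing and name-error proof over the sample zone of RFC 5155 Appendix A (salt aabbccdd, 12 iterations, hashed owner names copied from the RFC), and then re-runs the same proof with a different, made-up salt (deadbeef, an assumption for illustration) to show why records hashed under another salt, as suspected after a salt roll, prove nothing. The DS denial for an unsigned delegation uses the same hashing and covering logic plus a check of the Opt-Out flag, which this example leaves out.

```python
"""NSEC3 (RFC 5155) hashing and a minimal name-error proof check.

Added example for the dns-operations post above; not code from the post,
PowerDNS or NSD.  Sample data: hashed owner names of the RFC 5155 Appendix A
zone "example" (salt aabbccdd, 12 iterations), typed in by hand.
"""
import base64
import hashlib

# RFC 4648 base32 vs. the "extended hex" alphabet NSEC3 uses (base32hex).
_B32_STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_B32_HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV"
_TO_HEX = str.maketrans(_B32_STD, _B32_HEX)


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercased) wire form: length-prefixed labels plus root byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 section 5: SHA-1(x || salt), re-hashed 'iterations' more times,
    encoded as unpadded lowercase base32hex (20 bytes -> 32 characters)."""
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode().translate(_TO_HEX).rstrip("=").lower()


def covers(owner: str, next_hash: str, h: str) -> bool:
    """True if hashed name h lies strictly inside the (owner, next) gap.
    The last NSEC3 in a chain points back to the first, so its gap wraps around."""
    owner, next_hash, h = owner.lower(), next_hash.lower(), h.lower()
    if owner < next_hash:
        return owner < h < next_hash
    return h > owner or h < next_hash


def prove_name_error(qname, zone, salt_hex, iterations, chain):
    """RFC 5155 section 8.4: walk up from qname until an ancestor's hash matches an
    NSEC3 owner (the closest encloser); then the next-closer name and the wildcard
    child of the closest encloser must each be covered by some NSEC3 gap.
    Returns the closest encloser on success, None if the records prove nothing."""
    owners = {owner for owner, _ in chain}
    labels = qname.lower().rstrip(".").split(".")
    zone_depth = len(zone.lower().rstrip(".").split("."))
    for i in range(1, len(labels) - zone_depth + 1):
        candidate = ".".join(labels[i:])
        if nsec3_hash(candidate, salt_hex, iterations) in owners:
            closest, next_closer = candidate, ".".join(labels[i - 1:])
            break
    else:
        return None  # no closest encloser: records hashed with other parameters?

    def is_covered(name):
        h = nsec3_hash(name, salt_hex, iterations)
        return any(covers(owner, nxt, h) for owner, nxt in chain)

    if is_covered(next_closer) and is_covered("*." + closest):
        return closest
    return None


# Hashed owner names of the RFC 5155 Appendix A zone (copied from the RFC);
# each record's "next hashed owner" is simply the next owner in hash order.
_OWNERS = sorted([
    "0p9mhaveqvm6t7vbl5lop2u3t2rp3tom",  # example (apex)
    "2t7b4g4vsa5smi47k61mv5bv1a22bojr",  # a.example
    "2vptu5timamqttgl4luu9kg21e0aor3s",  # ns1.example
    "35mthgpgcu1qg68fab165klnsnk3dpvl",  # c.example
    "b4um86eghhds6nea196smvmlo4ors995",  # x.w.example
    "gjeqe526plbf1g8mklp59enfd789njgi",  # ai.example
    "ji6neoaepv8b5o6k4ev33abha8ht9fgc",  # y.w.example (empty non-terminal)
    "k8udemvp1j2f7eg6jebps17vp3n8i58h",  # w.example
    "kohar7mbb8dc2ce8a9qvl8hon4k53uhi",  # x.y.w.example
    "q04jkcevqvmu85r014c7dkba38o0ji5r",  # ns2.example
    "r53bq7cc2uvmubfu5ocmm6pers9tk9en",  # *.w.example
    "t644ebqk9bibcna874givr6joj62mlhv",  # xx.example
])
RFC5155_CHAIN = [(o, _OWNERS[(i + 1) % len(_OWNERS)]) for i, o in enumerate(_OWNERS)]


if __name__ == "__main__":
    print("hash(example) =", nsec3_hash("example", "aabbccdd", 12))
    # Correct parameters: the chain proves a.c.x.w.example does not exist.
    print(prove_name_error("a.c.x.w.example", "example", "aabbccdd", 12, RFC5155_CHAIN))
    # Same records checked under a different salt (deadbeef is a made-up value):
    # nothing matches or covers, so the "denial" is bogus, as after a botched salt roll.
    print(prove_name_error("a.c.x.w.example", "example", "deadbeef", 12, RFC5155_CHAIN))
```

The second proof run is the situation the reports describe from the validator's side: the NSEC3 records in the answer are well formed, but because their hashes were produced under different parameters, no owner matches an ancestor of the query name and no interval can be shown to cover it, so the resolver returns a validation failure rather than treating the name as insecure.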
