[dns-operations] NSEC chains that omit wildcards.
Peter van Dijk
peter.van.dijk at powerdns.com
Thu May 2 12:03:15 UTC 2019
Hello Viktor,
On 25 Apr 2019, at 20:51, Viktor Dukhovni wrote:
> On Sun, Apr 14, 2019 at 02:54:18PM -0400, Viktor Dukhovni wrote:
>
> But it seems that similar issues still crop up from time to time
> at other providers. It looks like some versions of PowerDNS (?
> telltale RRSIG inception midnight Thursday) are, or were (if
> outdated), too easily misconfigured to not include the wildcard in
> the zone's NSEC chain. Today's case in point is firestorm.ch.
It’s most likely that the zones are misconfigured to not include
anything besides the apex in their NSEC chain. It just so happens that
for a lot of zones, the only thing besides the apex is the wildcard.
> Does anyone know whether the issue is outdated software (is an
> upgrade required),
No (although we’ve had a couple of small bugs in the NSEC department
in the past).
> operator negligence (explicitly incorrect configuration)
Yes. When running PowerDNS from an SQL backend, some metadata is
required on each record (specifically, the ‘ordername’ that becomes
part of the NSEC chain). This metadata can be set automatically if the
record is edited via our REST API (in recent versions). It is not set
automatically if the user uses SQL to insert records. In that case,
‘pdnsutil rectify-zone’ will add the right metadata. So, operators
that insist on doing ‘manual’ SQL need to also set the ordername
column, or run rectify-zone after their edits.
As for telltale signs, whenever you see this issue, it also tells you
that the machine you are talking to is running with an SQL backend, and
has received the zone over some mechanism -other than AXFR-. If it was
received over AXFR, the ordername metadata would be correct and you
would not see the issue.
Kind regards,
--
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
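The following is an added example, not part of this thread and not PowerDNS code. It shows, offline and in plain Python, the two things the discussion above turns on: the canonical ordering (RFC 4034 section 6.1) from which an NSEC chain is built, and what a validator concludes when a zone's chain contains only the apex. Given a chain as (owner, next) pairs it reports whether a name (the wildcard in particular, but any name) is present, denied, or not proven, and flags the apex-only chain Peter describes as the telltale of an unrectified SQL-backend zone. The `ordername` helper mirrors the reversed, space-separated relative labels that `pdnsutil rectify-zone` writes for NSEC zones; that format is stated here as an assumption, and `example.com`, the names in `NAMES`, and both chains are constructed sample data.

```python
"""Offline NSEC chain checks (added example; not from the thread or PowerDNS)."""


def _labels(name):
    """Lowercased labels of an owner name, root label dropped ([] for the root)."""
    name = name.lower().rstrip(".")
    return name.split(".") if name else []


def canonical_key(name):
    """Sort key for RFC 4034 section 6.1 canonical ordering: labels compared
    from the right, case-insensitively, as byte strings; a name sorts before
    any of its descendants (tuple prefix ordering gives exactly that)."""
    return tuple(lbl.encode("ascii") for lbl in reversed(_labels(name)))


def ordername(name, zone):
    """PowerDNS-style 'ordername' for an NSEC zone: relative labels, reversed,
    joined by spaces; "" for the apex. Assumption: this is the format that
    pdnsutil rectify-zone writes, so verify against a real install."""
    nl, zl = _labels(name), _labels(zone)
    if len(nl) < len(zl) or nl[len(nl) - len(zl):] != zl:
        raise ValueError(f"{name} is not in zone {zone}")
    return " ".join(reversed(nl[:len(nl) - len(zl)]))


def build_nsec_chain(names):
    """NSEC chain as (owner, next) pairs for a complete set of owner names,
    canonically sorted, with the last record pointing back to the apex."""
    ordered = sorted(set(names), key=canonical_key)
    return [(ordered[i], ordered[(i + 1) % len(ordered)]) for i in range(len(ordered))]


def nsec_covers(owner, nxt, qname):
    """True if NSEC owner->next proves qname does not exist (RFC 4035 5.4):
    qname sorts strictly between them; the last NSEC (next <= owner, i.e. it
    wraps to the apex) covers everything that sorts after its owner."""
    o, n, q = canonical_key(owner), canonical_key(nxt), canonical_key(qname)
    if n <= o:
        return q > o or q < n
    return o < q < n


def chain_status(chain, qname):
    """'present' if qname owns an NSEC, 'denied' if some NSEC covers it,
    otherwise 'not_proven' (chain incomplete or inconsistent)."""
    if any(canonical_key(o) == canonical_key(qname) for o, _ in chain):
        return "present"
    if any(nsec_covers(o, n, qname) for o, n in chain):
        return "denied"
    return "not_proven"


def wildcard_problem(chain, zone):
    """The failure mode in the thread: answers are synthesised from *.zone,
    but the served NSEC chain proves *.zone does not exist, so a validating
    resolver rejects the (otherwise correctly signed) wildcard expansion."""
    return chain_status(chain, "*." + zone) == "denied"


def apex_only(chain):
    """Telltale of an unrectified SQL-backend zone: a single NSEC from the
    apex to itself, denying every other name including the wildcard."""
    return len(chain) == 1 and canonical_key(chain[0][0]) == canonical_key(chain[0][1])


# Constructed sample data (not real zone contents).
ZONE = "example.com"
NAMES = ["example.com", "*.example.com", "www.example.com", "mail.example.com"]
GOOD_CHAIN = build_nsec_chain(NAMES)          # what a rectified zone serves
BROKEN_CHAIN = [("example.com", "example.com")]  # apex only: ordername never set

if __name__ == "__main__":
    for name in NAMES:
        print(f"{name:20} ordername={ordername(name, ZONE)!r}")
    for label, chain in (("good", GOOD_CHAIN), ("broken", BROKEN_CHAIN)):
        print(label, chain, "wildcard:", chain_status(chain, "*." + ZONE),
              "apex-only:", apex_only(chain), "problem:", wildcard_problem(chain, ZONE))
```

When you see this in the wild, the chain handed back for an NXDOMAIN query against a zone that also answers wildcard-expanded records is the thing to inspect: an NSEC whose owner and next name are both the apex is the signature of records inserted by hand without `ordername`, and running `pdnsutil rectify-zone` (or inserting through the REST API) turns `BROKEN_CHAIN` into `GOOD_CHAIN`.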