[dns-operations] Inconsistent NSEC response for unsigned zone from AWS

Lu, Gary garylu at amazon.com
Sat Jul 31 03:00:36 UTC 2021 

Thank you very much for the report, Puneet.

Just to close this topic out, Route 53 have now deployed a fix globally.



Gary



On Mon, Jun 21, 2021 at 4:55 PM Puneet Sood via dns-operations <

dns-operations at dns-oarc.net<https://lists.dns-oarc.net/mailman/listinfo/dns-operations>> wrote:



>

>

>

> ---------- Forwarded message ----------

> From: Puneet Sood <puneets at google.com<https://lists.dns-oarc.net/mailman/listinfo/dns-operations>>

> To: dns-operations <dns-operations at dns-oarc.net<https://lists.dns-oarc.net/mailman/listinfo/dns-operations>>

> Cc:

> Bcc:

> Date: Mon, 21 Jun 2021 19:45:44 -0400

> Subject: Inconsistent NSEC response for unsigned zone from AWS

> Hello dnssec experts,

>

> I am noticing an inconsistent NSEC response in a delegation. Depending

> on the RR type specified in the query the response includes NS in the

> set of RR types in the NSEC RR proving the absence of the <name>/DS

> record. Is this behavior below within what nameservers can return?

> Ideally all cases will list the NS RR type in the NSEC record.

>

> I suspect the absence of NS in the NSEC is confusing our NSEC checking

> logic. Validation is working correctly but in a suboptimal fashion.

>

> **** Example domain: corp.ibexglobal.com

>

> $ dig ns corp.ibexglobal.com +short

> ns-1415.awsdns-48.org.

> ns-1804.awsdns-33.co.uk.

> ns-29.awsdns-03.com.

> ns-945.awsdns-54.net.

>

> **** With type NS, NS not included in NSEC RR.

>

> $ dig corp.ibexglobal.com -t NS +dnssec +nocrypto +nocomment

> @ns-725.awsdns-26.net.

>

> ;corp.ibexglobal.com.           IN      NS

> corp.ibexglobal.com.    172800  IN      NS      ns-1415.awsdns-48.org.

> corp.ibexglobal.com.    172800  IN      NS      ns-1804.awsdns-33.co.uk.

> corp.ibexglobal.com.    172800  IN      NS      ns-29.awsdns-03.com.

> corp.ibexglobal.com.    172800  IN      NS      ns-945.awsdns-54.net.

> corp.ibexglobal.com.    86400   IN      NSEC

> \000.corp.ibexglobal.com. RRSIG NSEC

> corp.ibexglobal.com.    86400   IN      RRSIG   NSEC 13 3 86400

> 20210623002754 20210621222754 36517 ibexglobal.com. [omitted]

>

> **** With type DS or A, NS included in NSEC RR.

>

> $ dig corp.ibexglobal.com -t A +dnssec +nocrypto +nocomment

> @ns-725.awsdns-26.net.

> ;corp.ibexglobal.com.           IN      A

> corp.ibexglobal.com.    172800  IN      NS      ns-1415.awsdns-48.org.

> corp.ibexglobal.com.    172800  IN      NS      ns-1804.awsdns-33.co.uk.

> corp.ibexglobal.com.    172800  IN      NS      ns-29.awsdns-03.com.

> corp.ibexglobal.com.    172800  IN      NS      ns-945.awsdns-54.net.

> corp.ibexglobal.com.    86400   IN      NSEC

> \000.corp.ibexglobal.com. NS RRSIG NSEC

> corp.ibexglobal.com.    86400   IN      RRSIG   NSEC 13 3 86400

> 20210623002809 20210621222809 36517 ibexglobal.com. [omitted]

>

> $ dig corp.ibexglobal.com -t DS +dnssec +nocrypto +nocomment

> @ns-725.awsdns-26.net.

> ;corp.ibexglobal.com.           IN      DS

> ibexglobal.com.         900     IN      SOA     ns-380.awsdns-47.com.

> awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400

> ibexglobal.com.         900     IN      RRSIG   SOA 13 2 900

> 20210622004320 20210621222820 36517 ibexglobal.com. [omitted]

> corp.ibexglobal.com.    86400   IN      NSEC

> \000.corp.ibexglobal.com. NS RRSIG NSEC

> corp.ibexglobal.com.    86400   IN      RRSIG   NSEC 13 3 86400

> 20210623002820 20210621222820 36517 ibexglobal.com. [omitted]

>

> Thanks,

> Puneet

>

>

>

> ---------- Forwarded message ----------

> From: Puneet Sood via dns-operations <dns-operations at dns-oarc.net<https://lists.dns-oarc.net/mailman/listinfo/dns-operations>>

> To: dns-operations <dns-operations at dns-oarc.net<https://lists.dns-oarc.net/mailman/listinfo/dns-operations>>

> Cc:

> Bcc:

> Date: Mon, 21 Jun 2021 19:45:44 -0400

> Subject: [dns-operations] Inconsistent NSEC response for unsigned zone

> from AWS

> _______________________________________________

> dns-operations mailing list

> dns-operations at lists.dns-oarc.net<https://lists.dns-oarc.net/mailman/listinfo/dns-operations>

> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

>


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20210731/4ab71699/attachment.html>

More information about the dns-operations mailing list