Inconsistent NSEC response for unsigned zone from AWS
Puneet Sood
puneets at google.com
Mon Jun 21 23:45:44 UTC 2021
Hello dnssec experts,
I am noticing an inconsistent NSEC response in a delegation. Depending
on the RR type specified in the query the response includes NS in the
set of RR types in the NSEC RR proving the absence of the <name>/DS
record. Is this behavior below within what nameservers can return?
Ideally all cases will list the NS RR type in the NSEC record.
I suspect the absence of NS in the NSEC is confusing our NSEC checking
logic. Validation is working correctly but in a suboptimal fashion.
**** Example domain: corp.ibexglobal.com
$ dig ns corp.ibexglobal.com +short
ns-1415.awsdns-48.org.
ns-1804.awsdns-33.co.uk.
ns-29.awsdns-03.com.
ns-945.awsdns-54.net.
**** With type NS, NS not included in NSEC RR.
$ dig corp.ibexglobal.com -t NS +dnssec +nocrypto +nocomment @ns-725.awsdns-26.net.
;corp.ibexglobal.com. IN NS
corp.ibexglobal.com. 172800 IN NS ns-1415.awsdns-48.org.
corp.ibexglobal.com. 172800 IN NS ns-1804.awsdns-33.co.uk.
corp.ibexglobal.com. 172800 IN NS ns-29.awsdns-03.com.
corp.ibexglobal.com. 172800 IN NS ns-945.awsdns-54.net.
corp.ibexglobal.com. 86400 IN NSEC
\000.corp.ibexglobal.com. RRSIG NSEC
corp.ibexglobal.com. 86400 IN RRSIG NSEC 13 3 86400
20210623002754 20210621222754 36517 ibexglobal.com. [omitted]
**** With type DS or A, NS included in NSEC RR.
$ dig corp.ibexglobal.com -t A +dnssec +nocrypto +nocomment @ns-725.awsdns-26.net.
;corp.ibexglobal.com. IN A
corp.ibexglobal.com. 172800 IN NS ns-1415.awsdns-48.org.
corp.ibexglobal.com. 172800 IN NS ns-1804.awsdns-33.co.uk.
corp.ibexglobal.com. 172800 IN NS ns-29.awsdns-03.com.
corp.ibexglobal.com. 172800 IN NS ns-945.awsdns-54.net.
corp.ibexglobal.com. 86400 IN NSEC
\000.corp.ibexglobal.com. NS RRSIG NSEC
corp.ibexglobal.com. 86400 IN RRSIG NSEC 13 3 86400
20210623002809 20210621222809 36517 ibexglobal.com. [omitted]
$ dig corp.ibexglobal.com -t DS +dnssec +nocrypto +nocomment @ns-725.awsdns-26.net.
;corp.ibexglobal.com. IN DS
ibexglobal.com. 900 IN SOA ns-380.awsdns-47.com.
awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
ibexglobal.com. 900 IN RRSIG SOA 13 2 900
20210622004320 20210621222820 36517 ibexglobal.com. [omitted]
corp.ibexglobal.com. 86400 IN NSEC
\000.corp.ibexglobal.com. NS RRSIG NSEC
corp.ibexglobal.com. 86400 IN RRSIG NSEC 13 3 86400
20210623002820 20210621222820 36517 ibexglobal.com. [omitted]
Thanks,
Puneet
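The check a validator applies to the NSEC records above is spelled out in RFC 6840 section 4.4 (Insecure Delegation Proofs): the NSEC that proves the absence of DS at a delegation must also have the NS bit set and the SOA bit clear, otherwise it does not prove that the name is a delegation at all. The script below is an added example, not code from the post, from Google Public DNS or from AWS; it parses the three NSEC records quoted in the message in dig presentation format and reports which of them satisfies that proof for corp.ibexglobal.com/DS. The function and variable names (`parse_nsec`, `check_no_ds_proof`, `POSTED_NSECS`) and the short problem codes it returns are assumptions of this example.

```python
"""Check NSEC type bitmaps for an insecure-delegation (no DS) proof.

RFC 6840 section 4.4: the NSEC (or NSEC3) RR that proves the absence of DS
at a delegation point MUST have the NS bit set and MUST NOT have the SOA or
DS bit set. An NSEC whose bitmap lacks NS does not prove a delegation, so a
validator cannot treat the child as insecurely delegated on that evidence.
"""
from dataclasses import dataclass


def _canon(name: str) -> str:
    """Lower-case a domain name and make it fully qualified (trailing dot)."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


@dataclass(frozen=True)
class NSEC:
    owner: str
    ttl: int
    next_name: str
    types: frozenset  # upper-cased RR type mnemonics from the type bitmap


def parse_nsec(presentation: str) -> NSEC:
    """Parse one dig-style line: '<owner> <ttl> IN NSEC <next> <type> ...'."""
    fields = presentation.split()
    if len(fields) < 5 or fields[2].upper() != "IN" or fields[3].upper() != "NSEC":
        raise ValueError(f"not an NSEC record: {presentation!r}")
    owner, ttl, _cls, _rrtype, next_name, *types = fields
    return NSEC(_canon(owner), int(ttl), _canon(next_name),
                frozenset(t.upper() for t in types))


def check_no_ds_proof(nsec: NSEC, qname: str) -> list:
    """Return a list of problem codes; an empty list means the NSEC proves
    that qname is an insecure delegation (exists, has NS, has no DS or SOA)."""
    problems = []
    # The NSEC must be owned by the delegation name itself; an NSEC that
    # merely "covers" qname proves non-existence, which is a different proof.
    if nsec.owner != _canon(qname):
        return ["owner-mismatch"]
    if "DS" in nsec.types:
        problems.append("ds-present")        # zone is signed at the child: not a no-DS case
    if "NS" not in nsec.types:
        problems.append("ns-bit-missing")    # RFC 6840 4.4: cannot prove a delegation
    if "SOA" in nsec.types:
        problems.append("soa-bit-set")       # would be the apex, not a delegation
    return problems


# The three NSEC records quoted in the message above, keyed by the query
# type that elicited them (line-wrapped in the mail, joined here).
POSTED_NSECS = {
    "NS": "corp.ibexglobal.com. 86400 IN NSEC \\000.corp.ibexglobal.com. RRSIG NSEC",
    "A":  "corp.ibexglobal.com. 86400 IN NSEC \\000.corp.ibexglobal.com. NS RRSIG NSEC",
    "DS": "corp.ibexglobal.com. 86400 IN NSEC \\000.corp.ibexglobal.com. NS RRSIG NSEC",
}


def audit_posted_responses(qname: str = "corp.ibexglobal.com") -> dict:
    """Map each query type to the problems found in the NSEC it returned."""
    return {qtype: check_no_ds_proof(parse_nsec(rr), qname)
            for qtype, rr in POSTED_NSECS.items()}


if __name__ == "__main__":
    for qtype, problems in audit_posted_responses().items():
        status = "OK" if not problems else "FAIL (" + ", ".join(problems) + ")"
        print(f"qtype {qtype:<3} -> {status}")
```

Run stand-alone it flags only the NSEC returned for the type NS query (`ns-bit-missing`); the records returned for the A and DS queries pass. A resolver that caches the first NSEC it sees and reuses it for later DS lookups (aggressive use of NSEC) would therefore accept or reject the delegation proof depending on which query happened to populate the cache, which matches the "working, but suboptimal" symptom described in the message.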