[dns-operations] Inconsistent NSEC response for unsigned zone from AWS
Gavin McCullagh
gmccullagh at gmail.com
Tue Jun 22 00:33:51 UTC 2021
Interesting observation, Puneet, thank you. I'm bringing this up internally
within Route 53 so we can take a look.
Gavin
On Mon, Jun 21, 2021 at 4:55 PM Puneet Sood via dns-operations <dns-operations at dns-oarc.net> wrote:
> ---------- Forwarded message ----------
> From: Puneet Sood <puneets at google.com>
> To: dns-operations <dns-operations at dns-oarc.net>
> Cc:
> Bcc:
> Date: Mon, 21 Jun 2021 19:45:44 -0400
> Subject: Inconsistent NSEC response for unsigned zone from AWS
> Hello dnssec experts,
>
> I am noticing an inconsistent NSEC response in a delegation. Depending
> on the RR type specified in the query the response includes NS in the
> set of RR types in the NSEC RR proving the absence of the <name>/DS
> record. Is this behavior below within what nameservers can return?
> Ideally all cases will list the NS RR type in the NSEC record.
>
> I suspect the absence of NS in the NSEC is confusing our NSEC checking
> logic. Validation is working correctly but in a suboptimal fashion.
>
> **** Example domain: corp.ibexglobal.com
>
> $ dig ns corp.ibexglobal.com +short
> ns-1415.awsdns-48.org.
> ns-1804.awsdns-33.co.uk.
> ns-29.awsdns-03.com.
> ns-945.awsdns-54.net.
>
> **** With type NS, NS not included in NSEC RR.
>
> $ dig corp.ibexglobal.com -t NS +dnssec +nocrypto +nocomment @ns-725.awsdns-26.net.
>
> ;corp.ibexglobal.com. IN NS
> corp.ibexglobal.com. 172800 IN NS ns-1415.awsdns-48.org.
> corp.ibexglobal.com. 172800 IN NS ns-1804.awsdns-33.co.uk.
> corp.ibexglobal.com. 172800 IN NS ns-29.awsdns-03.com.
> corp.ibexglobal.com. 172800 IN NS ns-945.awsdns-54.net.
> corp.ibexglobal.com. 86400 IN NSEC \000.corp.ibexglobal.com. RRSIG NSEC
> corp.ibexglobal.com. 86400 IN RRSIG NSEC 13 3 86400 20210623002754 20210621222754 36517 ibexglobal.com. [omitted]
>
> **** With type DS or A, NS included in NSEC RR.
>
> $ dig corp.ibexglobal.com -t A +dnssec +nocrypto +nocomment @ns-725.awsdns-26.net.
>
> ;corp.ibexglobal.com. IN A
> corp.ibexglobal.com. 172800 IN NS ns-1415.awsdns-48.org.
> corp.ibexglobal.com. 172800 IN NS ns-1804.awsdns-33.co.uk.
> corp.ibexglobal.com. 172800 IN NS ns-29.awsdns-03.com.
> corp.ibexglobal.com. 172800 IN NS ns-945.awsdns-54.net.
> corp.ibexglobal.com. 86400 IN NSEC \000.corp.ibexglobal.com. NS RRSIG NSEC
> corp.ibexglobal.com. 86400 IN RRSIG NSEC 13 3 86400 20210623002809 20210621222809 36517 ibexglobal.com. [omitted]
>
> $ dig corp.ibexglobal.com -t DS +dnssec +nocrypto +nocomment @ns-725.awsdns-26.net.
>
> ;corp.ibexglobal.com. IN DS
> ibexglobal.com. 900 IN SOA ns-380.awsdns-47.com. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
> ibexglobal.com. 900 IN RRSIG SOA 13 2 900 20210622004320 20210621222820 36517 ibexglobal.com. [omitted]
> corp.ibexglobal.com. 86400 IN NSEC \000.corp.ibexglobal.com. NS RRSIG NSEC
> corp.ibexglobal.com. 86400 IN RRSIG NSEC 13 3 86400 20210623002820 20210621222820 36517 ibexglobal.com. [omitted]
>
> Thanks,
> Puneet
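The check Puneet describes, written out as an added example (not code from Puneet, Google Public DNS, or Route 53): it parses the NSEC RR at the delegation owner from each of the three responses quoted above, compares its type bitmap against what RFC 4035 section 2.3 requires at a delegation point (the NS bit set, plus DS only when the child is signed), and also flags the more direct contradiction in the NS response, where the same answer carries an NS RRset at the owner whose NSEC bitmap omits NS. The sample input is constructed from the dig output in the post (one line per RR, RRSIG records dropped); the function and its report layout are my own.

```python
"""Consistency check for NSEC type bitmaps at a delegation point.

Added example, not part of the original list post. The records below are
constructed from the dig output quoted in the post (RRSIG lines omitted).
"""

# RFC 4035 section 2.3: at a delegation point the NSEC bitmap MUST include the
# NS bit. DS is required only when the child zone is signed; the child here
# is unsigned, so only NS is mandatory (assumption drawn from the post).
REQUIRED_DELEGATION_BITS = {"NS"}

# Constructed sample input: the three responses from the post, keyed by qtype.
SAMPLE_RESPONSES = {
    "NS": [
        "corp.ibexglobal.com. 172800 IN NS ns-1415.awsdns-48.org.",
        "corp.ibexglobal.com. 172800 IN NS ns-1804.awsdns-33.co.uk.",
        "corp.ibexglobal.com. 86400 IN NSEC \\000.corp.ibexglobal.com. RRSIG NSEC",
    ],
    "A": [
        "corp.ibexglobal.com. 172800 IN NS ns-1415.awsdns-48.org.",
        "corp.ibexglobal.com. 172800 IN NS ns-1804.awsdns-33.co.uk.",
        "corp.ibexglobal.com. 86400 IN NSEC \\000.corp.ibexglobal.com. NS RRSIG NSEC",
    ],
    "DS": [
        "ibexglobal.com. 900 IN SOA ns-380.awsdns-47.com. awsdns-hostmaster.amazon.com. "
        "1 7200 900 1209600 86400",
        "corp.ibexglobal.com. 86400 IN NSEC \\000.corp.ibexglobal.com. NS RRSIG NSEC",
    ],
}


def parse_rr(line):
    """Split a presentation-format RR into (owner, ttl, class, type, rdata fields)."""
    fields = line.split()
    if len(fields) < 4:
        raise ValueError(f"not a resource record: {line!r}")
    owner, ttl, rrclass, rrtype = fields[:4]
    return owner.lower(), int(ttl), rrclass.upper(), rrtype.upper(), fields[4:]


def check_delegation_nsec(responses, delegation):
    """Inspect the NSEC RR for `delegation` in each response.

    Returns a report with, per qtype:
      bitmaps      - the NSEC type bitmap seen at the delegation owner
      missing      - required delegation bits absent from that bitmap
      contradicted - types present at the owner in the same response but
                     absent from its NSEC bitmap (the NSEC denies an RRset
                     the server just returned)
    and a single `consistent` flag: True when every response that carried an
    NSEC for the owner advertised the same bitmap.
    """
    delegation = delegation.lower()
    report = {"bitmaps": {}, "missing": {}, "contradicted": {}}
    for qtype, rrs in responses.items():
        seen_at_owner = set()
        nsec_types = None
        for line in rrs:
            owner, _ttl, _cls, rrtype, rdata = parse_rr(line)
            if owner != delegation:
                continue  # e.g. the parent SOA in the DS response
            if rrtype == "NSEC":
                # rdata[0] is the next owner name; the rest is the type bitmap
                nsec_types = frozenset(t.upper() for t in rdata[1:])
            elif rrtype != "RRSIG":
                seen_at_owner.add(rrtype)
        if nsec_types is None:
            continue  # no NSEC for the delegation in this response
        report["bitmaps"][qtype] = nsec_types
        absent = REQUIRED_DELEGATION_BITS - nsec_types
        if absent:
            report["missing"][qtype] = sorted(absent)
        contradicted = seen_at_owner - nsec_types
        if contradicted:
            report["contradicted"][qtype] = sorted(contradicted)
    report["consistent"] = len(set(report["bitmaps"].values())) <= 1
    return report


if __name__ == "__main__":
    result = check_delegation_nsec(SAMPLE_RESPONSES, "corp.ibexglobal.com.")
    for qtype, bits in result["bitmaps"].items():
        print(f"{qtype:>3}: NSEC bitmap {sorted(bits)}"
              f" missing={result['missing'].get(qtype, [])}"
              f" contradicted={result['contradicted'].get(qtype, [])}")
    print("consistent across query types:", result["consistent"])
```

Run against the sample data, the report singles out the type-NS response as both missing the required NS bit and contradicting its own NS RRset, while the A and DS responses agree with each other; that is the same distinction the post draws, expressed as a check a resolver's NSEC logic or a zone-monitoring job could apply to real answers (a production version would read wire-format bitmaps with a DNS library rather than split dig text, and would add DS to the required set when the child publishes a DS).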