[dns-operations] Inconsistent NSEC response for unsigned zone from AWS

Puneet Sood puneets at google.com
Tue Jun 22 14:49:03 UTC 2021 

On Tue, Jun 22, 2021, 12:35 AM Matt Nordhoff <mnordhoff at gmail.com> wrote:

> On Tue, Jun 22, 2021 at 3:54 AM Viktor Dukhovni <ietf-dane at dukhovni.org>
> wrote:
> > On Tue, Jun 22, 2021 at 03:30:39AM +0000, Matt Nordhoff wrote:
> >
> > > > Indeed I see the same:
> > > >
> > > >     $ dig +noall +dnssec +norecur +nocrypto +ans +auth +add -t NS
> corp.ibexglobal.com @ns-725.awsdns-26.net.
> > > >     corp.ibexglobal.com.    172800  IN      NS
> ns-1415.awsdns-48.org.
> > > >     corp.ibexglobal.com.    172800  IN      NS
> ns-1804.awsdns-33.co.uk.
> > > >     corp.ibexglobal.com.    172800  IN      NS
> ns-29.awsdns-03.com.
> > > >     corp.ibexglobal.com.    172800  IN      NS
> ns-945.awsdns-54.net.
> > > >     corp.ibexglobal.com.    86400   IN      NSEC    \
> 000.corp.ibexglobal.com. RRSIG NSEC
> > > >     corp.ibexglobal.com.    86400   IN      RRSIG   NSEC 13 3 86400
> 20210623012420 20210621232420 36517 ibexglobal.com. [omitted]
> > > >
> > > > This violates <
> https://datatracker.ietf.org/doc/html/rfc4035#section-2.3>:
> > >
> > > I haven't spent the time to understand precisely what this thread is
> > > talking about, but that's how NSEC white/black lies work. NS1 does the
> > > same thing (give or take possible bugs) as AWS.
> >
> > No, there's a subtle difference, this qname actually exists, and has an
> > NS RRSet.  The NSEC bitmap needs to reflect this.
>
> Ah, now I understand the issue, thank you.
>
> I'm sorry if my previous email seemed glib. I didn't get enough sleep
> to easily understand NSEC problems, but thought it was probably better
> to reply now than to wait.
>
> My email might still matter, but it's not relevant to this thread.
>
> [FWIW, Cloudflare handles insecure referrals correctly, AFAIK. I have
> no idea about NS1, but there's no reason to suspect anything.]
>

I did not see this issue with cloudflare.

For some reason my post forked into two threads. Gavin from AWS replied on
the other thread.

Puneet

> --
> Matt Nordhoff
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20210622/a98511de/attachment.html>

More information about the dns-operations mailing list