[dns-operations] Spurious (?) DNSSEC SERVFAIL with some (?) versions of BIND for one domain?

Peter van Dijk peter.van.dijk at powerdns.com
Wed Mar 10 19:29:42 UTC 2021


On Wed, 2021-03-10 at 16:44 +0000, Matthew Richardson wrote:
>        9qbq9dd8lt1gvge9gdmb5m0o13iuqeqt.prv.se: type NSEC3, class IN
> >            Name: 9qbq9dd8lt1gvge9gdmb5m0o13iuqeqt.prv.se

Which is the NSEC3 hash of 'prv.se.',

> >            Type: NSEC3 (50)
> >            Class: IN (0x0001)
> >            Time to live: 3600
> >            Data length: 43
> >            Hash algorithm: SHA-1 (1)
> >            NSEC3 flags: 0
> >                .... ...0 = NSEC3 Opt-out flag: Additional insecure delegations forbidden
> >            NSEC3 iterations: 50
> >            Salt length: 8
> >            Salt value: 33e9285ab62c0803
> >            Hash length: 20
> >            Next hashed owner: 4f848f41f3884a3fc412e821e031cdd8b9a48eca
> >            RR type in bit map: A (Host Address)
> >            RR type in bit map: NS (authoritative Name Server)
> >            RR type in bit map: SOA (Start Of a zone of Authority)
> >            RR type in bit map: MX (Mail eXchange)
> >            RR type in bit map: TXT (Text strings)
> >            RR type in bit map: DS(Delegation Signer)

which apparently has a DS at the apex of the child zone, which is
somewhere between 'useless' and 'wrong'.

> >            RR type in bit map: RRSIG
> >            RR type in bit map: DNSKEY
> >            RR type in bit map: NSEC3PARAM

Combined with

> 10-Mar-2021 16:20:11.606 dnssec: info: validating _dmarc.prv.se/TXT:
bad cache hit (_dmarc.prv.se/DS)

My vague suspicion is that BIND is flagging this as an impossible
situation, because a DS should live in the parent, and only in the
parent.

I recall isc.org 'recently' had a DS at the apex of the child zone; I
wonder if after ISC removed that, they made BIND, as a validator,
stricter about it when detected.

Kind regards,
-- 
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/



More information about the dns-operations mailing list