[dns-operations] Spurious (?) DNSSEC SERVFAIL with some (?) versions of BIND for one domain?
Mark Andrews
marka at isc.org
Wed Mar 10 23:37:18 UTC 2021
Done via the web page.
> On 11 Mar 2021, at 09:42, Mark Andrews <marka at isc.org> wrote:
>
> And has anyone reported this to them?
>
>> On 11 Mar 2021, at 09:37, Mark Andrews <marka at isc.org> wrote:
>>
>> So who is correctly rejecting DS at top of zone at load time? There is no way
>> to query for this RRset.
>>
>>> On 11 Mar 2021, at 06:29, Peter van Dijk <peter.van.dijk at powerdns.com> wrote:
>>>
>>> On Wed, 2021-03-10 at 16:44 +0000, Matthew Richardson wrote:
>>>> 9qbq9dd8lt1gvge9gdmb5m0o13iuqeqt.prv.se: type NSEC3, class IN
>>>>> Name: 9qbq9dd8lt1gvge9gdmb5m0o13iuqeqt.prv.se
>>>
>>> Which is the NSEC3 hash of 'prv.se.',
>>>
>>>>> Type: NSEC3 (50)
>>>>> Class: IN (0x0001)
>>>>> Time to live: 3600
>>>>> Data length: 43
>>>>> Hash algorithm: SHA-1 (1)
>>>>> NSEC3 flags: 0
>>>>> .... ...0 = NSEC3 Opt-out flag: Additional insecure delegations forbidden
>>>>> NSEC3 iterations: 50
>>>>> Salt length: 8
>>>>> Salt value: 33e9285ab62c0803
>>>>> Hash length: 20
>>>>> Next hashed owner: 4f848f41f3884a3fc412e821e031cdd8b9a48eca
>>>>> RR type in bit map: A (Host Address)
>>>>> RR type in bit map: NS (authoritative Name Server)
>>>>> RR type in bit map: SOA (Start Of a zone of Authority)
>>>>> RR type in bit map: MX (Mail eXchange)
>>>>> RR type in bit map: TXT (Text strings)
>>>>> RR type in bit map: DS(Delegation Signer)
>>>
>>> which apparently has a DS at the apex of the child zone, which is
>>> somewhere between 'useless' and 'wrong'.
>>>
>>>>> RR type in bit map: RRSIG
>>>>> RR type in bit map: DNSKEY
>>>>> RR type in bit map: NSEC3PARAM
>>>
>>> Combined with
>>>
>>>> 10-Mar-2021 16:20:11.606 dnssec: info: validating _dmarc.prv.se/TXT:
>>> bad cache hit (_dmarc.prv.se/DS)
>>>
>>> My vague suspicion is that BIND is flagging this as an impossible
>>> situation, because a DS should live in the parent, and only in the
>>> parent.
>>>
>>> I recall isc.org 'recently' had a DS at the apex of the child zone; I
>>> wonder if after ISC removed that, they made BIND, as a validator,
>>> stricter about it when detected.
>>>
>>> Kind regards,
>>> --
>>> Peter van Dijk
>>> PowerDNS.COM BV - https://www.powerdns.com/
>>>
>>> _______________________________________________
>>> dns-operations mailing list
>>> dns-operations at lists.dns-oarc.net
>>> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>>
>> --
>> Mark Andrews, ISC
>> 1 Seymour St., Dundas Valley, NSW 2117, Australia
>> PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
>>
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
>
>
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
More information about the dns-operations
mailing list