<div dir="ltr"><div>Interesting observation Puneet, thank you. I'm bringing this up internally within Route 53 so we can take a look.<br></div><div><br></div><div>Gavin<br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Jun 21, 2021 at 4:55 PM Puneet Sood via dns-operations <<a href="mailto:dns-operations@dns-oarc.net">dns-operations@dns-oarc.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br><br><br>---------- Forwarded message ----------<br>From: Puneet Sood <<a href="mailto:puneets@google.com" target="_blank">puneets@google.com</a>><br>To: dns-operations <<a href="mailto:dns-operations@dns-oarc.net" target="_blank">dns-operations@dns-oarc.net</a>><br>Cc: <br>Bcc: <br>Date: Mon, 21 Jun 2021 19:45:44 -0400<br>Subject: Inconsistent NSEC response for unsigned zone from AWS<br>Hello dnssec experts,<br>
<br>
I am noticing an inconsistent NSEC response in a delegation. Depending<br>
on the RR type specified in the query the response includes NS in the<br>
set of RR types in the NSEC RR proving the absence of the <name>/DS<br>
record. Is this behavior below within what nameservers can return?<br>
Ideally all cases will list the NS RR type in the NSEC record.<br>
<br>
I suspect the absence of NS in the NSEC is confusing our NSEC checking<br>
logic. Validation is working correctly but in a suboptimal fashion.<br>
<br>
**** Example domain: <a href="http://corp.ibexglobal.com" rel="noreferrer" target="_blank">corp.ibexglobal.com</a><br>
<br>
$ dig ns <a href="http://corp.ibexglobal.com" rel="noreferrer" target="_blank">corp.ibexglobal.com</a> +short<br>
<a href="http://ns-1415.awsdns-48.org" rel="noreferrer" target="_blank">ns-1415.awsdns-48.org</a>.<br>
<a href="http://ns-1804.awsdns-33.co.uk" rel="noreferrer" target="_blank">ns-1804.awsdns-33.co.uk</a>.<br>
<a href="http://ns-29.awsdns-03.com" rel="noreferrer" target="_blank">ns-29.awsdns-03.com</a>.<br>
<a href="http://ns-945.awsdns-54.net" rel="noreferrer" target="_blank">ns-945.awsdns-54.net</a>.<br>
<br>
**** With type NS, NS not included in NSEC RR.<br>
<br>
$ dig <a href="http://corp.ibexglobal.com" rel="noreferrer" target="_blank">corp.ibexglobal.com</a> -t NS +dnssec +nocrypto +nocomment<br>
@<a href="http://ns-725.awsdns-26.net" rel="noreferrer" target="_blank">ns-725.awsdns-26.net</a>.<br>
<br>
;<a href="http://corp.ibexglobal.com" rel="noreferrer" target="_blank">corp.ibexglobal.com</a>. IN NS<br>
<a href="http://corp.ibexglobal.com" rel="noreferrer" target="_blank">corp.ibexglobal.com</a>. 172800 IN NS <a href="http://ns-1415.awsdns-48.org" rel="noreferrer" target="_blank">ns-1415.awsdns-48.org</a>.<br>
<a href="http://corp.ibexglobal.com" rel="noreferrer" target="_blank">corp.ibexglobal.com</a>. 172800 IN NS <a href="http://ns-1804.awsdns-33.co.uk" rel="noreferrer" target="_blank">ns-1804.awsdns-33.co.uk</a>.<br>
<a href="http://corp.ibexglobal.com" rel="noreferrer" target="_blank">corp.ibexglobal.com</a>. 172800 IN NS <a href="http://ns-29.awsdns-03.com" rel="noreferrer" target="_blank">ns-29.awsdns-03.com</a>.<br>
<a href="http://corp.ibexglobal.com" rel="noreferrer" target="_blank">corp.ibexglobal.com</a>. 172800 IN NS <a href="http://ns-945.awsdns-54.net" rel="noreferrer" target="_blank">ns-945.awsdns-54.net</a>.<br>
<a href="http://corp.ibexglobal.com" rel="noreferrer" target="_blank">corp.ibexglobal.com</a>. 86400 IN NSEC<br>
\<a href="http://000.corp.ibexglobal.com" rel="noreferrer" target="_blank">000.corp.ibexglobal.com</a>. RRSIG NSEC<br>
<a href="http://corp.ibexglobal.com" rel="noreferrer" target="_blank">corp.ibexglobal.com</a>. 86400 IN RRSIG NSEC 13 3 86400<br>
20210623002754 20210621222754 36517 <a href="http://ibexglobal.com" rel="noreferrer" target="_blank">ibexglobal.com</a>. [omitted]<br>
<br>
**** With type DS or A, NS included in NSEC RR.<br>
<br>
$ dig <a href="http://corp.ibexglobal.com" rel="noreferrer" target="_blank">corp.ibexglobal.com</a> -t A +dnssec +nocrypto +nocomment<br>
@<a href="http://ns-725.awsdns-26.net" rel="noreferrer" target="_blank">ns-725.awsdns-26.net</a>.<br>
;<a href="http://corp.ibexglobal.com" rel="noreferrer" target="_blank">corp.ibexglobal.com</a>. IN A<br>
<a href="http://corp.ibexglobal.com" rel="noreferrer" target="_blank">corp.ibexglobal.com</a>. 172800 IN NS <a href="http://ns-1415.awsdns-48.org" rel="noreferrer" target="_blank">ns-1415.awsdns-48.org</a>.<br>
<a href="http://corp.ibexglobal.com" rel="noreferrer" target="_blank">corp.ibexglobal.com</a>. 172800 IN NS <a href="http://ns-1804.awsdns-33.co.uk" rel="noreferrer" target="_blank">ns-1804.awsdns-33.co.uk</a>.<br>
<a href="http://corp.ibexglobal.com" rel="noreferrer" target="_blank">corp.ibexglobal.com</a>. 172800 IN NS <a href="http://ns-29.awsdns-03.com" rel="noreferrer" target="_blank">ns-29.awsdns-03.com</a>.<br>
<a href="http://corp.ibexglobal.com" rel="noreferrer" target="_blank">corp.ibexglobal.com</a>. 172800 IN NS <a href="http://ns-945.awsdns-54.net" rel="noreferrer" target="_blank">ns-945.awsdns-54.net</a>.<br>
<a href="http://corp.ibexglobal.com" rel="noreferrer" target="_blank">corp.ibexglobal.com</a>. 86400 IN NSEC<br>
\<a href="http://000.corp.ibexglobal.com" rel="noreferrer" target="_blank">000.corp.ibexglobal.com</a>. NS RRSIG NSEC<br>
<a href="http://corp.ibexglobal.com" rel="noreferrer" target="_blank">corp.ibexglobal.com</a>. 86400 IN RRSIG NSEC 13 3 86400<br>
20210623002809 20210621222809 36517 <a href="http://ibexglobal.com" rel="noreferrer" target="_blank">ibexglobal.com</a>. [omitted]<br>
<br>
$ dig <a href="http://corp.ibexglobal.com" rel="noreferrer" target="_blank">corp.ibexglobal.com</a> -t DS +dnssec +nocrypto +nocomment<br>
@<a href="http://ns-725.awsdns-26.net" rel="noreferrer" target="_blank">ns-725.awsdns-26.net</a>.<br>
;<a href="http://corp.ibexglobal.com" rel="noreferrer" target="_blank">corp.ibexglobal.com</a>. IN DS<br>
<a href="http://ibexglobal.com" rel="noreferrer" target="_blank">ibexglobal.com</a>. 900 IN SOA <a href="http://ns-380.awsdns-47.com" rel="noreferrer" target="_blank">ns-380.awsdns-47.com</a>.<br>
<a href="http://awsdns-hostmaster.amazon.com" rel="noreferrer" target="_blank">awsdns-hostmaster.amazon.com</a>. 1 7200 900 1209600 86400<br>
<a href="http://ibexglobal.com" rel="noreferrer" target="_blank">ibexglobal.com</a>. 900 IN RRSIG SOA 13 2 900<br>
20210622004320 20210621222820 36517 <a href="http://ibexglobal.com" rel="noreferrer" target="_blank">ibexglobal.com</a>. [omitted]<br>
<a href="http://corp.ibexglobal.com" rel="noreferrer" target="_blank">corp.ibexglobal.com</a>. 86400 IN NSEC<br>
\<a href="http://000.corp.ibexglobal.com" rel="noreferrer" target="_blank">000.corp.ibexglobal.com</a>. NS RRSIG NSEC<br>
<a href="http://corp.ibexglobal.com" rel="noreferrer" target="_blank">corp.ibexglobal.com</a>. 86400 IN RRSIG NSEC 13 3 86400<br>
20210623002820 20210621222820 36517 <a href="http://ibexglobal.com" rel="noreferrer" target="_blank">ibexglobal.com</a>. [omitted]<br>
<br>
Thanks,<br>
Puneet<br>
<br>_______________________________________________<br>
dns-operations mailing list<br>
<a href="mailto:dns-operations@lists.dns-oarc.net" target="_blank">dns-operations@lists.dns-oarc.net</a><br>
<a href="https://lists.dns-oarc.net/mailman/listinfo/dns-operations" rel="noreferrer" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-operations</a><br>
</blockquote></div>
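<div dir="ltr"><div>Why the missing NS bit matters to a validator, as an added example that is not part of this thread and not Route 53 or Google code: a resolver that wants to treat a child as an insecure delegation must authenticate an NSEC owned by the delegation name whose type bitmap has NS set and both DS and SOA clear (RFC 4035 section 5.2, restated in RFC 6840 section 4.4). The NSEC returned for the NS query above has only RRSIG and NSEC in its bitmap, so it proves that no DS exists but not that the name is a delegation, and the validator has to obtain that proof some other way. The script below parses dig-style NSEC presentation text (the three bitmaps seen in the thread are embedded as constructed samples), applies that check, and reports which query types yielded a usable insecure-delegation proof. Function names such as <code>parse_nsec</code> and <code>proves_insecure_delegation</code> are this example's own.</div></div>

```python
import re
from dataclasses import dataclass

# One NSEC record in presentation form: owner, next owner name, and the
# set of type mnemonics from its type bitmap.
@dataclass(frozen=True)
class Nsec:
    owner: str
    next_name: str
    types: frozenset

# Matches "<owner> <ttl> IN NSEC <next> <type> <type> ..." after whitespace
# has been flattened, so a record dig wrapped over two lines still parses.
NSEC_RE = re.compile(
    r"^(?P<owner>\S+)\s+\d+\s+IN\s+NSEC\s+(?P<next>\S+)\s*(?P<types>.*)$"
)


def parse_nsec(text: str) -> Nsec:
    """Parse one NSEC record from dig-style text (line wraps tolerated)."""
    flat = " ".join(text.split())
    m = NSEC_RE.match(flat)
    if m is None:
        raise ValueError(f"not an NSEC record: {flat!r}")
    types = frozenset(t.upper() for t in m.group("types").split())
    return Nsec(m.group("owner").lower(), m.group("next").lower(), types)


def proves_insecure_delegation(nsec: Nsec, name: str):
    """Apply the RFC 4035 s5.2 / RFC 6840 s4.4 bitmap test.

    Returns (ok, reason). The NSEC must be owned by the delegation name,
    have NS set (it is a delegation), DS clear (no secure entry point)
    and SOA clear (it is not the zone apex of the parent itself).
    """
    name = name.lower()
    if nsec.owner != name:
        return False, "owner name does not match the delegation name"
    if "SOA" in nsec.types:
        return False, "SOA bit set: this NSEC covers a zone apex, not a delegation"
    if "NS" not in nsec.types:
        return False, "NS bit clear: does not prove the name is a delegation"
    if "DS" in nsec.types:
        return False, "DS bit set: delegation is signed, the DS RRset must be used"
    return True, "NS set, DS and SOA clear: insecure delegation proven"


def evaluate_by_qtype(samples: dict, name: str) -> dict:
    """Run the check on the NSEC seen for each query type and collect results."""
    return {qtype: proves_insecure_delegation(parse_nsec(txt), name)
            for qtype, txt in samples.items()}


def bitmaps_consistent(samples: dict) -> bool:
    """True when every query type produced the same NSEC type bitmap."""
    bitmaps = {parse_nsec(txt).types for txt in samples.values()}
    return len(bitmaps) == 1


# Constructed samples reproducing the three NSEC answers quoted in the thread
# (owner corp.ibexglobal.com., next owner \000.corp.ibexglobal.com.).
# Raw strings keep the "\000" label literal rather than an octal escape.
SAMPLE_NSEC_BY_QTYPE = {
    "NS": r"corp.ibexglobal.com. 86400 IN NSEC" + "\n"
          r"\000.corp.ibexglobal.com. RRSIG NSEC",
    "A":  r"corp.ibexglobal.com. 86400 IN NSEC" + "\n"
          r"\000.corp.ibexglobal.com. NS RRSIG NSEC",
    "DS": r"corp.ibexglobal.com. 86400 IN NSEC" + "\n"
          r"\000.corp.ibexglobal.com. NS RRSIG NSEC",
}

if __name__ == "__main__":
    delegation = "corp.ibexglobal.com."
    for qtype, (ok, why) in evaluate_by_qtype(SAMPLE_NSEC_BY_QTYPE, delegation).items():
        print(f"qtype {qtype:<3} usable insecure-delegation proof={ok}: {why}")
    print("bitmaps consistent across query types:",
          bitmaps_consistent(SAMPLE_NSEC_BY_QTYPE))
```

<div dir="ltr"><div>Run against the samples, only the A and DS responses yield a usable proof; the NS response fails on the missing NS bit, which is the "suboptimal" path Puneet describes: validation still succeeds, but the validator must recover the delegation proof from another answer rather than from the NSEC it was handed.</div></div>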