[nsd-users] wildcard+ANY validation issue between NSD and Unbound
Peter van Dijk
peter.van.dijk at netherlabs.nl
Fri Feb 24 12:12:24 UTC 2012
Hello,
Given this zone wtest.com:
$TTL 3600
$ORIGIN wtest.com.
@ IN SOA ns1.wtest.com. ahu.example.com. ( 2005092501
8H ; refresh
2H ; retry
1W ; expire
1D ; default_ttl
)
@ IN NS ns1
@ IN MX 10 smtp-servers.example.com.
@ IN MX 15 smtp-servers
@ IN A 9.9.9.9
* IN CNAME server1
ns1 IN A 1.2.3.4
secure IN MX 10 server1
server1 IN A 1.2.3.4
*.something IN A 4.3.2.1
When I sign this zone with ldns-signzone (1.6.12) and configure it in NSD (3.2.10), I observe (with Unbound 1.4.16):
$ unbound-host -v -C unbound-host-nsd.conf -t a www.something.wtest.com
www.something.wtest.com has address 4.3.2.1 (secure)
$ unbound-host -v -C unbound-host-nsd.conf -t any www.something.wtest.com
www.something.wtest.com ANY:
www.something.wtest.com. 3600 IN A 4.3.2.1
www.something.wtest.com. 3600 IN RRSIG A 5 3 3600 20120323092532 20120224092532 61140 wtest.com. N0nNjNk2wWpgw8MsSJkWi91L4iAZa3L6bJle4jZ7eSzybTvbmNP5X83db8bxNSErjvACC+QLbMcxg3LICb+msQ==
(BOGUS (security failure))
validation failure <www.something.wtest.com. ANY IN>: qtype_any proof failed from 10.0.2.14
Doing the same with BIND (1:9.9.0-0ubuntu0~lucid12~b1) (using dnssec-signzone):
$ unbound-host -v -C unbound-host-bind.conf -t a www.something.wtest.com
www.something.wtest.com has address 4.3.2.1 (secure)
$ unbound-host -v -C unbound-host-bind.conf -t any www.something.wtest.com
www.something.wtest.com ANY:
www.something.wtest.com. 3600 IN A 4.3.2.1
www.something.wtest.com. 3600 IN RRSIG A 5 3 3600 20120325073507 20120224073507 61140 wtest.com. BA8PEvt2bNEr6ZLiOeFJQhQO6BVrj5vTFGFs4tT6vBu5fhvIYyQh1ltzSmaxzyfe9EDMP89upcjW7AQyju9upQ==
www.something.wtest.com. 86400 IN NSEC wtest.com. A RRSIG NSEC
www.something.wtest.com. 86400 IN RRSIG NSEC 5 3 86400 20120325073507 20120224073507 61140 wtest.com. LDtcA1C2qk5hYF2qUquVDSa39v18lexViUwlIa9uLGaoDYXzndOWsA0Zbu01cvcipT1GCu6gaAFLieGL/gNdbQ==
(secure)
The difference appears to be that in the ANY case, BIND adds:
www.something.wtest.com. 86400 IN NSEC wtest.com. A RRSIG NSEC
www.something.wtest.com. 86400 IN RRSIG NSEC 5 3 86400 ….
but as far as I can see, this offers no information not already offered by:
*.something.wtest.com. 86400 IN NSEC wtest.com. A RRSIG NSEC
*.something.wtest.com. 86400 IN RRSIG NSEC 5 3 86400 …
(which is present in both responses from NSD and from BIND). Yet, Unbound seems to require it.
I have sent this message to nsd-users instead of unbound-users because regardless of who is wrong here, I fear the authoritative side is where this has to be fixed, for compatibility. I also suspect I will reach the Unbound developers via this list anyway.
RFC 4035 appears not to cover the interaction between ANY and NSEC at all.
I'm looking forward to any opinions on this subject. I would be happy to repost to unbound-users if the question is deemed more suitable for that forum.
Kind regards,
Peter van Dijk
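The proof the post reasons about, as an added example that is not code from the post, NSD, BIND or Unbound: it applies RFC 4034 §6.1 canonical ordering to show that the *.something.wtest.com. NSEC covers www.something.wtest.com. (the name does not exist, so wildcard expansion applies) and lists the types the wildcard owns. The function names are my own, and the NSEC tuples are transcribed from the two responses above.

```python
# Added illustration of the wildcard-expansion proof discussed in the post.
# Not Unbound, NSD or BIND code; function names are my own. NSEC data is
# transcribed from the two responses in the post as (owner, next name, types).

def canonical_key(name):
    """RFC 4034 section 6.1 ordering key: labels compared right to left, case-folded."""
    return tuple(label.lower() for label in reversed(name.rstrip(".").split(".")))

def nsec_covers(owner, next_name, qname):
    """True if the NSEC owner -> next_name proves that qname does not exist."""
    o, n, q = (canonical_key(x) for x in (owner, next_name, qname))
    if o < n:
        return o < q < n
    return q > o or q < n   # last NSEC in the zone: next name wraps to the apex

def wildcard_name(qname, rrsig_labels):
    """Reconstruct the wildcard from the RRSIG Labels field (RFC 4035 section 5.3.4)."""
    labels = qname.rstrip(".").split(".")
    if rrsig_labels >= len(labels):
        return None  # owner name was signed as-is: no wildcard expansion
    return "*." + ".".join(labels[len(labels) - rrsig_labels:]) + "."

def check_wildcard_answer(qname, answer_types, rrsig_labels, nsecs):
    """nsecs: list of (owner, next_name, [types]). Returns (ok, reason)."""
    wc = wildcard_name(qname, rrsig_labels)
    if wc is None:
        return False, "RRSIG Labels field says the answer is not wildcard-expanded"
    if not any(nsec_covers(o, n, qname) for o, n, _ in nsecs):
        return False, "no NSEC proves that %s does not exist" % qname
    for owner, _, types in nsecs:
        if canonical_key(owner) == canonical_key(wc):
            extra = sorted(set(answer_types) - set(types))
            if extra:
                return False, "answer carries types absent from the wildcard NSEC: %s" % extra
    return True, "expansion of %s to %s is proven" % (wc, qname)

# Constructed from the post: NSD sends only the wildcard NSEC; BIND's response
# also carries that NSEC expanded to the query name (its RRSIG Labels field is 3).
# In both cases the *.something NSEC is the one covering www.something.
NSD_NSECS = [("*.something.wtest.com.", "wtest.com.", ["A", "RRSIG", "NSEC"])]
BIND_NSECS = NSD_NSECS + [("www.something.wtest.com.", "wtest.com.", ["A", "RRSIG", "NSEC"])]

if __name__ == "__main__":
    for label, nsecs in (("NSD", NSD_NSECS), ("BIND", BIND_NSECS)):
        print(label, check_wildcard_answer("www.something.wtest.com.", ["A"], 3, nsecs))
```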