[nsd-users] wildcard+ANY validation issue between NSD and Unbound

Matthijs Mekking matthijs at nlnetlabs.nl
Fri Feb 24 13:46:41 UTC 2012



Hi Peter,

You are right, the wildcard NSEC in the answer section is giving
problems. We are working on a fix.

Thanks for reporting.

Best regards,
  Matthijs

On 02/24/2012 02:35 PM, Peter van Dijk wrote:
> Hello,
> 
> On Feb 24, 2012, at 13:12 , Peter van Dijk wrote:
> 
>> The difference appears to be that in the ANY case, BIND adds:
>> www.something.wtest.com.	86400	IN	NSEC	wtest.com. A RRSIG NSEC 
>> www.something.wtest.com.	86400	IN	RRSIG	NSEC 5 3 86400  ….
>>
>> but as far as I can see, this offers no information not already offered by:
>> *.something.wtest.com.	86400	IN	NSEC	wtest.com. A RRSIG NSEC 
>> *.something.wtest.com.	86400	IN	RRSIG	NSEC 5 3 86400 …
> 
> This is not the difference that matters. The issue is that NSD puts '*.something.wtest.com NSEC' in the answer section instead of the authority section.
> 
> According to unbound (and according to my reading of RFC4035), this is okay:
> 
> ;; QUESTION SECTION:
> ;www.something.wtest.com.	IN	 ANY
> 
> ;; ANSWER SECTION:
> www.something.wtest.com.	3600	IN	A	4.3.2.1
> www.something.wtest.com.	3600	IN	RRSIG	A 8 3 3600 20120308000000 20120223000000 33955 wtest.com. Cdgl41CONlwN91fMiQV6D1T2/ZaQPArjswqIR5FSnNAdTcfLuADAYJrXmBwdTTtQhfJASkZRidjfdtJOYrCgJC3d1KpeqJWnIf2mLIZtiGVkz9DxoMlXcb8O0U9moOSvPRzoWKyspQrvp6+qIM5BwqifrqbsrzSWTr4PFQehiaA=
> 
> ;; AUTHORITY SECTION:
> *.something.wtest.com.	3600	IN	NSEC	wtest.com. A RRSIG NSEC
> *.something.wtest.com.	3600	IN	RRSIG	NSEC 8 3 3600 20120308000000 20120223000000 33955 wtest.com. BEa33+lxqfRaPw5GsM6g9TwRGcVsgA/t4oK0WMZ/sikQllvOKNfZLvbdJwTN1/yQzYhrl+xqYWuQCvMHEYCztEo9/z29sPxC/4DQrWhFmPVln1kgAPNdNIO50O8KzynbwMRq5WflvlFMrgh3B65l4I0otoqOuh9UUVYF2fGlKf4=
> 
> 
> While this (from NSD) is not:
> 
> ;; QUESTION SECTION:
> ;www.something.wtest.com.	IN	 ANY
> 
> ;; ANSWER SECTION:
> *.something.wtest.com.	86400	IN	NSEC	wtest.com. A RRSIG NSEC
> *.something.wtest.com.	86400	IN	RRSIG	NSEC 5 3 86400 20120323092532 20120224092532 61140 wtest.com. YYV4+Bv6N2VATWSx7RhOJV0PkZuvxwWLk88lU5hXVcJNvqyKkGGlJQXpy19L8ftUZJN+p5nzc+lypH06LFQAmQ==
> www.something.wtest.com.	3600	IN	A	4.3.2.1
> www.something.wtest.com.	3600	IN	RRSIG	A 5 3 3600 20120323092532 20120224092532 61140 wtest.com. N0nNjNk2wWpgw8MsSJkWi91L4iAZa3L6bJle4jZ7eSzybTvbmNP5X83db8bxNSErjvACC+QLbMcxg3LICb+msQ==
> 
> ;; AUTHORITY SECTION:
> wtest.com.	3600	IN	NS	ns1.wtest.com.
> wtest.com.	3600	IN	RRSIG	NS 5 2 3600 20120323092532 20120224092532 61140 wtest.com. mIQi6S7OjXL+InBCcUIbHD2Kodt31FN2k7o4jdnHu7l0iTs58TjbiqJoL0DwZBk85NnRD/cLDrARD5X39nq5Qw==
> 
> ;; ADDITIONAL SECTION:
> ns1.wtest.com.	3600	IN	A	1.2.3.4
> ns1.wtest.com.	3600	IN	RRSIG	A 5 3 3600 20120323092532 20120224092532 61140 wtest.com. wO/knqEUrzk2RU4P+MRKAyk0yOmDaidYLYdT64DbmxcZmpU54tanw6rjoNpcMlHnWR/1IVw6/kozTGuTNnD6Yg==
> 
> Kind regards,
> Peter van Dijk
> _______________________________________________
> nsd-users mailing list
> nsd-users at NLnetLabs.nl
> http://open.nlnetlabs.nl/mailman/listinfo/nsd-users
> 

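The placement difference Peter describes, reproduced as an added example that is not code from this thread, from NSD or from Unbound: two wire-format responses to `www.something.wtest.com. IN ANY` are built in the shape of the two digs above (RRSIGs and the additional section left out), and a small section-aware parser reports which section carries the wildcard NSEC. The owner names, TTLs, 4.3.2.1 and ns1.wtest.com. are the thread's; the message ID, the flag word, the helper names and the `wildcard_proof_ok` rule (a literal reading of RFC 4035 section 3.1.3.3, which puts the NSEC proving no closer match in the Authority section) are this example's own assumptions.

```python
"""Added example, not code from the nsd-users thread, NSD or Unbound: build two
responses to `www.something.wtest.com. IN ANY` shaped like the two digs posted
(signatures omitted) and report which section holds the wildcard NSEC."""
import struct

TYPE = {"A": 1, "NS": 2, "RRSIG": 46, "NSEC": 47}
TYPE_NAME = {v: k for k, v in TYPE.items()}


def encode_name(name):
    """Uncompressed wire form of a dotted name ("wtest.com." -> 05wtest03com00)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Read a (possibly compressed) name at msg[off]; return (name, offset after it)."""
    labels = []
    while True:
        ln = msg[off]
        off += 1
        if ln == 0:
            return ".".join(labels) + ".", off
        if ln & 0xC0 == 0xC0:                      # compression pointer (RFC 1035 4.1.4)
            ptr = ((ln & 0x3F) << 8) | msg[off]
            tail, _ = decode_name(msg, ptr)
            return ".".join(labels + [tail]), off + 1
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln


def rr(owner, rtype, ttl, rdata):
    """One resource record: owner, TYPE, CLASS IN, TTL, RDLENGTH, RDATA."""
    return encode_name(owner) + struct.pack("!HHIH", TYPE[rtype], 1, ttl, len(rdata)) + rdata


def nsec_rdata(next_name, types):
    """NSEC RDATA: next owner name plus a type bitmap (window 0 only; types < 256)."""
    bits = bytearray(32)
    for t in types:
        bits[TYPE[t] // 8] |= 0x80 >> (TYPE[t] % 8)
    length = max(TYPE[t] // 8 for t in types) + 1
    return encode_name(next_name) + bytes([0, length]) + bytes(bits[:length])


def build_response(qname, answer, authority):
    """Authoritative (QR|AA) response to `qname IN ANY`; constructed ID and flags."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, len(answer), len(authority), 0)
    return (hdr + encode_name(qname) + struct.pack("!HH", 255, 1)
            + b"".join(answer) + b"".join(authority))


def parse_sections(msg):
    """Walk the message; return {'answer': [...], 'authority': [...], 'additional': [...]}
    of (owner, type, ttl, rdata) tuples, so every RR is tied to the section it sits in."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4                                   # QTYPE, QCLASS
    sections = {}
    for sec, count in (("answer", an), ("authority", ns), ("additional", ar)):
        rrs = []
        for _ in range(count):
            owner, off = decode_name(msg, off)
            rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rrs.append((owner, TYPE_NAME.get(rtype, rtype), ttl, msg[off:off + rdlen]))
            off += rdlen
        sections[sec] = rrs
    return sections


def wildcard_nsec_placement(msg, qname):
    """Section holding the NSEC whose owner is a wildcard covering qname, or None."""
    for sec, rrs in parse_sections(msg).items():
        for owner, rtype, _, _ in rrs:
            if rtype == "NSEC" and owner.startswith("*.") and qname.endswith("." + owner[2:]):
                return sec
    return None


def wildcard_proof_ok(msg, qname):
    """Assumed validator rule: RFC 4035 section 3.1.3.3 places the NSEC that proves
    no closer match in the Authority section, so an answer-section NSEC is rejected."""
    return wildcard_nsec_placement(msg, qname) == "authority"


# Constructed messages shaped like the two digs in the thread (RRSIGs omitted).
QNAME = "www.something.wtest.com."
A_RR = rr(QNAME, "A", 3600, bytes([4, 3, 2, 1]))
WILDCARD_NSEC = rr("*.something.wtest.com.", "NSEC", 3600,
                   nsec_rdata("wtest.com.", ["A", "RRSIG", "NSEC"]))
NS_RR = rr("wtest.com.", "NS", 3600, encode_name("ns1.wtest.com."))

FIRST_RESPONSE = build_response(QNAME, [A_RR], [WILDCARD_NSEC])       # NSEC in authority
NSD_RESPONSE = build_response(QNAME, [WILDCARD_NSEC, A_RR], [NS_RR])  # NSEC in answer

if __name__ == "__main__":
    for label, msg in (("first", FIRST_RESPONSE), ("NSD", NSD_RESPONSE)):
        print(label, wildcard_nsec_placement(msg, QNAME), wildcard_proof_ok(msg, QNAME))
```

Run stand-alone it prints `first authority True` and `NSD answer False`. The parser keeps the section boundary explicit on purpose: a validator that merely collects NSEC records from the whole message would accept both responses and never show the difference, while one that, like the rule assumed here, only looks for the wildcard proof among authority records rejects the NSD shape.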
