[nsd-users] wildcard+ANY validation issue between NSD and Unbound

Matthijs Mekking matthijs at nlnetlabs.nl
Mon Feb 27 10:36:05 UTC 2012



Hi,

A fix is now available in svn branches/NSD_3_2 and trunk, r3526.
It will be included in the next NSD release 3.2.11.

Best regards,
  Matthijs

On 02/24/2012 02:46 PM, Matthijs Mekking wrote:
> Hi Peter,
> 
> You are right, the wildcard NSEC in the answer section is giving 
> problems. We are working on a fix.
> 
> Thanks for reporting.
> 
> Best regards, Matthijs
> 
> On 02/24/2012 02:35 PM, Peter van Dijk wrote:
>> Hello,
> 
>> On Feb 24, 2012, at 13:12 , Peter van Dijk wrote:
> 
>>> The difference appears to be that in the ANY case, BIND adds:
>>> www.something.wtest.com.	86400	IN	NSEC	wtest.com. A RRSIG NSEC
>>> www.something.wtest.com.	86400	IN	RRSIG	NSEC 5 3 86400  ….
>>>
>>> but as far as I can see, this offers no information not already
>>> offered by:
>>> *.something.wtest.com.	86400	IN	NSEC	wtest.com. A RRSIG NSEC
>>> *.something.wtest.com.	86400	IN	RRSIG	NSEC 5 3 86400
>>>> 
>> This is not the difference that matters. The issue is that NSD
>> puts '*.something.wtest.com NSEC' in the answer section instead
>> of the authority section.
> 
>> According to unbound (and according to my reading of RFC4035),
>> this is okay:
> 
>> ;; QUESTION SECTION:
>> ;www.something.wtest.com.	IN	 ANY
>>
>> ;; ANSWER SECTION:
>> www.something.wtest.com.	3600	IN	A	4.3.2.1
>> www.something.wtest.com.	3600	IN	RRSIG	A 8 3 3600 20120308000000 20120223000000 33955 wtest.com. Cdgl41CONlwN91fMiQV6D1T2/ZaQPArjswqIR5FSnNAdTcfLuADAYJrXmBwdTTtQhfJASkZRidjfdtJOYrCgJC3d1KpeqJWnIf2mLIZtiGVkz9DxoMlXcb8O0U9moOSvPRzoWKyspQrvp6+qIM5BwqifrqbsrzSWTr4PFQehiaA=
>>
>> ;; AUTHORITY SECTION:
>> *.something.wtest.com.	3600	IN	NSEC	wtest.com. A RRSIG NSEC
>> *.something.wtest.com.	3600	IN	RRSIG	NSEC 8 3 3600 20120308000000 20120223000000 33955 wtest.com. BEa33+lxqfRaPw5GsM6g9TwRGcVsgA/t4oK0WMZ/sikQllvOKNfZLvbdJwTN1/yQzYhrl+xqYWuQCvMHEYCztEo9/z29sPxC/4DQrWhFmPVln1kgAPNdNIO50O8KzynbwMRq5WflvlFMrgh3B65l4I0otoqOuh9UUVYF2fGlKf4=
>
>> 
> 
>> While this (from NSD) is not:
> 
>> ;; QUESTION SECTION:
>> ;www.something.wtest.com.	IN	 ANY
>>
>> ;; ANSWER SECTION:
>> *.something.wtest.com.	86400	IN	NSEC	wtest.com. A RRSIG NSEC
>> *.something.wtest.com.	86400	IN	RRSIG	NSEC 5 3 86400 20120323092532 20120224092532 61140 wtest.com. YYV4+Bv6N2VATWSx7RhOJV0PkZuvxwWLk88lU5hXVcJNvqyKkGGlJQXpy19L8ftUZJN+p5nzc+lypH06LFQAmQ==
>> www.something.wtest.com.	3600	IN	A	4.3.2.1
>> www.something.wtest.com.	3600	IN	RRSIG	A 5 3 3600 20120323092532 20120224092532 61140 wtest.com. N0nNjNk2wWpgw8MsSJkWi91L4iAZa3L6bJle4jZ7eSzybTvbmNP5X83db8bxNSErjvACC+QLbMcxg3LICb+msQ==
>>
>> ;; AUTHORITY SECTION:
>> wtest.com.	3600	IN	NS	ns1.wtest.com.
>> wtest.com.	3600	IN	RRSIG	NS 5 2 3600 20120323092532 20120224092532 61140 wtest.com. mIQi6S7OjXL+InBCcUIbHD2Kodt31FN2k7o4jdnHu7l0iTs58TjbiqJoL0DwZBk85NnRD/cLDrARD5X39nq5Qw==
>>
>> ;; ADDITIONAL SECTION:
>> ns1.wtest.com.	3600	IN	A	1.2.3.4
>> ns1.wtest.com.	3600	IN	RRSIG	A 5 3 3600 20120323092532 20120224092532 61140 wtest.com. wO/knqEUrzk2RU4P+MRKAyk0yOmDaidYLYdT64DbmxcZmpU54tanw6rjoNpcMlHnWR/1IVw6/kozTGuTNnD6Yg==
>
>> Kind regards,
>> Peter van Dijk
>> _______________________________________________
>> nsd-users mailing list
>> nsd-users at NLnetLabs.nl
>> http://open.nlnetlabs.nl/mailman/listinfo/nsd-users
> 
> 
> 
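
The section-placement problem discussed in this thread, as an added example that is not part of the original messages or of NSD or Unbound: a small Python check that parses dig-style output and reports records left in the ANSWER section under an unexpanded wildcard owner name. The function names are hypothetical, and the two sample responses are constructed from the records quoted above with the signature data replaced by a placeholder.

```python
def parse_sections(text):
    """Return (qname, {section: [(owner, rrtype, covered_type), ...]})."""
    sections, current, qname = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(";;") and line.endswith("SECTION:"):
            current = line[2:].split()[0]          # QUESTION, ANSWER, ...
            sections[current] = []
        elif current == "QUESTION" and line.startswith(";"):
            qname = line[1:].split()[0].lower()
        elif current and line and not line.startswith(";"):
            f = line.split()                       # owner ttl class type rdata...
            covered = f[4] if f[3] == "RRSIG" else None
            sections[current].append((f[0].lower(), f[3], covered))
    return qname, sections

def misplaced_wildcard_records(text):
    """ANSWER-section records whose owner is still the wildcard, not the qname."""
    qname, sections = parse_sections(text)
    return [r for r in sections.get("ANSWER", [])
            if r[0].startswith("*.") and r[0] != qname]

# Constructed sample: layout the thread reports as validating correctly.
ACCEPTED = """\
;; QUESTION SECTION:
;www.something.wtest.com. IN ANY
;; ANSWER SECTION:
www.something.wtest.com. 3600 IN A 4.3.2.1
www.something.wtest.com. 3600 IN RRSIG A 8 3 3600 20120308000000 20120223000000 33955 wtest.com. SIGPLACEHOLDER
;; AUTHORITY SECTION:
*.something.wtest.com. 3600 IN NSEC wtest.com. A RRSIG NSEC
*.something.wtest.com. 3600 IN RRSIG NSEC 8 3 3600 20120308000000 20120223000000 33955 wtest.com. SIGPLACEHOLDER
"""

# Constructed sample: layout the thread reports as failing validation.
REJECTED = """\
;; QUESTION SECTION:
;www.something.wtest.com. IN ANY
;; ANSWER SECTION:
*.something.wtest.com. 86400 IN NSEC wtest.com. A RRSIG NSEC
*.something.wtest.com. 86400 IN RRSIG NSEC 5 3 86400 20120323092532 20120224092532 61140 wtest.com. SIGPLACEHOLDER
www.something.wtest.com. 3600 IN A 4.3.2.1
www.something.wtest.com. 3600 IN RRSIG A 5 3 3600 20120323092532 20120224092532 61140 wtest.com. SIGPLACEHOLDER
"""

if __name__ == "__main__":
    for name, sample in (("accepted", ACCEPTED), ("rejected", REJECTED)):
        print(name, misplaced_wildcard_records(sample))
```
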



