[Unbound-users] Strange validation errors for proofs of non-existence in .com, .net, .org TLD (is it due to NSEC3 opt-out or I am missing some trust anchor?)
wouter at nlnetlabs.nl
Thu Jan 3 08:01:29 UTC 2013
On 01/02/2013 06:31 PM, Ondrej Mikle wrote:
> i) Something has changed in the com/net/org TLD with the NSEC3
> around 3 months back, probably by setting the opt-out bit on NSEC3
> records or creating more gaps with NSEC3 records that have the
> opt-out bit set. I should have some old scan of .com TLD, but it'll
> take me some time to retrieve it and compare the records.
> ii) Some old version of unbound does not handle this case and sets
> the AD flag (see below).
> I am fairly sure that the com/net/org non-existent validation was
> "working" 3-4 months ago, some other people I asked remember it
> this way, too (I used it quite a lot for testing DNSSEC Validator
> and other SW). I wrote "working" in quotes because I'm not 100%
> sure if it was due to a change in the zones or a bug/missing
> feature in unbound or bind. Though I think bind did validate the
> nonexistent com/net/org domains as well back then.
>> The machine at 220.127.116.11 that sets the AD flag for optout
>> NSEC3 NXDOMAIN fails to implement RFC5155.
> I've just asked admins today and the 18.104.22.168 machine runs
> unbound 1.4.6-1 from Ubuntu Lucid.
So, it is a bug in an older version of unbound, which has already been
fixed (ii)? Ah yes, in 1.4.7 there is this bugfix: Abide RFC5155
section 9.2: no AD flag for replies with NSEC3 optout.
> Does anyone know since when do the com/net/org NSEC3s have the
> opt-out bit set?
The authority servers are not the problem here, the older version of
unbound does not set the AD flag correctly for NXDOMAIN responses with
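Added example (not from this thread, nor from Unbound's or BIND's code): a stdlib-only Python model of the RFC 5155 rule being discussed. It parses NSEC3 RDATA to read the Opt-Out flag, computes NSEC3 hashes (checked against the RFC 5155 Appendix A test vector, salt aabbccdd, 12 iterations), finds the NSEC3 covering the hashed name, and classifies the NXDOMAIN proof as secure, insecure or bogus; an insecure result is exactly the case where, per RFC 5155 section 9.2, a validator must not set the AD flag. The zone records, the name and the helper names are constructed for the example; the classifier is a simplification that treats the queried name as the next-closer name under a known closest encloser (the shape of a nonexistent second-level name under a TLD) and does not verify RRSIGs.

```python
"""Model of RFC 5155 NSEC3 opt-out handling for NXDOMAIN proofs (added example).

Constructed data: the NSEC3 "zone" below is made up; only the RFC 5155
Appendix A hash vector is real.
"""
import base64
import hashlib
import struct

NSEC3_OPT_OUT = 0x01  # Flags bit 0, RFC 5155 section 3.1.2.1

_B32_TO_B32HEX = str.maketrans(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV")
_B32HEX_TO_B32 = str.maketrans(
    "0123456789ABCDEFGHIJKLMNOPQRSTUV", "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567")


def name_to_wire(name: str) -> bytes:
    """Canonical wire form: lower-cased, length-prefixed labels, root terminator."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 section 5: SHA-1(x || salt), re-hashed `iterations` times, base32hex."""
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()


def parse_nsec3_rdata(rdata: bytes) -> dict:
    """Parse NSEC3 RDATA (RFC 5155 section 3.2); type bitmaps are kept raw."""
    algorithm, flags, iterations, salt_len = struct.unpack("!BBHB", rdata[:5])
    pos = 5
    salt = rdata[pos:pos + salt_len]
    pos += salt_len
    hash_len = rdata[pos]
    pos += 1
    next_raw = rdata[pos:pos + hash_len]
    pos += hash_len
    next_hash = base64.b32encode(next_raw).decode("ascii").translate(_B32_TO_B32HEX).lower()
    return {"algorithm": algorithm, "flags": flags, "opt_out": bool(flags & NSEC3_OPT_OUT),
            "iterations": iterations, "salt": salt, "next_hash": next_hash,
            "type_bitmaps": rdata[pos:]}


def make_nsec3_rdata(flags: int, iterations: int, salt: bytes, next_hash: str,
                     types: bytes = b"") -> bytes:
    """Build NSEC3 RDATA (hash algorithm 1 = SHA-1) for the constructed records."""
    raw = base64.b32decode(next_hash.upper().translate(_B32HEX_TO_B32))
    return (struct.pack("!BBHB", 1, flags, iterations, len(salt)) + salt
            + bytes([len(raw)]) + raw + types)


def covers(owner_hash: str, next_hash: str, target_hash: str) -> bool:
    """True if target lies strictly between owner and next on the hash ring.
    The last record of a zone has owner > next and wraps around to the first."""
    if owner_hash < next_hash:
        return owner_hash < target_hash < next_hash
    return target_hash > owner_hash or target_hash < next_hash


def classify_nxdomain_proof(qname: str, nsec3_records: list, salt: bytes,
                            iterations: int) -> str:
    """Simplified RFC 5155 section 8.4 outcome for a name-error proof.

    nsec3_records: (owner_hash, rdata_bytes) pairs from the authority section.
    Returns "secure", "insecure" (covering NSEC3 has Opt-Out set) or "bogus".
    Assumption of this example: qname is the next-closer name; the closest
    encloser match, wildcard cover and RRSIG checks of a real validator are omitted.
    """
    target = nsec3_hash(qname, salt, iterations)
    for owner_hash, rdata in nsec3_records:
        rr = parse_nsec3_rdata(rdata)
        if rr["salt"] != salt or rr["iterations"] != iterations:
            continue  # different NSEC3 parameters: unusable for this proof
        if covers(owner_hash.lower(), rr["next_hash"], target):
            return "insecure" if rr["opt_out"] else "secure"
    return "bogus"


def ad_flag_allowed(outcome: str) -> bool:
    """RFC 5155 section 9.2: AD may be set only when the response is Secure."""
    return outcome == "secure"
```

The 1.4.6 behaviour described in the thread corresponds to returning "secure" for a covering record whose Opt-Out bit is set; the section 9.2 fix is the `"insecure" if rr["opt_out"]` branch, which keeps AD off even though the NSEC3 chain itself validates.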