validating nxdomain for subdomains of data-less labels in auth-zone

Michael Tokarev mjt at tls.msk.ru
Tue Nov 8 19:01:23 UTC 2022


Hello!

I'm not sure about the right wording used in $subject, but here is the issue;
let me describe it.

auth-zone:
  name:     "dom"
  primary:  <primary-ip>
  zonefile: "dom.cached"
  for-downstream: no

With this config, and with "dom" containing the following
3 records (+ all the right DNSSEC ones):

  a.x A 127.0.0.1
  y   A 127.0.0.1
  b.y A 127.0.0.1

A query for foo.y.dom (non-existing) returns NXDOMAIN, but
a query for foo.x.dom (also non-existing) returns TEMPFAIL,
with the following in the log:

   unbound: [73699:0] debug: NameError response has failed to prove: covering wildcard does not exist
   unbound: [73699:0] debug: NODATA response failed to prove NODATA status with NSEC/NSEC3
   unbound: [73699:0] info: validate(nxdomain): sec_status_bogus

(with much other debugging info omitted).

The difference between foo.x.dom and foo.y.dom is that the
intermediate label in the first case (x.dom) does not have its
own records, while in the second case (y.dom) it does have an
A record. So for any subdomain of a label which exists but does
not have its own records, unbound fails to validate
NXDOMAIN.

This smells like wrong behavior?

Thanks!

/mjt
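As an added illustration (not code from the original post or from Unbound), here is a small NSEC NXDOMAIN proof checker over the zone in the message. It shows that the closest encloser for foo.x.dom, x.dom, exists only as an empty non-terminal implied by the NSEC at a.x.dom, which a validator must handle differently from y.dom, a name with its own records. It assumes a plain NSEC chain (not NSEC3) and that the apex plus the three A-record names are the only names owning RRsets.

```python
import functools

def labels(name):
    """Labels from the root inward, lowercased: 'a.x.dom' -> ['dom', 'x', 'a']."""
    return [l.lower() for l in name.rstrip(".").split(".")][::-1]

def canon_cmp(a, b):
    """RFC 4034 section 6.1 canonical name order: compare label by label from the right."""
    la, lb = labels(a), labels(b)
    for x, y in zip(la, lb):
        if x != y:
            return -1 if x.encode() < y.encode() else 1
    return (len(la) > len(lb)) - (len(la) < len(lb))

def is_ancestor(anc, name):
    la, ln = labels(anc), labels(name)
    return len(la) < len(ln) and ln[:len(la)] == la

def nsec_chain(names):
    """(owner, next) pairs in canonical order; the last NSEC wraps back to the apex."""
    s = sorted(names, key=functools.cmp_to_key(canon_cmp))
    return [(s[i], s[(i + 1) % len(s)]) for i in range(len(s))]

def covers(nsec, name):
    """True if NAME sorts strictly between owner and next (handles the wrap-around NSEC)."""
    owner, nxt = nsec
    if canon_cmp(owner, nxt) < 0:
        return canon_cmp(owner, name) < 0 and canon_cmp(name, nxt) < 0
    return canon_cmp(owner, name) < 0 or canon_cmp(name, nxt) < 0

def prove_nxdomain(qname, chain):
    """NSEC NXDOMAIN proof (RFC 4035 section 5.4): the closest encloser must exist,
    and NSECs must cover both the next closer name and the wildcard at the encloser.
    An empty non-terminal such as x.dom exists only implicitly, as an ancestor of an
    NSEC owner (a.x.dom); that is the case the message reports as failing."""
    lq = labels(qname)
    for n in range(len(lq) - 1, 0, -1):
        ce = ".".join(lq[:n][::-1])
        if any(o == ce or is_ancestor(ce, o) for o, _ in chain):
            break
    else:
        return False, "no closest encloser"
    next_closer = ".".join(lq[:n + 1][::-1])
    for name in (next_closer, "*." + ce):
        if not any(covers(ns, name) for ns in chain):
            return False, name + " not covered"
    kind = "empty non-terminal" if all(o != ce for o, _ in chain) else "has records"
    return True, f"closest encloser {ce} ({kind})"

# Constructed from the three A records in the message plus the apex.
ZONE_NAMES = ["dom", "a.x.dom", "y.dom", "b.y.dom"]
```

Running prove_nxdomain("foo.x.dom", nsec_chain(ZONE_NAMES)) succeeds with x.dom reported as an empty non-terminal, while an existing name such as a.x.dom correctly fails the proof because no NSEC covers it.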
