validating nxdomain for subdomains of data-less labels in auth-zone

George (Yorgos) Thessalonikefs
Fri Nov 11 11:31:50 UTC 2022

Hi Michael,

Without having anything specific to look at I would guess that Unbound 
is doing the right thing and that the signing part is not properly 
creating NSEC/NSEC3 for the Empty Non Terminal 'x.dom.'.

Best regards,
-- Yorgos

On 08/11/2022 20:01, Michael Tokarev via Unbound-users wrote:
> Hello!
> I'm not sure of the right wording to use in $subject, but the issue is here,
> let me describe it.
> auth-zone:
>   name:     "dom"
>   primary:  <primary-ip>
>   zonefile: "dom.cached"
>   for-downstream: no
> With this config, and with "dom" containing the following
> 3 records (+ all the right DNSSEC ones):
>   a.x A
>   y   A
>   b.y A
> query for foo.y.dom (non-existing) returns NXDOMAIN, but
> query for foo.x.dom (also non-existing) returns TEMPFAIL,
> with the following in the log:
>    unbound: [73699:0] debug: NameError response has failed to prove: covering wildcard does not exist
>    unbound: [73699:0] debug: NODATA response failed to prove NODATA status with NSEC/NSEC3
>    unbound: [73699:0] info: validate(nxdomain): sec_status_bogus
> (with many other debugging info omitted).
> The difference between foo.x.dom and foo.y.dom is that the
> intermediate label in the first case (x.dom) does not have its
> own records, while in the second case (y.dom) does have an
> A record. So for any subdomain of a label which does not have
> its own records but which exists, unbound fails to validate.
> This smells like wrong behavior?
> Thanks!
> /mjt
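An added example, not from the thread or from Unbound's own code: a small Python model of RFC 4034 canonical ordering and of the two NSEC records a validator needs before it accepts an NXDOMAIN, using a constructed copy of the zone from the report. It models NSEC only; under NSEC3 (RFC 5155) the empty non-terminal x.dom gets its own NSEC3 record, and a signer that omits it produces exactly the kind of unprovable denial Yorgos suspects.

```python
# Constructed model of the zone from the report: apex "dom", data at a.x.dom,
# y.dom and b.y.dom; x.dom exists only as an empty non-terminal (ENT).
APEX = "dom"
OWNERS = ["a.x.dom", "y.dom", "b.y.dom"]

def canon_key(name):
    """RFC 4034 section 6.1 canonical ordering: labels compared right to left."""
    return tuple(reversed(name.lower().encode().split(b".")))

def existing_names(apex, owners):
    """Every name that exists in the zone, ENTs included (x.dom here)."""
    names = {apex}
    for owner in owners:
        labels = owner.split(".")
        names.update(".".join(labels[i:]) for i in range(len(labels)))
    return names

def nsec_chain(apex, owners):
    """NSEC chain as a signer emits it: only names with data get an NSEC, ENTs do not."""
    names = sorted({apex, *owners}, key=canon_key)
    return [(n, names[(i + 1) % len(names)]) for i, n in enumerate(names)]

def nsec_covers(owner, nxt, name):
    """True if `name` falls strictly between owner and next in canonical order."""
    o, n, q = canon_key(owner), canon_key(nxt), canon_key(name)
    if n <= o:            # last NSEC wraps around to the apex
        return q > o or q < n
    return o < q < n

def closest_encloser(qname, names):
    """Longest existing ancestor of qname; an ENT counts as existing."""
    labels = qname.split(".")
    return next(".".join(labels[i:]) for i in range(1, len(labels))
                if ".".join(labels[i:]) in names)

def nxdomain_proof(apex, owners, qname, response=None):
    """Return (NSEC covering qname, NSEC covering the wildcard at the closest
    encloser) taken from `response` (default: the whole chain), or None when
    the denial cannot be proven with the records available, which is the
    condition Unbound logs as 'covering wildcard does not exist'."""
    names = existing_names(apex, owners)
    if qname in names:
        return None                      # name exists, NXDOMAIN would be wrong
    records = response if response is not None else nsec_chain(apex, owners)
    wildcard = "*." + closest_encloser(qname, names)
    cover = [r for r in records if nsec_covers(*r, qname)]
    wc = [r for r in records if nsec_covers(*r, wildcard)]
    return (cover[0], wc[0]) if cover and wc else None
```

Passing only the NSEC that covers foo.x.dom as `response` (without the apex NSEC that covers *.x.dom) makes the proof fail, which is the shape of the failure in the log above.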
