validating nxdomain for subdomains of data-less labels in auth-zone
George (Yorgos) Thessalonikefs
george at nlnetlabs.nl
Fri Nov 11 11:31:50 UTC 2022
Hi Michael,
Without having anything specific to look at, I would guess that Unbound
is doing the right thing and that the signing part is not properly
creating NSEC/NSEC3 for the Empty Non-Terminal 'x.dom.'.
Best regards,
-- Yorgos
On 08/11/2022 20:01, Michael Tokarev via Unbound-users wrote:
> Hello!
>
> I'm not sure about the right wording used in $subject, but the issue is as
> follows; let me describe it.
>
> auth-zone:
>     name: "dom"
>     primary: <primary-ip>
>     zonefile: "dom.cached"
>     for-downstream: no
>
> With this config, and with "dom" containing the following
> 3 records (+ all the right DNSSEC ones):
>
> a.x A 127.0.0.1
> y A 127.0.0.1
> b.y A 127.0.0.1
>
> a query for foo.y.dom (non-existent) returns NXDOMAIN, but
> a query for foo.x.dom (also non-existent) returns TEMPFAIL,
> with the following in the log:
>
> unbound: [73699:0] debug: NameError response has failed to prove:
> covering wildcard does not exist
> unbound: [73699:0] debug: NODATA response failed to prove NODATA
> status with NSEC/NSEC3
> unbound: [73699:0] info: validate(nxdomain): sec_status_bogus
>
> (with many other debugging info omitted).
>
> The difference between foo.x.dom and foo.y.dom is that the
> intermediate label in the first case (x.dom) does not have its
> own records, while in the second case (y.dom) it does have an
> A record. So for any subdomain of a label which does not have
> its own records but which exists, unbound fails to validate
> NXDOMAIN.
>
> This smells like wrong behavior?
>
> Thanks!
>
> /mjt
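The thread turns on what a validator needs to see before it accepts an NXDOMAIN for a name below an empty non-terminal. The script below is an added, constructed example written for this page; it is not Unbound's validator code, and it models the NSEC case only (under NSEC an ENT such as x.dom has no NSEC of its own and is denied purely by canonical-order coverage; under NSEC3, RFC 5155 section 7.1 requires a separate NSEC3 for every ENT, which is the gap Yorgos suspects and which this code does not model). It builds the NSEC chain for the four owner names from the thread's zone, selects the records an authoritative side would return, and runs the two checks a validator performs (RFC 4035 section 5.4): an NSEC covering QNAME and an NSEC covering the wildcard at the closest encloser. The zone names, the TEMPFAIL/bogus outcome reproduced at the end, and all function names are assumptions for the illustration.

```python
"""NSEC-based NXDOMAIN proof checker (constructed example, not Unbound's code).

Zone from the thread: apex 'dom' with a.x.dom, y.dom and b.y.dom. x.dom is an
empty non-terminal (ENT): it exists only because a.x.dom does, owns no RRs and,
under NSEC, gets no NSEC record of its own.
"""


def labels(name):
    """Lower-cased labels, root-first, so tuple comparison gives the
    RFC 4034 section 6.1 canonical ordering (ancestor sorts before child)."""
    return tuple(l.encode().lower() for l in reversed(name.rstrip('.').split('.')))


def build_nsec_chain(owner_names):
    """Signer side: one NSEC per owner name that has RRs, in canonical order.
    The last NSEC points back to the apex; ENTs get no entry."""
    owners = sorted(owner_names, key=labels)
    return [(owners[i], owners[(i + 1) % len(owners)]) for i in range(len(owners))]


def nsec_covers(nsec, name):
    """True if name sorts strictly between the NSEC owner and its next name."""
    owner, nxt = nsec
    k, ko, kn = labels(name), labels(owner), labels(nxt)
    if ko < kn:
        return ko < k < kn
    return k > ko or k < kn  # last NSEC in the chain wraps around to the apex


def closest_encloser(qname, nsec):
    """Longest common ancestor of qname and the NSEC owner or its next name,
    whichever is longer; this is how validators derive the closest encloser
    from the NSEC that covers qname."""
    q, best = labels(qname), ()
    for n in nsec:
        other, i = labels(n), 0
        while i < min(len(q), len(other)) and q[i] == other[i]:
            i += 1
        if i > len(best):
            best = q[:i]
    return '.'.join(l.decode() for l in reversed(best))


def select_nsecs(chain, qname):
    """Authoritative side: the NSECs a validator needs for an NXDOMAIN of qname."""
    cover = next(n for n in chain if nsec_covers(n, qname))
    wild = next(n for n in chain if nsec_covers(n, "*." + closest_encloser(qname, cover)))
    return [cover] + ([wild] if wild != cover else [])


def validate_nxdomain(response_nsecs, qname):
    """Validator side: NXDOMAIN is secure only if (1) some NSEC covers qname and
    (2) some NSEC covers the wildcard at the closest encloser."""
    covering = [n for n in response_nsecs if nsec_covers(n, qname)]
    if not covering:
        return {"status": "bogus", "reason": f"no NSEC covers {qname}"}
    ce = closest_encloser(qname, covering[0])
    wildcard = "*." + ce
    wild = [n for n in response_nsecs if nsec_covers(n, wildcard)]
    if not wild:
        return {"status": "bogus",
                "reason": f"covering wildcard does not exist: no NSEC covers {wildcard}"}
    return {"status": "secure", "closest_encloser": ce,
            "qname_nsec": covering[0][0], "wildcard_nsec": wild[0][0]}


# Constructed zone contents; x.dom is an ENT and therefore not an owner name.
ZONE_OWNERS = ["dom", "a.x.dom", "y.dom", "b.y.dom"]
CHAIN = build_nsec_chain(ZONE_OWNERS)

if __name__ == "__main__":
    for q in ("foo.x.dom", "foo.y.dom"):
        print(q, validate_nxdomain(select_nsecs(CHAIN, q), q))
    # A response carrying only the NSEC that covers foo.x.dom, without the apex
    # NSEC (dom -> a.x.dom) that denies *.x.dom, fails on the wildcard check.
    print("foo.x.dom", validate_nxdomain([("a.x.dom", "y.dom")], "foo.x.dom"))
```

The run shows the asymmetry Michael observed: for foo.y.dom the wildcard *.y.dom is denied by the NSEC owned by the closest encloser itself (y.dom), whereas for foo.x.dom the closest encloser x.dom owns no NSEC and *.x.dom is denied only by the apex NSEC dom -> a.x.dom. Any side that omits that apex record from the answer leaves the validator with exactly the "covering wildcard does not exist" failure from the log; which component omitted it in Michael's setup is not something this example can tell.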