On Oct 23, 2012, at 4:08 AM, Stephane Bortzmeyer <bortzme...@nic.fr> wrote:
> It may be a bug in BIND and it is certainly a bug in the zone
> pcextreme.nl.
>
> BIND validating resolvers are unable to get the IP address of
> v1.pcextreme.nl.
>
> I believe this is because of the strange NSEC:
>
> tools-newerst.pcextreme.nl. 2315 IN NSEC v2.pcextreme.nl. AAAA RRSIG NSEC
>
> which says there is nothing between tools-newerst.pcextreme.nl and
> v2.pcextreme.nl (and therefore no v1).
>
> This is inconsistent since there are also A and AAAA records for
> v1.pcextreme.nl.
>
> I tested with a BIND and an Unbound, as well as with ODVR
> <https://www.dns-oarc.net/oarc/services/odvr>. Apparently BIND always
> fails and Unbound always succeeds, probably because Unbound is happy
> with the A record but BIND uses the (unvalidated, since there is no DS
> in the parent) NSEC to disprove the domain name.
>
> So, the zone signature system at pcextreme.nl seems broken.

So, we seem to see a fair number of distinctly "odd" DNSSEC zones -- what I'm wondering is how / why.

Presumably the operators of pcextreme.nl. didn't sign their zone by hand ("All them sums are hard!"), so how does this actually happen?

1: They rolled their own signer?
2: They are using something well known that happened to fail in some odd way?
3: They cut-n-pasted the signed rrset from another signed zonefile, not realizing that nsec makes a hole?

My guess is on #3, what do others think?

W

> But is
> BIND right to send back NXDOMAIN? RFC 4035, section 5.4 is not obvious
> here.
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>

--
"I think it would be a good idea."
- Mahatma Gandhi, when asked what he thought of Western civilization
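
As an added illustration (not part of either post), the Python sketch below applies the canonical name ordering of RFC 4034, section 6.1 to the NSEC record quoted above and reports names that own records yet fall inside the gap that NSEC declares empty. The function names are hypothetical, and it assumes plain ASCII labels with no escaped characters.

```python
# Added example: NSEC coverage check using canonical DNS name order
# (RFC 4034, section 6.1). Assumes ASCII labels with no escaped characters.

def canonical_key(name):
    """Sort key: lowercase labels compared right to left, as raw bytes."""
    labels = name.rstrip(".").lower().split(".")
    return [label.encode("ascii") for label in reversed(labels)]

def nsec_covers(owner, next_name, qname):
    """True if the NSEC owner -> next_name asserts that qname does not exist."""
    o, n, q = (canonical_key(x) for x in (owner, next_name, qname))
    if o < n:
        return o < q < n
    # The last NSEC in a zone points back to the apex, so the interval wraps.
    return q > o or q < n

def find_contradictions(nsecs, owner_names):
    """Return (nsec_owner, nsec_next, name) for names that own records
    yet sit inside a gap some NSEC declares empty."""
    hits = []
    for owner, next_name in nsecs:
        for name in owner_names:
            if nsec_covers(owner, next_name, name):
                hits.append((owner, next_name, name))
    return hits

# NSEC record and owner names as reported in the quoted message.
NSECS = [("tools-newerst.pcextreme.nl.", "v2.pcextreme.nl.")]
OWNER_NAMES = [
    "tools-newerst.pcextreme.nl.",
    "v1.pcextreme.nl.",   # has A and AAAA records according to the report
    "v2.pcextreme.nl.",
]

if __name__ == "__main__":
    for owner, next_name, name in find_contradictions(NSECS, OWNER_NAMES):
        print(f"{name} has records but NSEC {owner} -> {next_name} denies it")
```

Running the same comparison over the owner names and NSEC chain of a freshly signed zone, before publishing it, catches this kind of hole regardless of which of the three causes produced it.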