Dear all,

BIND9 (and not Unbound, PowerDNS Recursor, Google Public DNS) is failing to validate the following non-existent domain name:

dig @184.105.193.73 ABCD._openpgpkey.posteo.de A +dnssec

; <<>> DiG 9.8.3-P1 <<>> @184.105.193.73 ABCD._openpgpkey.posteo.de A +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 27284
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;ABCD._openpgpkey.posteo.de. IN A

;; Query time: 3549 msec
;; SERVER: 184.105.193.73#53(184.105.193.73)
;; WHEN: Tue Oct 11 10:58:45 2016
;; MSG SIZE rcvd: 55

The above test has been done on the DNS-OARC [1] open resolver, but I get the same result on my local BIND9.

[1] https://www.dns-oarc.net/oarc/services/odvr

I believe the reason for the validation error for the above domain name is an obsolete NSEC3 record from the authoritative name server of _openpgpkey.posteo.de:

dig @185.67.36.41 ABCD._openpgpkey.posteo.de ANY +dnssec
;; Truncated, retrying in TCP mode.

; <<>> DiG 9.8.3-P1 <<>> @185.67.36.41 ABCD._openpgpkey.posteo.de ANY +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 751
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;ABCD._openpgpkey.posteo.de. IN ANY

;; AUTHORITY SECTION:
_openpgpkey.posteo.de. 300 IN SOA ns01a.posteo-dns.de. hostmaster.posteo.de. 1476148232 7200 1800 3542400 3600
_openpgpkey.posteo.de. 300 IN RRSIG SOA 8 3 300 20161020000000 20160929000000 39156 _openpgpkey.posteo.de. mtJ6uTTodTwWtl8k7COvcXRAPBqE1X3mZHMSU7vaaXy84uAucNIAncT+ 9+e9rn0CcKhG+iOe9YWXPQe3dbzv08IAd3NjvwipE6sasIqFbV3rag6K gbYJPSXcVKL6qI+LQaIgf1hT+J+IbfwiJOFz+VH4/ydGvgOnx2fhcYHe GJNbMtRxgzewgRvP/3wplJi9K5g4fteE0AL37Iv622XU5j0HeySVondg WL8Qd2Q9PVzqFNo2RRft11uo4m42iwNVDoaeJW1tv17K0KtZ2YhGkvOy 1o7D0PiY16/qYimjIacHrQddQ0urO/81Hu6L3iSwDGHCQc53lh259l+u OCiIzg==
4aibkdjvtss07hsoloi1fslaf8p9uo5p._openpgpkey.posteo.de. 3600 IN NSEC3 1 0 250 1163B90DC54B41E0 U8Q7VA83M9L20BMQQS8DMRS75CC5B6C2 NS SOA RRSIG DNSKEY NSEC3PARAM
4aibkdjvtss07hsoloi1fslaf8p9uo5p._openpgpkey.posteo.de. 3600 IN RRSIG NSEC3 8 4 3600 20161020000000 20160929000000 39156 _openpgpkey.posteo.de. liJ1qtI+iQxHNPsdtS4X7hKnRDqiXqR3Cwhhb5L0hgu1Lrlqsr2Wn0yI Gh9R7IP5Fuq6zEG3EpiWWxGhrTbsIZFZoOxNxA6GkjjEDShUZgTQw0T8 MhtlBylcrkNr0vRSoUPMxMh7iAYaldBpRGcrbQTGbygtzyqdQuFhM5cP OvrRHrK7Ajs561me4Da3NPGdkTPFMd38bCU0zeyH1585t8SKCc1SdZt9 fdx4g4+pK/slv1yeTSA9iZ8QeL1bSdDqI4BTzgSpqlJ+eUn41C/P1SLf yOdLqz9f/580W3/66lSJ70SiaJwySJKLBlYTAW57+0xCea5MTxAkD016 j4Nl/g==
u8q7va83m9l20bmqqs8dmrs75cc5b6c2._openpgpkey.posteo.de. 3600 IN NSEC3 1 0 250 1163B90DC54B41E0 U8Q7VA83M9L20BMQQS8DMRS75CC5B6C2 NS SOA RRSIG DNSKEY NSEC3PARAM
u8q7va83m9l20bmqqs8dmrs75cc5b6c2._openpgpkey.posteo.de. 3600 IN RRSIG NSEC3 8 4 3600 20161020000000 20160929000000 39156 _openpgpkey.posteo.de. Z0GoiBrWk9prhWLMZlZReKvDJEAt3UIxdW1qA7IMAWCv+5ahCwsM1IFG 5p1jPR4QSKwBDuB9ypYsNQMhtATN1EsieCxfwfWJbbUeHuJXD48EFIYl ccHI40Ez6HNleF1nUlVCnme7+yW8JotS5cD6ojyiG8huuUOA0wrTs/bx U28jvPVfuPpt9ZPZuehfp7A1HOq4IlK32LtAqPWJQ/Cve0DWKuv/HQOv uAKenko9j+pFN8N4s61j9TC7ebFTNwD0QXhinvQ1aU1O5DrNj4PFb7ON 8CgApOtU36Fj1cXgt2ZeCqAWF+5Jahtefz6CJnedpVfxq4ohWAyhXf6Z ho+OjA==

;; Query time: 36 msec
;; SERVER: 185.67.36.41#53(185.67.36.41)
;; WHEN: Tue Oct 11 10:51:28 2016
;; MSG SIZE rcvd: 1222

The last NSEC3 record seems rather strange to me:

u8q7va83m9l20bmqqs8dmrs75cc5b6c2._openpgpkey.posteo.de. 3600 IN NSEC3 1 0 250 1163B90DC54B41E0 U8Q7VA83M9L20BMQQS8DMRS75CC5B6C2 NS SOA RRSIG DNSKEY NSEC3PARAM

That looks like a loop! Apart from that, the first NSEC3 record already proved that the domain does not exist. I'm not entirely sure this is the reason BIND9 fails to validate this record. However, given that other recursive name servers resolve this domain name, I'm wondering if BIND9 is validating too strictly?

Thank you,
Daniel

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
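The following is an added example, not code from Daniel's message, from BIND or from Posteo: a small standard-library Python checker for the arithmetic behind the question above. It recomputes NSEC3 hashes as RFC 5155 section 5 specifies (SHA-1, i.e. hash algorithm 1 as the quoted records show, with the zone's salt and iteration count), tests whether a hashed name is "covered" by an NSEC3 record (owner < hash < next, with wrap-around at the end of the chain), and flags the two oddities visible in the quoted AUTHORITY SECTION: a record whose next hashed owner equals its own owner even though another NSEC3 record exists, and two records naming the same next hashed owner, which means the chain is not a single cycle. Assumptions: the salt 1163B90DC54B41E0, the iteration count 250 and the two (owner, next) pairs are copied from the records quoted above; the hash of ABCD._openpgpkey.posteo.de is computed at run time and is not stated anywhere in the post; the self-test vector is the apex hash from RFC 5155 Appendix A (zone "example", salt aabbccdd, 12 iterations). The checker looks only at the covering step of a name-error proof; it does not verify RRSIGs, the closest-encloser match or the wildcard proof that a validator such as BIND also requires.

```python
# Added example (not part of Daniel's post): NSEC3 sanity checks with the stdlib only.
import hashlib

B32HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV"  # RFC 4648 base32hex alphabet

# Values copied from the NSEC3 records quoted in the post: salt, iterations and
# (owner hash, next hashed owner) pairs from the AUTHORITY SECTION.
POSTEO_SALT = "1163B90DC54B41E0"
POSTEO_ITERATIONS = 250
POSTEO_RECORDS = [
    ("4aibkdjvtss07hsoloi1fslaf8p9uo5p", "U8Q7VA83M9L20BMQQS8DMRS75CC5B6C2"),
    ("u8q7va83m9l20bmqqs8dmrs75cc5b6c2", "U8Q7VA83M9L20BMQQS8DMRS75CC5B6C2"),
]


def name_to_wire(name):
    """Canonical wire form: lowercase labels, each length-prefixed, then the root label."""
    out = bytearray()
    for label in name.rstrip(".").lower().split("."):
        if label:
            raw = label.encode("ascii")
            out.append(len(raw))
            out += raw
    out.append(0)
    return bytes(out)


def b32hex(data):
    """Base32hex without padding; a 20-byte SHA-1 digest yields exactly 32 characters."""
    bits = "".join(f"{b:08b}" for b in data)
    usable = len(bits) - len(bits) % 5
    return "".join(B32HEX[int(bits[i:i + 5], 2)] for i in range(0, usable, 5))


def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 section 5: SHA-1(name || salt), then SHA-1(digest || salt) `iterations` more times."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return b32hex(digest)


def covers(hashed, owner, nxt):
    """True if `hashed` lies strictly between owner and next (wrapping at the end of the chain)."""
    h, o, n = hashed.upper(), owner.upper(), nxt.upper()
    if o < n:
        return o < h < n
    # o >= n: this is the last record, wrapping round to the first. When o == n
    # the zone has a single name and the record covers every hash except its own.
    return h != o and (h > o or h < n)


def check_chain(records):
    """Return human-readable findings about a list of (owner, next) NSEC3 pairs."""
    findings = []
    pairs = [(o.upper(), n.upper()) for o, n in records]
    for o, n in pairs:
        if o == n and len(pairs) > 1:
            findings.append(f"self-loop: {o} points to itself although "
                            f"{len(pairs) - 1} other NSEC3 record(s) were seen")
    seen_next = {}
    for o, n in pairs:
        if n in seen_next:
            findings.append(f"broken chain: both {seen_next[n]} and {o} name {n} as next hashed owner")
        else:
            seen_next[n] = o
    return findings


def nxdomain_check(qname, records, salt_hex, iterations):
    """Hash `qname` and list the owner hashes of every record that covers it."""
    h = nsec3_hash(qname, salt_hex, iterations)
    covering = [o.upper() for o, n in records if covers(h, o, n)]
    return h, covering


if __name__ == "__main__":
    for finding in check_chain(POSTEO_RECORDS):
        print("finding:", finding)
    h, covering = nxdomain_check("ABCD._openpgpkey.posteo.de", POSTEO_RECORDS,
                                 POSTEO_SALT, POSTEO_ITERATIONS)
    print(f"H(ABCD._openpgpkey.posteo.de) = {h}; covered by: {covering or 'nothing'}")
```

Run stand-alone, the script prints the two chain findings for the quoted records and then which of them covers the hashed query name. Because a validator must find a consistent chain before it can trust any covering record, the chain findings are the interesting output here, whichever record turns out to cover the name.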