Interesting observation Puneet, thank you. I'm bringing this up internally within Route 53 so we can take a look.
Gavin

On Mon, Jun 21, 2021 at 4:55 PM Puneet Sood via dns-operations <dns-operati...@dns-oarc.net> wrote:
>
> ---------- Forwarded message ----------
> From: Puneet Sood <pune...@google.com>
> To: dns-operations <dns-operati...@dns-oarc.net>
> Cc:
> Bcc:
> Date: Mon, 21 Jun 2021 19:45:44 -0400
> Subject: Inconsistent NSEC response for unsigned zone from AWS
>
> Hello dnssec experts,
>
> I am noticing an inconsistent NSEC response in a delegation. Depending
> on the RR type specified in the query, the response includes NS in the
> set of RR types in the NSEC RR proving the absence of the <name>/DS
> record. Is the behavior below within what nameservers can return?
> Ideally all cases would list the NS RR type in the NSEC record.
>
> I suspect the absence of NS in the NSEC is confusing our NSEC checking
> logic. Validation is working correctly but in a suboptimal fashion.
>
> **** Example domain: corp.ibexglobal.com
>
> $ dig ns corp.ibexglobal.com +short
> ns-1415.awsdns-48.org.
> ns-1804.awsdns-33.co.uk.
> ns-29.awsdns-03.com.
> ns-945.awsdns-54.net.
>
> **** With type NS, NS not included in NSEC RR.
>
> $ dig corp.ibexglobal.com -t NS +dnssec +nocrypto +nocomment @ns-725.awsdns-26.net.
>
> ;corp.ibexglobal.com. IN NS
> corp.ibexglobal.com. 172800 IN NS ns-1415.awsdns-48.org.
> corp.ibexglobal.com. 172800 IN NS ns-1804.awsdns-33.co.uk.
> corp.ibexglobal.com. 172800 IN NS ns-29.awsdns-03.com.
> corp.ibexglobal.com. 172800 IN NS ns-945.awsdns-54.net.
> corp.ibexglobal.com. 86400 IN NSEC \000.corp.ibexglobal.com. RRSIG NSEC
> corp.ibexglobal.com. 86400 IN RRSIG NSEC 13 3 86400 20210623002754 20210621222754 36517 ibexglobal.com. [omitted]
>
> **** With type DS or A, NS included in NSEC RR.
>
> $ dig corp.ibexglobal.com -t A +dnssec +nocrypto +nocomment @ns-725.awsdns-26.net.
>
> ;corp.ibexglobal.com. IN A
> corp.ibexglobal.com. 172800 IN NS ns-1415.awsdns-48.org.
> corp.ibexglobal.com. 172800 IN NS ns-1804.awsdns-33.co.uk.
> corp.ibexglobal.com. 172800 IN NS ns-29.awsdns-03.com.
> corp.ibexglobal.com. 172800 IN NS ns-945.awsdns-54.net.
> corp.ibexglobal.com. 86400 IN NSEC \000.corp.ibexglobal.com. NS RRSIG NSEC
> corp.ibexglobal.com. 86400 IN RRSIG NSEC 13 3 86400 20210623002809 20210621222809 36517 ibexglobal.com. [omitted]
>
> $ dig corp.ibexglobal.com -t DS +dnssec +nocrypto +nocomment @ns-725.awsdns-26.net.
>
> ;corp.ibexglobal.com. IN DS
> ibexglobal.com. 900 IN SOA ns-380.awsdns-47.com. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
> ibexglobal.com. 900 IN RRSIG SOA 13 2 900 20210622004320 20210621222820 36517 ibexglobal.com. [omitted]
> corp.ibexglobal.com. 86400 IN NSEC \000.corp.ibexglobal.com. NS RRSIG NSEC
> corp.ibexglobal.com. 86400 IN RRSIG NSEC 13 3 86400 20210623002820 20210621222820 36517 ibexglobal.com. [omitted]
>
> Thanks,
> Puneet
>
>
> ---------- Forwarded message ----------
> From: Puneet Sood via dns-operations <dns-operati...@dns-oarc.net>
> To: dns-operations <dns-operati...@dns-oarc.net>
> Cc:
> Bcc:
> Date: Mon, 21 Jun 2021 19:45:44 -0400
> Subject: [dns-operations] Inconsistent NSEC response for unsigned zone from AWS
> _______________________________________________
> dns-operations mailing list
> dns-operations@lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
_______________________________________________ dns-operations mailing list dns-operations@lists.dns-oarc.net https://lists.dns-oarc.net/mailman/listinfo/dns-operations
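The inconsistency Puneet reports is in the NSEC type bit map (RFC 4034 section 4.1.2): the bit map is meant to describe which RRsets exist at the owner name, and at a delegation point the parent zone holds the NS RRset, so a resolver expects the NS bit when it uses the NSEC to prove that no DS exists (RFC 4035 section 2.3 also requires every NSEC in a signed zone to list NSEC and RRSIG). The following is an added example, not code from the thread, from Route 53 or from Google's resolver: it encodes and decodes the wire-format type bit map and runs a delegation-point check over the three bit maps transcribed from the dig output above. The type-code table is limited to the types that appear in this thread; anything else is handled as TYPEnnn.

```python
"""Added example: encode/decode the NSEC type bit map (RFC 4034 section 4.1.2)
and check the bit maps quoted in the thread for the bits expected at a
delegation point. Sample inputs are transcribed from the dig output above."""

# RR type codes used in this thread (IANA DNS parameters registry).
TYPE_CODES = {"A": 1, "NS": 2, "SOA": 6, "DS": 43, "RRSIG": 46, "NSEC": 47}
CODE_NAMES = {code: name for name, code in TYPE_CODES.items()}


def type_code(name):
    """Map a presentation-format type name (including TYPEnnn) to its code."""
    if name.upper().startswith("TYPE") and name[4:].isdigit():
        return int(name[4:])
    return TYPE_CODES[name.upper()]


def encode_type_bitmap(type_names):
    """Build the wire-format type bit map: a sequence of
    (window, length, bitmap) blocks, one per 256-type window, with
    trailing zero octets trimmed and empty windows omitted."""
    windows = {}
    for code in sorted(type_code(n) for n in type_names):
        window, offset = divmod(code, 256)
        bits = windows.setdefault(window, bytearray(32))
        bits[offset // 8] |= 0x80 >> (offset % 8)  # bit 0 is the MSB
    wire = bytearray()
    for window in sorted(windows):
        bitmap = bytes(windows[window]).rstrip(b"\x00")
        wire += bytes([window, len(bitmap)]) + bitmap
    return bytes(wire)


def decode_type_bitmap(wire):
    """Parse a wire-format type bit map into a set of type names, rejecting
    malformed block lengths (RFC 4034 allows 1..32 octets per window)."""
    names = set()
    pos = 0
    while pos < len(wire):
        if pos + 2 > len(wire):
            raise ValueError("truncated window header")
        window, length = wire[pos], wire[pos + 1]
        if not 1 <= length <= 32:
            raise ValueError(f"bad bitmap length {length} in window {window}")
        bitmap = wire[pos + 2 : pos + 2 + length]
        if len(bitmap) != length:
            raise ValueError("truncated bitmap")
        for octet_index, octet in enumerate(bitmap):
            for bit in range(8):
                if octet & (0x80 >> bit):
                    code = window * 256 + octet_index * 8 + bit
                    names.add(CODE_NAMES.get(code, f"TYPE{code}"))
        pos += 2 + length
    return names


def check_delegation_nsec(type_names):
    """Return the problems with an NSEC bit map that covers a delegation point
    in the parent zone: the parent holds the NS RRset there, every NSEC must
    list NSEC and RRSIG (RFC 4035 section 2.3), and SOA belongs only at the apex."""
    present = {n.upper() for n in type_names}
    problems = []
    if "NS" not in present:
        problems.append("NS bit missing: bit map does not describe a delegation")
    if "SOA" in present:
        problems.append("SOA bit set: delegation point is not a zone apex")
    for required in ("NSEC", "RRSIG"):
        if required not in present:
            problems.append(f"{required} bit missing")
    return problems


# Constructed from the three responses quoted above: query type -> NSEC bit map.
OBSERVED = {
    "NS": ["RRSIG", "NSEC"],
    "A": ["NS", "RRSIG", "NSEC"],
    "DS": ["NS", "RRSIG", "NSEC"],
}


def audit_observed(observed=OBSERVED):
    """Round-trip each bit map through wire format and report the findings."""
    report = {}
    for qtype, names in observed.items():
        decoded = decode_type_bitmap(encode_type_bitmap(names))
        report[qtype] = check_delegation_nsec(decoded)
    return report


if __name__ == "__main__":
    for qtype, problems in audit_observed().items():
        print(f"qtype {qtype}: {'ok' if not problems else '; '.join(problems)}")
```

Running it flags only the NS-query response, which is the one whose bit map omits NS. The same check can be pointed at live data by parsing the NSEC RDATA out of the `+dnssec` answers instead of the constructed table; only the bit map parsing and the delegation check are shown here.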