Maintained by: NLnet Labs

[Unbound-users] Strange validation errors for proofs of non-existence in .com, .net, .org TLD (is it due to NSEC3 opt-out or I am missing some trust anchor?)

W.C.A. Wijngaards
Thu Jan 3 09:01:29 CET 2013


Hi Ondrej,

On 01/02/2013 06:31 PM, Ondrej Mikle wrote:
> i) Something has changed in the com/net/org TLD with the NSEC3
> around 3 months back, probably by setting the opt-out bit on NSEC3
> records or creating more gaps with NSEC3 records that have the
> opt-out bit set. I should have some old scan of .com TLD, but it'll
> take me some time to retrieve it and compare the records.
> 
> ii) Some old version of unbound does not handle this case and sets
> the AD flag (see below).
> 
> I am fairly sure that the com/net/org non-existent validation was
> "working" 3-4 months ago, some other people I asked remember it
> this way, too (I used it quite a lot for testing DNSSEC Validator
> and other SW). I wrote "working" in quotes because I'm not 100%
> sure if it was due to a change in the zones or a bug/missing
> feature in unbound or bind. Though I think bind did validate the
> nonexistent com/net/org domains as well back then.
> 
>> The machine at 193.29.206.206 that sets the AD flag for optout
>> NSEC3 NXDOMAIN fails to implement RFC5155.
> 
> I've just asked admins today and the 193.29.206.206 machine runs
> unbound 1.4.6-1 from Ubuntu Lucid.

So, it is a bug in an older version of unbound, which has already been
fixed (ii)?  Ah yes, in 1.4.7 there is this bugfix: Abide RFC5155
section 9.2: no AD flag for replies with NSEC3 optout.

> Does anyone know since when do the com/net/org NSEC3s have the
> opt-out bit set?

The authority servers are not the problem here, the older version of
unbound does not set the AD flag correctly for NXDOMAIN responses with
optout.

Best regards,
   Wouter

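The RFC 5155 section 9.2 rule Wouter cites (no AD flag when the NXDOMAIN proof rests on an opt-out NSEC3), worked through as an added example; this is not code from unbound or from the thread. It assumes a constructed zone "example" with salt aabb and one hash iteration, and represents each NSEC3 as (owner_hash, next_hash, flags).

```python
import base64
import hashlib

OPT_OUT = 0x01  # Opt-Out bit of the NSEC3 Flags field (RFC 5155 section 3.1.2.1)


def nsec3_hash(name: str, salt: bytes, iterations: int) -> bytes:
    """RFC 5155 section 5: SHA-1 over the canonical wire-format name, re-hashed
    'iterations' more times, the salt appended each round."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return digest


def nsec3_owner_label(digest: bytes) -> str:
    """Base32hex (RFC 4648 extended hex) as used for NSEC3 owner names."""
    std = base64.b32encode(digest).decode().rstrip("=")
    return std.translate(str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                                       "0123456789ABCDEFGHIJKLMNOPQRSTUV"))


def build_chain(names, salt, iters, flags=0):
    """Constructed NSEC3 chain for the names that exist in the zone."""
    hs = sorted(nsec3_hash(n, salt, iters) for n in names)
    return [(hs[k], hs[(k + 1) % len(hs)], flags) for k in range(len(hs))]


def covers(rr, h: bytes) -> bool:
    """True if hash h lies strictly inside the gap (owner, next) of rr."""
    owner, nxt, _ = rr
    if owner < nxt:
        return owner < h < nxt
    return h > owner or h < nxt  # last record wraps around to the first


def nxdomain_status(qname, zone, rrs, salt, iters) -> str:
    """Closest-encloser proof (RFC 5155 section 8.4) with the section 9.2
    opt-out rule. Returns 'secure' (AD may be set), 'insecure' or 'bogus'."""
    labels, zlabels = qname.rstrip(".").split("."), zone.rstrip(".").split(".")
    for i in range(len(labels) - len(zlabels) + 1):
        ce = ".".join(labels[i:])  # candidate closest encloser
        if any(rr[0] == nsec3_hash(ce, salt, iters) for rr in rrs):
            break
    else:
        return "bogus"       # no closest encloser proven to exist
    if i == 0:
        return "bogus"       # qname itself matches an NSEC3: it exists
    next_closer = ".".join(labels[i - 1:])
    nc = [rr for rr in rrs if covers(rr, nsec3_hash(next_closer, salt, iters))]
    wc = [rr for rr in rrs if covers(rr, nsec3_hash("*." + ce, salt, iters))]
    if not nc or not wc:
        return "bogus"       # next closer name or wildcard not proven absent
    # Section 9.2: an opt-out NSEC3 covering the next closer name cannot rule
    # out an unsigned delegation there, so the answer is Insecure, AD clear.
    return "insecure" if nc[0][2] & OPT_OUT else "secure"
```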