Maintained by: NLnet Labs

[Unbound-users] Strange validation errors for proofs of non-existence in .com, .net, .org TLD (is it due to NSEC3 opt-out or I am missing some trust anchor?)

Ondrej Mikle
Thu Jan 3 14:08:12 CET 2013


On 01/03/2013 09:01 AM, W.C.A. Wijngaards wrote:
> On 01/02/2013 06:31 PM, Ondrej Mikle wrote:
> 
>>> The machine at 193.29.206.206 that sets the AD flag for optout
>>> NSEC3 NXDOMAIN fails to implement RFC5155.
> 
>> I've just asked admins today and the 193.29.206.206 machine runs
>> unbound 1.4.6-1 from Ubuntu Lucid.
> 
> So, it is a bug in an older version of unbound, which has already been
> fixed (ii)?  Ah yes, in 1.4.7 there is this bugfix: Abide RFC5155
> section 9.2: no AD flag for replies with NSEC3 optout.

Thanks, this is likely the reason I remember the validation "working". I went
through some of the older recorded scans of .com from May and the .com NSEC3s were
'insecure' back then, too. I'd guess it will be the same with the .net TLD.

Ondrej
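As an added illustration of the RFC 5155 section 9.2 rule the thread refers to (the check missing in unbound 1.4.6 and added in 1.4.7), the following Python is example code written for this page, not code from the thread or from unbound. It assumes a constructed zone `example.` signed with the NSEC3PARAM values from RFC 5155 Appendix A (SHA-1, salt `aabbccdd`, 12 iterations) and that the NSEC3 RRs have already been signature-validated; the tuple layout `(owner_hash, flags, next_hash)` is this example's own.

```python
import hashlib

OPT_OUT = 0x01  # Opt-Out bit of the NSEC3 Flags field (RFC 5155 section 3.1.2.1)

def wire_name(name):
    """Canonical lowercase wire-format owner name (RFC 4034 section 6.2)."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def nsec3_hash(name, salt, iterations):
    """NSEC3 hash, hash algorithm 1 = SHA-1 (RFC 5155 section 5)."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return digest

def build_chain(names, salt, iterations, flags):
    """Constructed NSEC3 chain: (owner_hash, flags, next_hash) tuples in hash order."""
    h = sorted(nsec3_hash(n, salt, iterations) for n in names)
    return [(h[i], flags, h[(i + 1) % len(h)]) for i in range(len(h))]

def covers(rr, digest):
    owner, _, nxt = rr  # last RR of the chain wraps around to the first
    return (owner < digest < nxt) if owner < nxt else (digest > owner or digest < nxt)

def ancestors(qname):
    labels = qname.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels))] + ["."]

def nxdomain_proof(qname, chain, salt, iterations):
    """Closest encloser proof (RFC 5155 section 8.3); returns (closest_encloser, ad_allowed)."""
    names = ancestors(qname)
    for i, name in enumerate(names):
        if any(rr[0] == nsec3_hash(name, salt, iterations) for rr in chain):
            if i == 0:
                raise ValueError("qname has a matching NSEC3, so it exists: not NXDOMAIN")
            nc_hash = nsec3_hash(names[i - 1], salt, iterations)  # the "next closer" name
            covering = next(rr for rr in chain if covers(rr, nc_hash))  # StopIteration: bogus
            # Section 9.2: AD MUST NOT be set when the covering NSEC3 has the Opt-Out bit set
            return name, not (covering[1] & OPT_OUT)
    raise ValueError("no closest encloser found: proof is bogus")

# Constructed zone: apex plus two signed names; with Opt-Out, insecure delegations get no NSEC3.
ZONE_NAMES = ["example.", "secure.example.", "also-signed.example."]
SALT, ITERATIONS = bytes.fromhex("aabbccdd"), 12

if __name__ == "__main__":
    for flags in (OPT_OUT, 0):
        chain = build_chain(ZONE_NAMES, SALT, ITERATIONS, flags)
        ce, ad = nxdomain_proof("www.nonexistent.example.", chain, SALT, ITERATIONS)
        print(f"NSEC3 flags={flags}: closest encloser {ce}, AD bit allowed: {ad}")
```

With the Opt-Out bit set the same NXDOMAIN proof validates but yields an insecure answer, which is exactly the difference between the 1.4.6 behaviour described above and the fixed one.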
