Maintained by: NLnet Labs

[Unbound-users] Strange validation failures for some wildcard CNAMEs

Casey Deccio
Mon Sep 22 14:39:03 CEST 2014


On Wed, Sep 17, 2014 at 12:27 PM, Casey Deccio <casey at deccio.net> wrote:

> I don't immediately see anything wrong with the complete names above.  But
> I can see that BIND and unbound both are failing validation for
> _tcp.kinderporno.cz.  I am wondering if this is perhaps due to incorrect
> handling of NSEC records associated with wildcards.
>
> $ dig +dnssec +noall +authority @ns.forpsi.it _tcp.kinderporno.cz | grep NSEC | head -1
> default._domainkey.kinderporno.cz. 3600    IN NSEC    _jabber._tcp.kinderporno.cz. TXT RRSIG NSEC
>
> The NSEC record returned doesn't prove that the name doesn't exist
> (NXDOMAIN) because the name (_tcp.kinderporno.cz) is in fact an ancestor
> of the next field of the NSEC record (_jabber._tcp.kinderporno.cz), as an
> empty non-terminal.  But that proof is not required for wildcard, only for
> NXDOMAIN status.
>

For archival purposes, the above guess was incorrect, due to overlooking
proper server-side wildcard processing behavior from RFC 1034, as
indicated by Ondřej, who posted a reference to the same issue on the DANE WG
mailing list.  In this case, the wildcard should never have been expanded
because an ancestor of the name exists.

Casey
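The two rules behind the thread's conclusion, as an added worked example that is not part of the original post or of Unbound's code: (1) the RFC 1034 section 4.3.2 step-3 lookup, where a wildcard is only consulted at the query name's closest encloser, so a name that exists as an empty non-terminal (such as `_tcp.kinderporno.cz` below `_jabber._tcp.kinderporno.cz`) gets a NODATA answer and never a wildcard expansion; and (2) the validator-side NSEC check, where an NSEC record only proves non-existence for a name that sorts strictly between its owner and next fields and is not an ancestor of the next name. The zone contents below are constructed for the illustration (the `*.kinderporno.cz` owner is an assumption; only the NSEC record itself comes from the quoted `dig` output).

```python
from typing import Iterable, Tuple

Labels = Tuple[bytes, ...]


def labels(name: str) -> Labels:
    """Canonical form of a DNS name: lowercase labels as bytes, ordered from
    the root downward.  Plain tuple comparison then gives the RFC 4034
    section 6.1 canonical ordering, in which an ancestor sorts immediately
    before its descendants."""
    parts = [p.lower().encode() for p in name.rstrip(".").split(".") if p]
    return tuple(reversed(parts))


def is_ancestor_or_self(anc: str, name: str) -> bool:
    a, n = labels(anc), labels(name)
    return n[: len(a)] == a


def closest_encloser(zone_owners: Iterable[str], qname: str) -> Labels:
    """Longest ancestor-or-self of qname that exists in the zone.  A name
    exists if some record owner sits at or below it, which is exactly what
    makes an empty non-terminal exist."""
    owners = [labels(n) for n in zone_owners]
    q = labels(qname)
    for depth in range(len(q), -1, -1):
        if any(o[:depth] == q[:depth] for o in owners):
            return q[:depth]
    return ()


def classify(zone_owners: Iterable[str], qname: str) -> str:
    """RFC 1034 section 4.3.2 step 3, for a qname inside the zone:
    'exists'   - qname itself exists (possibly only as an empty non-terminal,
                 which yields NODATA; the wildcard is never consulted)
    'wildcard' - qname does not exist, but '*' under its closest encloser does
    'nxdomain' - neither, so no synthesis happens (RFC 4592 semantics)"""
    q = labels(qname)
    ce = closest_encloser(zone_owners, qname)
    if ce == q:
        return "exists"
    if any(labels(n) == ce + (b"*",) for n in zone_owners):
        return "wildcard"
    return "nxdomain"


def nsec_covers(owner: str, next_name: str, qname: str) -> bool:
    """True only if the NSEC record (owner -> next) proves qname does not
    exist: owner < qname < next in canonical order, and qname is not an
    ancestor of next.  An ancestor of an existing name sorts between the two
    fields yet still exists (as an empty non-terminal), so it is excluded."""
    if is_ancestor_or_self(qname, next_name):
        return False
    o, q, n = labels(owner), labels(qname), labels(next_name)
    if o < n:
        return o < q < n
    # The last NSEC of a zone wraps around to the apex.
    return q > o or q < n


# Constructed zone: the wildcard owner is an assumption; the NSEC data is the
# record shown in the quoted dig output.
ZONE_OWNERS = [
    "kinderporno.cz.",
    "*.kinderporno.cz.",
    "default._domainkey.kinderporno.cz.",
    "_jabber._tcp.kinderporno.cz.",
]
NSEC_OWNER = "default._domainkey.kinderporno.cz."
NSEC_NEXT = "_jabber._tcp.kinderporno.cz."


if __name__ == "__main__":
    for name in ("_tcp.kinderporno.cz.", "foo.kinderporno.cz.", "a._tcp.kinderporno.cz."):
        print(f"{name:28} -> {classify(ZONE_OWNERS, name)}; "
              f"NSEC covers: {nsec_covers(NSEC_OWNER, NSEC_NEXT, name)}")
```

Run as a script, the empty non-terminal `_tcp.kinderporno.cz.` classifies as `exists` and is not covered by the NSEC, a sibling such as `foo.kinderporno.cz.` is served from the wildcard, and `a._tcp.kinderporno.cz.` is NXDOMAIN because the wildcard is only looked up at its closest encloser `_tcp.kinderporno.cz.`, where no `*` label exists.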