NXDOMAIN accepted despite NSEC not covering wildcard?
Viktor Dukhovni
ietf-dane at dukhovni.org
Sat Jan 27 20:10:02 UTC 2018
Please see:
http://dnsviz.net/d/_25._tcp.mx1.marketconservative.com/WmzVYw/dnssec/
The NXDomain response contains NSEC records that cover
_tcp.mx1.marketconservative.com
but NOT
*.mx1.marketconservative.com
Here are the responses from the remote servers with RRSIGs trimmed:
@ns1.psyclonecontacts.net.[52.1.81.184]
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 22871
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 5
;_25._tcp.mx1.marketconservative.com. IN TLSA
marketconservative.com. SOA ns1.psyclonecontacts.net. sysadmin.marketconservative.com. [...]
dk._domainkey.mx1.marketconservative.com. NSEC mx2.marketconservative.com. [...]
marketconservative.com. NSEC _dmarc.marketconservative.com. [...]
@ns2.psyclonecontacts.net.[52.1.132.80]
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 39242
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 5
;_25._tcp.mx1.marketconservative.com. IN TLSA
marketconservative.com. SOA ns1.psyclonecontacts.net. sysadmin.marketconservative.com. [...]
dk._domainkey.mx1.marketconservative.com. NSEC mx2.marketconservative.com. [...]
marketconservative.com. NSEC _dmarc.marketconservative.com. [...]
Note that the second NSEC record excludes an (irrelevant) zone apex wildcard,
but not a wildcard below "mx1", so it looks to me like DNSViz may be correct,
in which case unbound should not accept this response. And yet unbound
returns NXDomain with the AD bit set:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 51438
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1
;; QUESTION SECTION:
;_25._tcp.mx1.marketconservative.com. IN TLSA
;; AUTHORITY SECTION:
marketconservative.com. SOA ns1.psyclonecontacts.net. sysadmin.marketconservative.com. 2017110101 36000 3600 1296000 3600
dk._domainkey.mx1.marketconservative.com. NSEC mx2.marketconservative.com. TXT RRSIG NSEC
marketconservative.com. NSEC _dmarc.marketconservative.com. A NS SOA MX TXT LOC RRSIG NSEC DNSKEY
And ditto with unbound-host:
$ unbound-host -v -f /usr/local/etc/unbound/root.key -t tlsa _25._tcp.mx1.marketconservative.com
Host _25._tcp.mx1.marketconservative.com not found: 3(NXDOMAIN). (secure)
I am using unbound 1.6.8 on FreeBSD.
--
Viktor.
More information about the Unbound-users
mailing list