Hello, 

I discovered a problem with my DLV setup: validation of non-signed 
domain names fails. The special case is that I tried to use the DLV 
zone information as a slave zone to avoid additional network traffic during 
name resolution. For my tests I configured

    dnssec-lookaside "." trust-anchor "dnssec.iks-jena.de.";

and

    zone "dnssec.iks-jena.de" {
            type slave;
            ...

Zone transfer for this zone and lookups for zone data are working 
well. I use BIND 9.4.2-P1.

When I try to look up a domain name from Germany, e.g. www.stern.de, I 
get:
; <<>> DiG 9.4.2 <<>> www.stern.de a
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 50671

Interestingly, for a domain in Hungary:
; <<>> DiG 9.4.2 <<>> www.vam.hu a
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9004
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
www.vam.hu.             86400 IN A 84.206.40.8

What happened can be seen in the log:
validating @0x91f7800: www.stern.de A: starting
validating @0x91f7800: www.stern.de A: looking for DLV
validating @0x91f7800: www.stern.de A: plain DNSSEC returns unsecure (.): looking for DLV
validating @0x91f7800: www.stern.de A: looking for DLV www.stern.de.dnssec.iks-jena.de
validating @0x91f7800: www.stern.de A: looking for DLV stern.de.dnssec.iks-jena.de
validating @0x91f7800: www.stern.de A: looking for DLV de.dnssec.iks-jena.de
validating @0x91f7800: www.stern.de A: DLV lookup: empty name
validator @0x91f7800: dns_validator_destroy
validating @0x91f7800: www.stern.de A: starting
validating @0x91f7800: www.stern.de A: looking for DLV
validating @0x91f7800: www.stern.de A: plain DNSSEC returns unsecure (.): looking for DLV
validating @0x91f7800: www.stern.de A: looking for DLV www.stern.de.dnssec.iks-jena.de
validating @0x91f7800: www.stern.de A: looking for DLV stern.de.dnssec.iks-jena.de
validating @0x91f7800: www.stern.de A: looking for DLV de.dnssec.iks-jena.de
validating @0x91f7800: www.stern.de A: DLV lookup: empty name
validator @0x91f7800: dns_validator_destroy
validating @0x91f7800: www.stern.de A: starting
validating @0x91f7800: www.stern.de A: looking for DLV
validating @0x91f7800: www.stern.de A: plain DNSSEC returns unsecure (.): looking for DLV
validating @0x91f7800: www.stern.de A: looking for DLV www.stern.de.dnssec.iks-jena.de
validating @0x91f7800: www.stern.de A: looking for DLV stern.de.dnssec.iks-jena.de
validating @0x91f7800: www.stern.de A: looking for DLV de.dnssec.iks-jena.de
validating @0x91f7800: www.stern.de A: DLV lookup: empty name
validator @0x91f7800: dns_validator_destroy

validating @0x91f7800: www.vam.hu A: starting
validating @0x91f7800: www.vam.hu A: looking for DLV
validating @0x91f7800: www.vam.hu A: plain DNSSEC returns unsecure (.): looking for DLV
validating @0x91f7800: www.vam.hu A: looking for DLV www.vam.hu.dnssec.iks-jena.de
validating @0x91f7800: www.vam.hu A: looking for DLV vam.hu.dnssec.iks-jena.de
validating @0x91f7800: www.vam.hu A: looking for DLV hu.dnssec.iks-jena.de
validating @0x91f7800: www.vam.hu A: looking for DLV dnssec.iks-jena.de
validating @0x91f7800: www.vam.hu A: DLV not found
validating @0x91f7800: www.vam.hu A: marking as answer
validator @0x91f7800: dns_validator_destroy

#####

Now let's see what we get when I do not use a slave zone, but let 
the resolver make queries to dnssec.iks-jena.de. I do not show any 
dig output, because all is working well; here is the log only:
validating @0x8c12800: www.stern.de A: starting
validating @0x8c12800: www.stern.de A: looking for DLV
validating @0x8c12800: www.stern.de A: plain DNSSEC returns unsecure (.): looking for DLV
validating @0x8c12800: www.stern.de A: looking for DLV www.stern.de.dnssec.iks-jena.de
validating @0x8c12800: www.stern.de A: DNS_R_COVERINGNSEC
validating @0x8c12800: www.stern.de A: covering nsec: not in range
validating @0x8c12800: www.stern.de A: DLV lookup: wait
validating @0x96eb800: www.stern.de.dnssec.iks-jena.de DLV: starting
validating @0x96eb800: www.stern.de.dnssec.iks-jena.de DLV: attempting negative response validation
  validating @0x96ec000: dnssec.iks-jena.de SOA: starting
  validating @0x96ec000: dnssec.iks-jena.de SOA: attempting positive response validation
  validating @0x96ec000: dnssec.iks-jena.de SOA: keyset with trust 7
  validating @0x96ec000: dnssec.iks-jena.de SOA: verify rdataset (keyid=51362): success
  validating @0x96ec000: dnssec.iks-jena.de SOA: marking as secure
  validator @0x96ec000: dns_validator_destroy
validating @0x96eb800: www.stern.de.dnssec.iks-jena.de DLV: in authvalidated
validating @0x96eb800: www.stern.de.dnssec.iks-jena.de DLV: resuming nsecvalidate
  validating @0x96ec000: steps-jena.de.dnssec.iks-jena.de NSEC: starting
  validating @0x96ec000: steps-jena.de.dnssec.iks-jena.de NSEC: attempting positive response validation
  validating @0x96ec000: steps-jena.de.dnssec.iks-jena.de NSEC: keyset with trust 7
  validating @0x96ec000: steps-jena.de.dnssec.iks-jena.de NSEC: verify rdataset (keyid=51362): success
  validating @0x96ec000: steps-jena.de.dnssec.iks-jena.de NSEC: marking as secure
  validator @0x96ec000: dns_validator_destroy
validating @0x96eb800: www.stern.de.dnssec.iks-jena.de DLV: in authvalidated
validating @0x96eb800: www.stern.de.dnssec.iks-jena.de DLV: looking for relevant nsec
validating @0x96eb800: www.stern.de.dnssec.iks-jena.de DLV: nsec range ok
validating @0x96eb800: www.stern.de.dnssec.iks-jena.de DLV: resuming nsecvalidate
  validating @0x96ec000: mou.cz.dnssec.iks-jena.de NSEC: starting
  validating @0x96ec000: mou.cz.dnssec.iks-jena.de NSEC: attempting positive response validation
  validating @0x96ec000: mou.cz.dnssec.iks-jena.de NSEC: keyset with trust 7
  validating @0x96ec000: mou.cz.dnssec.iks-jena.de NSEC: verify rdataset (keyid=51362): success
  validating @0x96ec000: mou.cz.dnssec.iks-jena.de NSEC: marking as secure
  validator @0x96ec000: dns_validator_destroy
validating @0x96eb800: www.stern.de.dnssec.iks-jena.de DLV: in authvalidated
validating @0x96eb800: www.stern.de.dnssec.iks-jena.de DLV: resuming nsecvalidate
validating @0x96eb800: www.stern.de.dnssec.iks-jena.de DLV: in checkwildcard: *.de.dnssec.iks-jena.de
validating @0x96eb800: www.stern.de.dnssec.iks-jena.de DLV: looking for relevant nsec
validating @0x96eb800: www.stern.de.dnssec.iks-jena.de DLV: NSEC does not cover name, before NSEC
validating @0x96eb800: www.stern.de.dnssec.iks-jena.de DLV: looking for relevant nsec
validating @0x96eb800: www.stern.de.dnssec.iks-jena.de DLV: nsec range ok
validating @0x96eb800: www.stern.de.dnssec.iks-jena.de DLV: nonexistence proof(s) found
validator @0x96eb800: dns_validator_destroy
validating @0x8c12800: www.stern.de A: in dlvfetched: ncache nxdomain
validating @0x8c12800: www.stern.de A: looking for DLV stern.de.dnssec.iks-jena.de
validating @0x8c12800: www.stern.de A: DNS_R_COVERINGNSEC
validating @0x8c12800: www.stern.de A: covering nsec found: 'stern.de.dnssec.iks-jena.de' 'steps-jena.de.dnssec.iks-jena.de' 'supracon.de.dnssec.iks-jena.de'
validating @0x8c12800: www.stern.de A: looking for DLV de.dnssec.iks-jena.de
validating @0x8c12800: www.stern.de A: DLV lookup: wait
validating @0x96eb800: de.dnssec.iks-jena.de DLV: starting
validating @0x96eb800: de.dnssec.iks-jena.de DLV: attempting negative response validation
  validating @0x96ec000: dnssec.iks-jena.de SOA: starting
  validating @0x96ec000: dnssec.iks-jena.de SOA: attempting positive response validation
  validating @0x96ec000: dnssec.iks-jena.de SOA: keyset with trust 7
  validating @0x96ec000: dnssec.iks-jena.de SOA: verify rdataset (keyid=51362): success
  validating @0x96ec000: dnssec.iks-jena.de SOA: marking as secure
  validator @0x96ec000: dns_validator_destroy
validating @0x96eb800: de.dnssec.iks-jena.de DLV: in authvalidated
validating @0x96eb800: de.dnssec.iks-jena.de DLV: resuming nsecvalidate
  validating @0x96ec000: mou.cz.dnssec.iks-jena.de NSEC: starting
  validating @0x96ec000: mou.cz.dnssec.iks-jena.de NSEC: attempting positive response validation
  validating @0x96ec000: mou.cz.dnssec.iks-jena.de NSEC: keyset with trust 7
  validating @0x96ec000: mou.cz.dnssec.iks-jena.de NSEC: verify rdataset (keyid=51362): success
  validating @0x96ec000: mou.cz.dnssec.iks-jena.de NSEC: marking as secure
  validator @0x96ec000: dns_validator_destroy
validating @0x96eb800: de.dnssec.iks-jena.de DLV: in authvalidated
validating @0x96eb800: de.dnssec.iks-jena.de DLV: looking for relevant nsec
validating @0x96eb800: de.dnssec.iks-jena.de DLV: nsec proves name exist (empty)
validating @0x96eb800: de.dnssec.iks-jena.de DLV: resuming nsecvalidate
validating @0x96eb800: de.dnssec.iks-jena.de DLV: nonexistence proof(s) found
validator @0x96eb800: dns_validator_destroy
validating @0x8c12800: www.stern.de A: in dlvfetched: ncache nxrrset
validating @0x8c12800: www.stern.de A: looking for DLV dnssec.iks-jena.de
validating @0x8c12800: www.stern.de A: DLV not found
validating @0x8c12800: www.stern.de A: marking as answer
validator @0x8c12800: dns_validator_destroy

validating @0xa5ee800: www.vam.hu A: starting
validating @0xa5ee800: www.vam.hu A: looking for DLV
validating @0xa5ee800: www.vam.hu A: plain DNSSEC returns unsecure (.): looking for DLV
validating @0xa5ee800: www.vam.hu A: looking for DLV www.vam.hu.dnssec.iks-jena.de
validating @0xa5ee800: www.vam.hu A: DNS_R_COVERINGNSEC
validating @0xa5ee800: www.vam.hu A: covering nsec found: 'www.vam.hu.dnssec.iks-jena.de' 'epages.hk.dnssec.iks-jena.de' 'rubin.org.il.dnssec.iks-jena.de'
validating @0xa5ee800: www.vam.hu A: looking for DLV vam.hu.dnssec.iks-jena.de
validating @0xa5ee800: www.vam.hu A: DNS_R_COVERINGNSEC
validating @0xa5ee800: www.vam.hu A: covering nsec found: 'vam.hu.dnssec.iks-jena.de' 'epages.hk.dnssec.iks-jena.de' 'rubin.org.il.dnssec.iks-jena.de'
validating @0xa5ee800: www.vam.hu A: looking for DLV hu.dnssec.iks-jena.de
validating @0xa5ee800: www.vam.hu A: DNS_R_COVERINGNSEC
validating @0xa5ee800: www.vam.hu A: covering nsec found: 'hu.dnssec.iks-jena.de' 'epages.hk.dnssec.iks-jena.de' 'rubin.org.il.dnssec.iks-jena.de'
validating @0xa5ee800: www.vam.hu A: looking for DLV dnssec.iks-jena.de
validating @0xa5ee800: www.vam.hu A: DLV not found
validating @0xa5ee800: www.vam.hu A: marking as answer
validator @0xa5ee800: dns_validator_destroy

####

My interpretation:
When the data from the internal slave zone are read, the return value may 
be DNS_R_EMPTYNAME, but the validator does not expect this.

Additional note:
During my tests I discovered different result codes for non-existent 
DLV records. It depends on whether other entries exist or not. This 
can also be seen on the ISC server:

; <<>> DiG 9.4.2 <<>> @ns-ext.isc.org. hu.dlv.isc.org. DLV
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 17889
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 9, ADDITIONAL: 1
...
;; SERVER: 2001:4f8:0:2::13#53(2001:4f8:0:2::13)


; <<>> DiG 9.4.2 <<>> @ns-ext.isc.org. de.dlv.isc.org. DLV
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7813
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1
...
;; SERVER: 2001:4f8:0:2::13#53(2001:4f8:0:2::13)


; <<>> DiG 9.4.2 <<>> @ns-ext.isc.org. www.stern.de.dlv.isc.org. DLV
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 45108
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 9, ADDITIONAL: 1
;; SERVER: 2001:4f8:0:2::13#53(2001:4f8:0:2::13)


Is the NOERROR response without an answer record the expected value?

Now I'll ask my final question: Is this an error in my configuration, 
or does it look like a problem in BIND itself?

Regards,
   Frank

-- 
Frank Behrens, Osterwieck, Germany
PGP-key 0x5B7C47ED on public servers available.
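An added example (not code from the original post, and not BIND's own implementation) that models the DLV name walk visible in the logs above and why a lookup for de.dnssec.iks-jena.de answers differently from one for hu.dnssec.iks-jena.de. The zone content is constructed from the NSEC owner names that appear in the log, and the abort_on_nodata switch is an assumption that reproduces the poster's interpretation of the slave-zone case, not BIND's actual code path.

```python
# Added example: model the DLV candidate walk and the three kinds of answer a
# signed zone can give (data / NODATA at an existing name / NXDOMAIN).
from enum import Enum


class R(Enum):
    FOUND = "found"        # a DLV RRset exists at this name
    NODATA = "nodata"      # name exists (apex or empty non-terminal) but has no DLV RRset
    NXDOMAIN = "nxdomain"  # nothing exists at or below this name


# Constructed zone content (assumption): the owner names of DLV records are taken
# from the NSEC owner names that appear in the poster's log, nothing more.
DLV_ZONE = "dnssec.iks-jena.de"
DLV_OWNERS = {
    "steps-jena.de.dnssec.iks-jena.de",
    "supracon.de.dnssec.iks-jena.de",
    "mou.cz.dnssec.iks-jena.de",
    "epages.hk.dnssec.iks-jena.de",
    "rubin.org.il.dnssec.iks-jena.de",
}


def dlv_candidates(qname, dlv_zone=DLV_ZONE):
    """Candidate DLV names, most specific first, ending at the DLV zone apex."""
    labels = qname.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." + dlv_zone for i in range(len(labels))] + [dlv_zone]


def lookup(name, owners=DLV_OWNERS, apex=DLV_ZONE):
    """Classify one lookup the way a signed zone would answer it."""
    if name in owners:
        return R.FOUND
    if name == apex or any(o.endswith("." + name) for o in owners):
        return R.NODATA      # empty non-terminal: NOERROR, ANSWER: 0 ("ncache nxrrset")
    return R.NXDOMAIN        # covered by an NSEC: "ncache nxdomain"


def dlv_walk(qname, abort_on_nodata=False):
    """Return ("dlv", name), ("insecure", None) or ("servfail", name).

    abort_on_nodata=True models the poster's interpretation of the slave-zone
    case: an unexpected empty name below the apex ends validation instead of
    being skipped like a negative answer fetched over the network."""
    for name in dlv_candidates(qname):
        r = lookup(name)
        if r is R.FOUND:
            return ("dlv", name)
        if r is R.NODATA and abort_on_nodata and name != DLV_ZONE:
            return ("servfail", name)   # "DLV lookup: empty name"
    return ("insecure", None)           # "DLV not found" -> "marking as answer"
```

With the constructed zone, www.stern.de hits the empty non-terminal de.dnssec.iks-jena.de (steps-jena.de and supracon.de exist below it) while www.vam.hu never does, which matches the SERVFAIL/NOERROR split in the post.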

