On Jan 20 2014, Graham Clinch wrote:
I'm seeing a dnssec validation error that I can't pin down, for the
domain: newsletter.postbank.de.
Neither http://dnsviz.net/ nor
http://dnssec-debugger.verisignlabs.com/ reports finding a problem, but
two (ubuntu packaged) versions of bind report a failure validating the
delegation as intentionally insecure.
I've tried versions:
BIND 9.9.3-rpz2+rl.13214.22-P2-Ubuntu-1:9.9.3.dfsg.P2-4ubuntu1.1
[...]
and
BIND 9.8.1-P1 built with '--prefix=/usr' '--mandir=/usr/share/man'
[...]
I can reproduce the effect with BIND 9.9.4, 9.9.4-P2, 9.9.5b1.
I think the problem is as follows. The nameservers for postbank.de
generate a referral for newsletter.postbank.de which includes a
"minimally enclosing" NSEC3 like this:
o27g5ei98muhh7iemoihmbn83qndjsv1.postbank.de. 3600 IN NSEC3 1 0 1 \
8BB5BA1AF57572EE O27G5EI98MUHH7IEMOIHMBN83QNDJSV2
The salt is generated dynamically (different each time) and doesn't
match postbank.de's NSEC3PARAM, but that shouldn't matter. What
*does* matter is that the NSEC3 "proves" that there are no NS
records as well (as no DS ones) for newsletter.postbank.de
(despite the fact that the NS records are included in the referral).
Note the absence of opt-out in the NSEC3.
--
Chris Thompson
Email: c...@cam.ac.uk
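As an added illustration (not code from this thread or from BIND), the following Python applies the RFC 5155 section 8.9 insecure-delegation rule to the NSEC3 quoted above: a matching NSEC3 must carry the NS bit (and neither DS nor SOA), while a covering NSEC3 only helps when opt-out is set. The hashed owner and next-hash fields are taken from the quoted record (next hash lowercased for comparison); the hash of newsletter.postbank.de is computed locally rather than assumed.

```python
import base64
import hashlib
from dataclasses import dataclass

B32STD = "abcdefghijklmnopqrstuvwxyz234567"
B32HEX = "0123456789abcdefghijklmnopqrstuv"
OPT_OUT = 0x01  # NSEC3 flags bit (RFC 5155 section 3.1.2.1)

def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 section 5: iterated SHA-1 over the wire-format name, base32hex, lowercase."""
    labels = [l for l in name.lower().rstrip(".").encode().split(b".") if l]
    wire = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode().lower().translate(str.maketrans(B32STD, B32HEX))

@dataclass
class NSEC3:
    owner: str        # hashed owner label (first label of the RR owner name), lowercase
    flags: int
    iterations: int
    salt: str
    next_hash: str    # lowercase
    types: frozenset  # type bitmap, e.g. frozenset({"NS"})

def insecure_delegation_verdict(name: str, rr: NSEC3) -> str:
    """RFC 5155 section 8.9: does rr prove that `name` is an unsigned (insecure) delegation?"""
    h = nsec3_hash(name, rr.salt, rr.iterations)
    if h == rr.owner:  # matching NSEC3: the bitmap must show NS, but neither DS nor SOA
        if "DS" in rr.types:
            return "DS bit set: the delegation is signed, not insecure"
        if "NS" not in rr.types or "SOA" in rr.types:
            return "matching NSEC3 lacks NS (or has SOA): proves no delegation, contradicting the referral"
        return "ok"
    wraps = rr.owner > rr.next_hash  # last NSEC3 in the chain points back to the first
    covered = (h > rr.owner or h < rr.next_hash) if wraps else (rr.owner < h < rr.next_hash)
    if covered:  # a covering NSEC3 only proves an insecure delegation when opt-out is set
        return "ok" if rr.flags & OPT_OUT else "covering NSEC3 without opt-out: proves the name does not exist"
    return "NSEC3 neither matches nor covers the name"

# The NSEC3 quoted in the referral above: flags 0 (no opt-out), 1 iteration, empty type bitmap.
POSTBANK_NSEC3 = NSEC3("o27g5ei98muhh7iemoihmbn83qndjsv1", 0, 1, "8BB5BA1AF57572EE",
                       "o27g5ei98muhh7iemoihmbn83qndjsv2", frozenset())

def referral_verdict() -> str:
    return insecure_delegation_verdict("newsletter.postbank.de.", POSTBANK_NSEC3)
```

Whichever branch the quoted record lands in, the verdict is never "ok": an empty type bitmap can never satisfy the NS-present test, which is the failure BIND reports.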
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users