In message <alpine.lsu.2.00.1401201234190.13...@hermes-2.csi.cam.ac.uk>, Tony Finch writes:
> Graham Clinch <g.cli...@lancaster.ac.uk> wrote:
> >
> > I'm seeing a dnssec validation error that I can't pin down, for the domain:
> > newsletter.postbank.de.
>
> Looks like a bug in BIND to me. It works out that there is no DS in the
> parent then gets muddled. I note that postbank.de is in the middle of a
> double-signature ZSK rollover. Dunno if that is relevant, but it is a bit
> unusual.

It looks like a missing NS bit in the NSEC3 record which causes the
isdelegation check to fail. DNSSEC proves delegations exist, or don't
exist, as the case may be, unless the delegation is in an optout range.

; <<>> DiG 9.10.0a1 <<>> newsletter.postbank.de +dnssec ds
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28762
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;newsletter.postbank.de.        IN      DS

;; AUTHORITY SECTION:
postbank.de.            8981    IN      SOA     ns1.postbank.de. webmaster.postbank.de. 2010022883 86400 7200 604800 86400
postbank.de.            8981    IN      RRSIG   SOA 7 2 86400 20140125074615 20140118074615 55913 postbank.de. MAyl9jCfxylOItqAJc/Pyb55D/KI8reTVkxLYJ2oecBzhNoKTiaYw7o9 ceU7CSXRjIwWLe6DL2SKbHKrwe8G3lYHgoYOwmV62k+TgpM9Cvr8gyV/ LdheakhaDuWYmnehF5+Q1gDWQpNwoqpBLsZxQYC9B9Lg+Q2EYJflVRKf /8o=
postbank.de.            8981    IN      RRSIG   SOA 7 2 86400 20140126152235 20140119152235 32699 postbank.de. KWYHjij78NobHPVWt4SpPQUWCR/uxTjQ9ZlAplju25xazg4aPcN5g5Qw wQDPXNLVSMRhb6YZdfffN877a7CBlWPlRC5s488wwqT94kUHyOdIT+Oi UqNACz6i5Tmv9bf6ViS97sjF3JoAg2Uc3nDHFojVojzC6C6MG8tqmy49 0Pg=
393dv6p4d1fhr0kisru6alkuv0vq5th0.postbank.de. 8981 IN RRSIG NSEC3 7 3 86400 20140128024505 20140121024505 55913 postbank.de. fsi6k+JrX3ohDihsO0XG9Upl7UOs7ceMLAv3UBqgf/u7KCJiA/rp6kMO o9nqk0dJVPhcIKnB01aV+2/+MKsX0Df346CCVF11y2+mztL2Cem5K0dj vEnziZCYam34IhbKE+LuWTfPQFq4sUaMYDyXAsZi8anoMgwYtQTUdpRg Ego=
393dv6p4d1fhr0kisru6alkuv0vq5th0.postbank.de. 8981 IN RRSIG NSEC3 7 3 86400 20140128024505 20140121024505 32699 postbank.de. cCDLXMaENZIu31d1Qb4CStZAKxwtRScfyBAGoJ5LQ4mlAjNnnlhqyxNv ig+dnMWa24qL9TLoeBMr25cpcXrHi/+SkSJkQvpuzMf5lVFWekVPPOx1 ZcCPui+etUdrIRcB49a1ksT71STTQUI0noXKH6gZ/k5AisRoN/I/Z+TB ku4=
393dv6p4d1fhr0kisru6alkuv0vq5th0.postbank.de. 8981 IN NSEC3 1 0 1 D252CA1843C35103 393DV6P4D1FHR0KISRU6ALKUV0VQ5TH1

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jan 21 14:20:11 EST 2014
;; MSG SIZE  rcvd: 864

> 20-Jan-2014 12:18:51.415 dnssec: debug 3: validating @0x8071e8300: newsletter.postbank.de DS: in authvalidated
> 20-Jan-2014 12:18:51.415 dnssec: debug 3: validating @0x8071e8300: newsletter.postbank.de DS: resuming nsecvalidate
> 20-Jan-2014 12:18:51.415 dnssec: debug 3: validating @0x8071e8300: newsletter.postbank.de DS: looking for relevant NSEC3
> 20-Jan-2014 12:18:51.415 dnssec: debug 3: validating @0x8071e8300: newsletter.postbank.de DS: looking for relevant NSEC3
> 20-Jan-2014 12:18:51.415 dnssec: debug 3: validating @0x8071e8300: newsletter.postbank.de DS: NSEC3 proves name exists (owner) data=0
> 20-Jan-2014 12:18:51.415 dnssec: debug 3: validating @0x8071e8300: newsletter.postbank.de DS: nonexistence proof(s) found
> 20-Jan-2014 12:18:51.415 resolver: debug 3: fctx 0x80b044860(newsletter.postbank.de/DS): received validation completion event
> 20-Jan-2014 12:18:51.415 dnssec: debug 3: validator @0x8071e8300: dns_validator_destroy
> 20-Jan-2014 12:18:51.415 resolver: debug 3: fctx 0x80b044860(newsletter.postbank.de/DS): nonexistence validation OK
>
> ... right ...
>
> 20-Jan-2014 12:18:51.415 resolver: debug 3: fctx 0x80b044860(newsletter.postbank.de/DS): clone_results
> 20-Jan-2014 12:18:51.415 resolver: debug 3: fctx 0x80b044860(newsletter.postbank.de/DS): done
> 20-Jan-2014 12:18:51.415 resolver: debug 3: fctx 0x80b044860(newsletter.postbank.de/DS): stopeverything
> 20-Jan-2014 12:18:51.415 resolver: debug 3: fctx 0x80b044860(newsletter.postbank.de/DS): cancelqueries
> 20-Jan-2014 12:18:51.415 resolver: debug 3: fctx 0x80b044860(newsletter.postbank.de/DS): sendevents
> 20-Jan-2014 12:18:51.415 resolver: debug 3: fctx 0x80ac04000(postbank.de/DNSKEY): doshutdown
> 20-Jan-2014 12:18:51.415 resolver: debug 3: fctx 0x80ac04000(postbank.de/DNSKEY): stopeverything
> 20-Jan-2014 12:18:51.415 resolver: debug 3: fctx 0x80ac04000(postbank.de/DNSKEY): cancelqueries
> 20-Jan-2014 12:18:51.415 resolver: debug 3: fctx 0x80ac04000(postbank.de/DNSKEY): unlink
> 20-Jan-2014 12:18:51.415 resolver: debug 3: fctx 0x80ac04000(postbank.de/DNSKEY): destroy
> 20-Jan-2014 12:18:51.415 dnssec: debug 3: validating @0x80bb74500: newsletter.postbank.de A: in dsfetched2: ncache nxrrset
> 20-Jan-2014 12:18:51.415 dnssec: debug 3: validating @0x80bb74500: newsletter.postbank.de A: resuming proveunsecure
> 20-Jan-2014 12:18:51.415 dnssec: debug 3: validating @0x80bb74500: newsletter.postbank.de A: insecurity proof failed
>
> ... what? ...
>
> 20-Jan-2014 12:18:51.416 resolver: debug 3: fetch 0x801859ff0 (fctx 0x80b044860(newsletter.postbank.de/DS)): destroyfetch
> 20-Jan-2014 12:18:51.416 resolver: debug 3: fctx 0x80b044860(newsletter.postbank.de/DS): shutdown
> 20-Jan-2014 12:18:51.416 resolver: debug 3: fctx 0x80b044430(newsletter.postbank.de/A): received validation completion event
> 20-Jan-2014 12:18:51.416 dnssec: debug 3: validator @0x80bb74500: dns_validator_destroy
> 20-Jan-2014 12:18:51.416 resolver: debug 3: fctx 0x80b044430(newsletter.postbank.de/A): validation failed
> 20-Jan-2014 12:18:51.416 resolver: debug 3: fctx 0x80b044430(newsletter.postbank.de/A): add_bad
> 20-Jan-2014 12:18:51.416 lame-servers: info: error (insecurity proof failed) resolving 'newsletter.postbank.de/A/IN': 195.140.184.21#53
>
> Tony.
> --
> f.anthony.n.finch <d...@dotat.at> http://dotat.at/
> Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
> Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
> occasionally poor at first.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users