Re: [Pdns-dev] please review our NSEC3 changes!

Sat, 04 Aug 2012 01:09:33 -0700 

On Fri, 3 Aug 2012 11:09:03 +0200, Peter van Dijk wrote:
> these NSEC3-changes have now been merged into our SVN trunk, at
> revision 2687 (with additional work in 2688+2689, but these should not
> make a functional difference). I have asked Bert to do snapshot static
> rpm/deb builds today.

Not sure if this is just nsec3dig prdoucing confusing output or if
it's pdns itself. cmeerw.priv.at (bind zone file) only has 1 SOA and 2
NS records.

nsec3dig for x.cmeerw.priv.at then results in:

Reply to question for qname='x.cmeerw.priv.at.', qtype=TXT
Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
1       cmeerw.priv.at. IN      SOA     3600    ns.cmeerw.net. 
domain.cmeerw.net. 2010080603 3600 900 1814400 3600
1       cmeerw.priv.at. IN      RRSIG   3600    SOA 8 3 3600 20120816000000 
20120802000000 9138 cmeerw.priv.at. 
PiknjrI0vhkHv12MRdggwBQMR3wiZwpRgiWueZ42YC9DZ7ks6raLO6sRyTZfz9yo540pNy+699ztLoJ5vhamPqaXs/0sC7xIKCksEC7hJqTubQ2DfVHmO49T42qHsVuav6qXl+/9/7IAFwfB/d2iJhNlriMhkKhI27/opA93ajA=
1       8b40po8goooqdt13tad1l7j5oht0puo3.cmeerw.priv.at.        IN      NSEC3   
3600    1 1 1 ab 8B40PO8GOOOQDT13TAD1L7J5OHT0PUO3 NS SOA RRSIG DNSKEY NSEC3PARAM
1       8b40po8goooqdt13tad1l7j5oht0puo3.cmeerw.priv.at.        IN      RRSIG   
3600    NSEC3 8 4 3600 20120816000000 20120802000000 9138 cmeerw.priv.at. 
DtqaYNj0pjgwmTpD5kQqSzGIR5yjVvzT+e68sjO7/J0L2P3Gx6Ma9xGo5dHmTxKWJKzZC/B4aXpnIvSfrl4BjhuNHxujulJayLg23EepRZoZaRKOhRq6MsnQgVdNplxHXcTQb8i3a2AOUIO6XS5aiNwvVJrPAEaZcgcHcGKuWXU=
2       .       IN      OPT     32768   
== nsec3 prove/deny report follows ==
cmeerw.priv.at (8b40po8goooqdt13tad1l7j5oht0puo3) proven by base of 
8b40po8goooqdt13tad1l7j5oht0puo3..8b40po8goooqdt13tad1l7j5oht0puo3
cmeerw.priv.at (8b40po8goooqdt13tad1l7j5oht0puo3) proven by next of 
8b40po8goooqdt13tad1l7j5oht0puo3..8b40po8goooqdt13tad1l7j5oht0puo3
found closest encloser at cmeerw.priv.at
next closer is x.cmeerw.priv.at
next closer (x.cmeerw.priv.at) NOT denied
wildcard at encloser (*.cmeerw.priv.at) is NOT denied or proven

So it claims "NOT denied", but I am not sure if pdns is to blame or if
it's just nsec3dig...


Christof

-- 

http://cmeerw.org                              sip:cmeerw at cmeerw.org
mailto:cmeerw at cmeerw.org                   xmpp:cmeerw at cmeerw.org
_______________________________________________
Pdns-dev mailing list
[email protected]
http://mailman.powerdns.com/mailman/listinfo/pdns-dev

Reply via email to