Hi Folks, I think we can wrap this up thanks to assistance from the reporting site - they're running BIND 9.8.1-P1 (stock package in Ubuntu 12.04 LTS).
This means they don't have the following fix, which appeared in 9.8.2b1. 3175. [bug] Fix how DNSSEC positive wildcard responses from a NSEC3 signed zone are validated. Stop sending a unnecessary NSEC3 record when generating such responses. [RT #26200] I can recreate the problem with a validating resolver running 9.8.1-P1 (Ubuntu 12.04), and the problem is not present using 9.8.2rc1 (stock package in CentOS 6), so I'm fairly sure it's this bug. (For posterity, validation fails with "validating @0x7f4b44014fe0: foo.cnametest.lancs.ac.uk A: noqname proof not found", whilst "validating @0x7f2b3c0008b0: foo.cnametest.lancs.ac.uk A: closest encloser from wildcard signature 'cnametest.lancs.ac.uk'" is *not* logged) The stock Ubuntu configuration is to enable validation (this is good), unfortunately 12.04 LTS is supposedly being (security?) supported into 2017, so it could be quite a while before sites (even the ones who perform package updates regularly) advance into a situation of being able to resolve our wildcard entries. The most recent Ubuntu LTS (14.04) is not affected. I have logged an Ubuntu bug[1] to request this fix is 'back ported' into 12.04. To give a sizing hint on the probabilistic risk of being affected, lancs.ac.uk (an affected zone) has ~50,000 unique owner names, whilst palatine.ac.uk (unaffected), has ~10. We signed lancs.ac.uk in early/mid September, and this is the first real report of DNSSEC-related issues I've seen. > delv +vtrace continues to report "NSEC3 at super-domain" only for > foo.cnametest2.palatine.ac.uk <http://foo.cnametest2.palatine.ac.uk> > records, and not for > foo.cnametest2.lancs.ac.uk <http://foo.cnametest2.lancs.ac.uk>. Is > this a similar > miscalculating-the-owner-name as for DNSViz? > > > Don't know, but I would guess that this is simply recognizing the fact > that in addition to covering the non-existent name, the NSEC3 record > also happens to correspond to palatine.ac.uk <http://palatine.ac.uk>. delv reports the validation as succeeding, so after further reflection I believe this additional message is merely a helpful (?to whom?) diagnostic. Unfortunately there's no obvious (to me, at least) distinction between 'debug', 'interesting' and 'this is where it's gone wrong' log levels in delv +vtrace's output (but I'm not really complaining that much). Graham [1] https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/1395216 _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users