[DNSSEC-Ops] DNSSEC missing NSEC records

Brian Somers (brsomers) brsomers at cisco.com
Wed Oct 9 07:19:30 UTC 2019


Hi,

In response to my own message, it looks like there is actually no problem at all. My apologies for the noise.

My mistake was in the fact that the 17.2.in-addr.arpa NSEC record has a ‘next’ field of 71.179.2.in-addr.arpa, which in fact proves the existence of 179.2.in-addr.arpa which in turn blocks the synthesis of *.2.in-addr.arpa. This changes the required proof to denying *.179.2.in-addr.arpa and 210.179.2.in-addr.arpa, both of which are denied by that same 17.2.in-addr.arpa NSEC record.

Again, sorry for the noise.

--
Brian

From: "Brian Somers (brsomers)" <brsomers at cisco.com>
Date: Friday, October 4, 2019 at 3:56 PM
To: "dnssec-ops at afrinic.net" <dnssec-ops at afrinic.net>
Subject: DNSSEC missing NSEC records

Hi,

Hopefully this email will reach a human. In summary, I am querying your nameservers with a query whose response is a negative result. The negative result does not supply correct NSEC proof, so the result is being thrown away. According to your web page at https://afrinic.net/dnssec, you are using standard tools, so perhaps an upgrade is necessary?

The details:

$ dig +dnssec PTR 55.210.179.2.in-addr.arpa

; <<>> DiG 9.10.3-P4-Debian <<>> +dnssec PTR 55.210.179.2.in-addr.arpa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 13221
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 16384
;; QUESTION SECTION:
;55.210.179.2.in-addr.arpa. IN PTR

;; AUTHORITY SECTION:
2.in-addr.arpa. 529 IN SOA pri.authdns.ripe.net. dns.ripe.net. 1570034799 3600 600 864000 3600
2.in-addr.arpa. 529 IN RRSIG SOA 8 3 3600 20191018205054 20191004192054 48919 2.in-addr.arpa. XQQvfbQaC362wJKmA/77JlP4kL3EFsmAs3+ByNfUreFxDYAa/no6PqFO OkyL9n0TYnaxT66vNCktUscMQvO1M5gNJ19tPDlZA+pVN2nzGZZzfUql WJl9EwfyLFkO2ZmwIBBdejgPtUuiS6qdg8r/4oESfEch+YgcNNJrDzTb ts4=
17.2.in-addr.arpa. 529 IN NSEC 71.179.2.in-addr.arpa. NS RRSIG NSEC
17.2.in-addr.arpa. 529 IN RRSIG NSEC 8 4 3600 20191014161051 20190930144051 48919 2.in-addr.arpa. NIK1UeZMTlTYD/TqjYHH73UUiIkwK0i5YqLWjEh+hXLgmpv9nutrXPE2 YHLSSd6Uev7RwXyfIJ7XoTymuKfeOKvUBiMz3mElf0WOoAmWgcYiCn9y AzPOca/0xJ1lV6k7IUsMdaijsOR6/FRh0adVhb4VmtSh7qJfQEM8cXOk EiU=

;; Query time: 71 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Fri Oct 04 22:37:54 UTC 2019
;; MSG SIZE rcvd: 508

The response correctly denies the existence of 179.2.in-addr.arpa and everything below it, but it does not deny the existence of *.2.in-addr.arpa (the wildcard record) which, if present, would expand to 55.210.179.2.in-addr.arpa.

This can be seen also here: https://dnssec-analyzer.verisignlabs.com/55.210.179.2.in-addr.arpa
and here: http://dnsviz.net/d/55.210.179.2.in-addr.arpa/dnssec/

Are there any plans to address this issue? Thanks for your time.

--
Brian
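The reasoning in Brian's follow-up (the NSEC's "next" name 71.179.2.in-addr.arpa proves 179.2.in-addr.arpa exists, so the closest encloser is 179.2.in-addr.arpa and the wildcard that must be denied is *.179.2.in-addr.arpa, not *.2.in-addr.arpa) is exactly what a validating resolver computes for an NXDOMAIN response. The following is an added worked example, not code from the thread or from AFRINIC's tooling. It implements canonical name ordering from RFC 4034 section 6.1, NSEC coverage, and the RFC 4035 section 5.4 NXDOMAIN proof (deny QNAME, deny the wildcard at the closest encloser), using only the one NSEC record from the dig output above. The closest-encloser derivation (longest ancestor that QNAME shares with the NSEC owner or next name, both of which are known to exist) is the approach common validators take; names are handled as plain strings with no DNS library.

```python
"""Added example: an NSEC denial-of-existence check for the query in this thread.

Not part of the original mail. Standard library only; names are dotted strings
with a trailing dot. The NSEC record below is the one returned in the dig output
(17.2.in-addr.arpa. NSEC 71.179.2.in-addr.arpa.).
"""


def _labels(name):
    """Lower-cased labels in root-first order, e.g. 'a.b.' -> ['b', 'a']."""
    name = name.rstrip(".").lower()
    return [] if name == "" else name.split(".")[::-1]


def canonical_cmp(a, b):
    """RFC 4034 s6.1 ordering: compare labels from the root down, byte-wise and
    case-insensitively; a label that is a prefix of another sorts first, and a
    name with fewer labels sorts before its descendants. Returns -1, 0 or 1."""
    la, lb = _labels(a), _labels(b)
    for x, y in zip(la, lb):
        bx, by = x.encode(), y.encode()
        if bx != by:
            return -1 if bx < by else 1
    return (len(la) > len(lb)) - (len(la) < len(lb))


def nsec_covers(owner, nxt, name):
    """True if name sorts strictly between the NSEC owner and its next name.
    When next <= owner the record is the last one in the zone and wraps around
    to the apex, so it covers everything after owner."""
    if canonical_cmp(owner, nxt) < 0:
        return canonical_cmp(owner, name) < 0 and canonical_cmp(name, nxt) < 0
    return canonical_cmp(owner, name) < 0 or canonical_cmp(name, nxt) < 0


def common_ancestor(a, b):
    """Longest common suffix (as a domain name) of a and b; '.' if none."""
    la, lb = _labels(a), _labels(b)
    n = 0
    while n < min(len(la), len(lb)) and la[n] == lb[n]:
        n += 1
    return ".".join(la[:n][::-1]) + "."


def closest_encloser(qname, owner, nxt):
    """Longest existing ancestor of qname that this NSEC lets us infer: both the
    owner and the next name exist, so every ancestor of either exists too."""
    c_owner, c_next = common_ancestor(qname, owner), common_ancestor(qname, nxt)
    return c_owner if len(_labels(c_owner)) >= len(_labels(c_next)) else c_next


def next_closer(qname, ce):
    """The child of the closest encloser on the path to qname: the first name
    on that path that does not exist."""
    lq = _labels(qname)
    n = len(_labels(ce))
    return ".".join(lq[:n + 1][::-1]) + "."


def prove_nxdomain(qname, nsecs):
    """RFC 4035 s5.4: an NXDOMAIN needs an NSEC covering qname and an NSEC
    covering *.<closest encloser>. nsecs is a list of (owner, next) pairs.
    Returns a dict describing the proof, or None when the NSECs don't prove it.
    A wildcard that exists as an NSEC owner is never 'covered' (strict order),
    so such a response correctly fails here: it should have been an expansion."""
    for owner, nxt in nsecs:
        if not nsec_covers(owner, nxt, qname):
            continue
        ce = closest_encloser(qname, owner, nxt)
        wildcard = "*." + ce
        for w_owner, w_next in nsecs:
            if nsec_covers(w_owner, w_next, wildcard):
                return {
                    "closest_encloser": ce,
                    "next_closer": next_closer(qname, ce),
                    "wildcard": wildcard,
                    "qname_nsec": owner,
                    "wildcard_nsec": w_owner,
                }
    return None


# The NSEC from the dig output in this thread (owner, next).
THREAD_NSECS = [("17.2.in-addr.arpa.", "71.179.2.in-addr.arpa.")]
THREAD_QNAME = "55.210.179.2.in-addr.arpa."

if __name__ == "__main__":
    proof = prove_nxdomain(THREAD_QNAME, THREAD_NSECS)
    print("proof:", proof)
    # The wildcard the original mail asked for is NOT covered by this NSEC,
    # which is why it looked like a missing proof; the one a validator
    # actually needs (*.179.2.in-addr.arpa.) is.
    print("*.2.in-addr.arpa. covered:", nsec_covers(*THREAD_NSECS[0], "*.2.in-addr.arpa."))
```

Running it prints the closest encloser 179.2.in-addr.arpa., the next closer 210.179.2.in-addr.arpa., and the wildcard *.179.2.in-addr.arpa., all denied by the single NSEC, and confirms that *.2.in-addr.arpa. is not covered by it, which is the gap the original mail was (incorrectly) looking at. This is the same pair of checks the Verisign and DNSViz analyzers linked above perform.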
