[DNSSEC-Ops] DNSSEC missing NSEC records

Brian Somers (brsomers) brsomers at cisco.com
Wed Oct 9 07:19:30 UTC 2019

Previous message: [DNSSEC-Ops] DNSSEC missing NSEC records
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi,

In response to my own message, it looks like there is actually no problem at all. My apologies for the noise.

My mistake was in the fact that the 17.2.in-addr.arpa NSEC record has a ‘next’ field of 71.179.2.in-addr.arpa, which in fact proves the existence of 179.2.in-addr.arpa which in turn blocks the synthesis of *.2.in-addr.arpa. This changes the required proof to denying *.179.2.in-addr.arpa and 210.179.2.in-addr.arpa, both of which are denied by that same 17.2.in-addr.arpa NSEC record.

Again, sorry for the noise.

--
Brian

From: "Brian Somers (brsomers)" <brsomers at cisco.com>
Date: Friday, October 4, 2019 at 3:56 PM
To: "dnssec-ops at afrinic.net" <dnssec-ops at afrinic.net>
Subject: DNSSEC missing NSEC records

Hi,

Hopefully this email will reach a human. In summary, I am querying your nameservers with a query who’s response is a negative result. The negative result does not supply correct NSEC proof, so the result is being thrown away. According to your web page at https://afrinic.net/dnssec, you are using standard tools, so perhaps an upgrade is necessary?

The details:

$ dig +dnssec PTR 55.210.179.2.in-addr.arpa

; <<>> DiG 9.10.3-P4-Debian <<>> +dnssec PTR 55.210.179.2.in-addr.arpa

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 13221

;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:

; EDNS: version: 0, flags: do; udp: 16384

;; QUESTION SECTION:

;55.210.179.2.in-addr.arpa. IN PTR

;; AUTHORITY SECTION:

2.in-addr.arpa. 529 IN SOA pri.authdns.ripe.net. dns.ripe.net. 1570034799 3600 600 864000 3600

2.in-addr.arpa. 529 IN RRSIG SOA 8 3 3600 20191018205054 20191004192054 48919 2.in-addr.arpa. XQQvfbQaC362wJKmA/77JlP4kL3EFsmAs3+ByNfUreFxDYAa/no6PqFO OkyL9n0TYnaxT66vNCktUscMQvO1M5gNJ19tPDlZA+pVN2nzGZZzfUql WJl9EwfyLFkO2ZmwIBBdejgPtUuiS6qdg8r/4oESfEch+YgcNNJrDzTb ts4=

17.2.in-addr.arpa. 529 IN NSEC 71.179.2.in-addr.arpa. NS RRSIG NSEC

17.2.in-addr.arpa. 529 IN RRSIG NSEC 8 4 3600 20191014161051 20190930144051 48919 2.in-addr.arpa. NIK1UeZMTlTYD/TqjYHH73UUiIkwK0i5YqLWjEh+hXLgmpv9nutrXPE2 YHLSSd6Uev7RwXyfIJ7XoTymuKfeOKvUBiMz3mElf0WOoAmWgcYiCn9y AzPOca/0xJ1lV6k7IUsMdaijsOR6/FRh0adVhb4VmtSh7qJfQEM8cXOk EiU=

;; Query time: 71 msec

;; SERVER: 208.67.222.222#53(208.67.222.222)

;; WHEN: Fri Oct 04 22:37:54 UTC 2019

;; MSG SIZE rcvd: 508

The response correctly denies the existence of 179.2.in-addr.arpa and everything below it, but it does not deny the existence of *.2.in-addr.arpa (the wildcard record) which, if present, would expand to 55.210.179.2.in-addr.arpa.

This can be seen also here: https://dnssec-analyzer.verisignlabs.com/55.210.179.2.in-addr.arpa
and here: http://dnsviz.net/d/55.210.179.2.in-addr.arpa/dnssec/

Are there any plans to address this issue? Thanks for your time.

--
Brian

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.afrinic.net/pipermail/dnssec-ops/attachments/20191009/09f238b6/attachment-0001.html>

Previous message: [DNSSEC-Ops] DNSSEC missing NSEC records
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the DNSSEC-Ops mailing list