Re: [dnsext] [DNSOP] RFC2308/6604 violation in NSD and BIND?
Peter van Dijk <peter.van.dijk@netherlabs.nl> Fri, 26 October 2012 14:10 UTC
From: Peter van Dijk <peter.van.dijk@netherlabs.nl>
In-Reply-To: <alpine.LFD.2.02.1210260940190.7864@bofh.nohats.ca>
Date: Fri, 26 Oct 2012 16:10:08 +0200
Message-Id: <F2F353F2-F434-4F26-AFC6-B5BEFE6B5035@netherlabs.nl>
References: <54B9D70A-8A29-4778-B054-E0CF4407A7AD@netherlabs.nl> <alpine.LFD.2.02.1210260909570.6690@bofh.nohats.ca> <F5E1B738-951F-4AEB-A0B4-842DF85C95E8@netherlabs.nl> <alpine.LFD.2.02.1210260940190.7864@bofh.nohats.ca>
To: dnsext@ietf.org
Cc: paul@nohats.ca
Subject: Re: [dnsext] [DNSOP] RFC2308/6604 violation in NSD and BIND?
Hello Paul,

moved this reply to dnsext too, as requested by Olafur.

On Oct 26, 2012, at 16:01 , Paul Wouters wrote:

>> nxdomain.example.com does not exist.
>>
>>> How would offline signers deal with this? Pregenerate nsec records
>>> for data that _is_ in the zone?
>>
>> Offline signers would already have generated the NSEC(3) that denies existence
>> of nxdomain.example.com, simply by virtue of the name not existing in the
>> zone.
>
> But wouldn't the chain be built based on LHS? Let's check opendnssec:
>
> [root@nohats signed]# ldns-nsec3-hash cname.nohats.ca. -t 5
> javgjvs1ictdbmts0fcjome4s37kndg0.
> [root@nohats signed]# grep javg nohats.ca
> javgjvs1ictdbmts0fcjome4s37kndg0.nohats.ca. 3600 IN NSEC3 1 0 5 - jn89c3qpvavcumn3cv172r7gbu8h6ffs CNAME RRSIG
> javgjvs1ictdbmts0fcjome4s37kndg0.nohats.ca. 3600 IN RRSIG NSEC3 8 3 3600 20121109223118 20121026121347 52368 nohats.ca. zjkB06zMPYIAdtGnWoA3wRqe2Fg5y4Y7R21qaQovhqXtijwMQJfukhKA4OWO4oj5DVL/v0WTZRJII64XuAUzVs9RZMAcCuDceR0BdAT5CgjbkvEwgq08/PI06hXvScTjPzFSRPPfRJ3ViAinFDPd2JZHgMkTO9Wen0KkVPH/vhc=
> ioukpqjt07l1b83ppfd1grdcc57864ja.nohats.ca. 3600 IN NSEC3 1 0 5 - javgjvs1ictdbmts0fcjome4s37kndg0 A RRSIG
>
> So cname.nohats.ca is part of the nsec3 chain.
>
> So in some sense, the record "exists". I guess validators would have to
> be very careful handling the NXDOMAIN, they might decide it is spoofed
> because they have an existing NSEC/NSEC3 entry for it.
>
> Odd corner case.

There is no corner case. The NXDOMAIN is about the last name in the CNAME chain (RFC2308 1) or the last lookup done in optionally following the chain (RFC6604 3), not about the original QNAME.

In your zone you have:

cname.nohats.ca. 5 IN CNAME doesnotexist.nohats.ca.

cname.nohats.ca exists and is an entry in your NSEC3 chain.
doesnotexist.nohats.ca does not exist and is denied by your NSEC3 chain:

doesnotexist.nohats.ca (5jng314a18r89qab1ilhe54l393kfu8a) denied by 4nbrqak4o1esr5qpg452fucnh8k23d15..6hlm0p5e9c1f3haq64ci0puo97lmtp8g

As for validators, they are not supposed to look at the RCODE anyway. The actual error status ('no such record type' or 'no such name') can always be derived from the NSEC(3) records provided.

Kind regards,
--
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/
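The point Peter makes, that the status comes from the NSEC3 records and not from the RCODE, is easy to check mechanically. Below is an added example (not code from the thread, nor from NSD, BIND or OpenDNSSEC): a small Python validator that hashes names per RFC 5155, builds an NSEC3 chain the way an offline signer would for a constructed example.com. zone, and then derives "exists / no such type" versus "no such name" purely from the chain, including the closest-encloser and wildcard parts of the NXDOMAIN proof that the thread's excerpt does not show. The only values taken from the thread are the two nohats.ca hashes, used to confirm the hash routine agrees with ldns-nsec3-hash. The zone contents, the 5-iteration empty-salt parameters, and the absence of opt-out are assumptions.

```python
"""NSEC3 hashing and NXDOMAIN proof derivation per RFC 5155.

Added example, not code from the thread or from NSD, BIND or OpenDNSSEC.
The example.com. zone below is constructed; the two nohats.ca hashes in
thread_datapoints() are the values pasted in the thread and serve to check
the hash routine against ldns-nsec3-hash. Assumptions: NSEC3 algorithm 1
(SHA-1), 5 iterations, empty salt, opt-out flag 0.
"""
import base64
import hashlib

# RFC 4648 base32 alphabet -> base32hex ("Extended Hex"), which NSEC3 uses.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")
ITERATIONS = 5   # assumed NSEC3PARAM: 1 0 5 -
SALT = b""


def labels(name):
    """Lowercase labels of a dotted name, root label dropped."""
    return [l.lower() for l in name.rstrip(".").split(".") if l]


def wire_name(name):
    """Canonical wire form (lowercase, uncompressed), RFC 4034 section 6.2."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels(name)) + b"\x00"


def nsec3_hash(name, iterations=ITERATIONS, salt=SALT):
    """IH(salt, name, iterations) from RFC 5155 section 5, as lowercase base32hex."""
    h = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):          # 'iterations' extra rounds on top of the first
        h = hashlib.sha1(h + salt).digest()
    return base64.b32encode(h).decode("ascii").translate(_B32_TO_B32HEX).lower()


def thread_datapoints():
    """Hashes of the two nohats.ca names discussed in the thread (same params)."""
    return nsec3_hash("cname.nohats.ca."), nsec3_hash("doesnotexist.nohats.ca.")


# Constructed zone: every existing name, including the empty non-terminal
# sub.example.com., gets an NSEC3 record whose bitmap lists its types.
ZONE = {
    "example.com.":       {"SOA", "NS", "DNSKEY", "NSEC3PARAM", "RRSIG"},
    "a.example.com.":     {"A", "RRSIG"},
    "cname.example.com.": {"CNAME", "RRSIG"},  # its target doesnotexist.example.com. is absent
    "sub.example.com.":   set(),               # empty non-terminal: exists, but no data
    "b.sub.example.com.": {"A", "RRSIG"},
}


def build_chain(zone, iterations=ITERATIONS, salt=SALT):
    """What an offline signer does: hash every name, sort, link each to the next
    (the last wraps to the first). Returns {owner_hash: (next_hash, types)}."""
    ordered = sorted((nsec3_hash(n, iterations, salt), frozenset(t)) for n, t in zone.items())
    return {owner: (ordered[(i + 1) % len(ordered)][0], types)
            for i, (owner, types) in enumerate(ordered)}


def covering_interval(chain, h):
    """(owner, next) of the NSEC3 whose interval strictly covers h, else None.
    None also results when h equals an owner hash, i.e. the name exists."""
    for owner, (nxt, _) in chain.items():
        if owner < nxt:
            covered = owner < h < nxt
        else:                      # last record wraps past the top of the hash space
            covered = h > owner or h < nxt
        if covered:
            return owner, nxt
    return None


def classify(qname, chain, iterations=ITERATIONS, salt=SALT):
    """Derive the status from the NSEC3 chain alone, never from the RCODE.

    ("exists", types)        qname hashes to an NSEC3 owner; empty types means NODATA
    ("nxdomain", encloser)   closest-encloser, next-closer and wildcard proofs all hold
    ("bogus", reason)        the records prove neither outcome
    """
    labs = labels(qname)
    for i in range(len(labs) + 1):   # walk up from qname towards the root
        candidate = ".".join(labs[i:]) + "."
        h = nsec3_hash(candidate, iterations, salt)
        if h in chain:
            if i == 0:
                return "exists", chain[h][1]
            closest_encloser, next_closer = candidate, ".".join(labs[i - 1:]) + "."
            break
    else:
        return "bogus", "no closest encloser matched"
    if covering_interval(chain, nsec3_hash(next_closer, iterations, salt)) is None:
        return "bogus", "next closer name %s not covered" % next_closer
    if covering_interval(chain, nsec3_hash("*." + closest_encloser, iterations, salt)) is None:
        return "bogus", "wildcard *.%s not denied" % closest_encloser
    return "nxdomain", closest_encloser


if __name__ == "__main__":
    chain = build_chain(ZONE)
    for q in ("cname.example.com.", "doesnotexist.example.com.", "sub.example.com."):
        print(q, classify(q, chain))
```

Run as a script it prints the status of the CNAME owner (exists, bitmap CNAME RRSIG), of its non-existent target (nxdomain, closest encloser example.com.) and of the empty non-terminal (exists, empty bitmap, i.e. NODATA), which is exactly the distinction Peter describes: the owner of the CNAME being in the chain says nothing about the target, and the RCODE is never consulted. The interval comparison works on the base32hex strings directly because that alphabet (0-9, a-v) is order-preserving; a zone with the opt-out flag set needs the extra rules of RFC 5155 section 6, which this example deliberately leaves out.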