Re: [DNSOP] How Slack didn't turn on DNSSEC

Philip Homburg <> Wed, 01 December 2021 10:47 UTC

In-reply-to: Your message of "Wed, 1 Dec 2021 19:35:52 +1100 ." <>

> Also stop hiding this
> breakage. Knot and unbound ignore the NSEC records which trigger
> this when synthesising.  All it does is push the problem down the
> road and makes it harder for others to do proper synthesis based
> on the records returned.

I'm confused what this means. In the report from Slack about the incident
I found that the problem started with a bad NSEC record, shown in their
debug output as:

    2370    IN      NSEC    \ RRSIG NSEC

This is returned in response to a AAAA query. The intent was that the NSEC
record should have the 'A' bit as well.

What exactly do Knot and Unbound ignore in this case?

Is it that they should have special processing for an NSEC that has only
RRSIG and NSEC and nothing more?
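
The following is an added example, not part of the original message or of any resolver's code. It encodes and decodes the NSEC type bitmap (RFC 4034, section 4.1.2) for the two cases the message contrasts, and shows what a validator that reuses a cached NSEC concludes for A and AAAA queries. The function names and the constructed bitmaps are assumptions made for illustration.

```python
# Added example. RR type numbers are from the IANA DNS parameters registry.
TYPES = {"A": 1, "NS": 2, "AAAA": 28, "RRSIG": 46, "NSEC": 47}

def encode_bitmap(names):
    """Encode RR type mnemonics as NSEC window blocks (RFC 4034, 4.1.2)."""
    windows = {}
    for name in names:
        t = TYPES[name]
        block = windows.setdefault(t // 256, bytearray(32))
        block[(t % 256) // 8] |= 0x80 >> (t % 8)   # bit 0 is the MSB
    out = b""
    for win in sorted(windows):
        bits = bytes(windows[win]).rstrip(b"\x00")  # drop trailing zero octets
        out += bytes([win, len(bits)]) + bits
    return out

def decode_bitmap(wire):
    """Decode window blocks into a set of type numbers; reject malformed data."""
    types, i, last = set(), 0, -1
    while i < len(wire):
        if i + 2 > len(wire):
            raise ValueError("truncated window header")
        win, length = wire[i], wire[i + 1]
        if not 1 <= length <= 32 or win <= last or i + 2 + length > len(wire):
            raise ValueError("malformed window block")
        for off, octet in enumerate(wire[i + 2:i + 2 + length]):
            types.update(win * 256 + off * 8 + b
                         for b in range(8) if octet & (0x80 >> b))
        last, i = win, i + 2 + length
    return types

def proves_nodata(bitmap_wire, qtype):
    """True if a validated NSEC owned by the query name denies qtype.
    Simplified: CNAME and delegation handling are left out."""
    return TYPES[qtype] not in decode_bitmap(bitmap_wire)

# Constructed bitmaps: the one in the message, and the one it says was intended.
AS_PUBLISHED = encode_bitmap(["RRSIG", "NSEC"])
AS_INTENDED = encode_bitmap(["A", "RRSIG", "NSEC"])

if __name__ == "__main__":
    for label, bm in (("published", AS_PUBLISHED), ("intended", AS_INTENDED)):
        for qtype in ("A", "AAAA"):
            print(label, bm.hex(), qtype, "NODATA:", proves_nodata(bm, qtype))
```

With only the RRSIG and NSEC bits set, the same signed record that answers the AAAA query also denies A, which is why the missing A bit matters once the NSEC is cached and reused.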