[Opendnssec-user] NSEC3 records with empty Type Bit Maps field?

Sebastian Castro sebastian at nzrs.net.nz
Mon Aug 9 22:01:26 UTC 2010


While using Duane's tool YAZVS (http://yazvs.verisignlabs.com/) to
verify a signed version of the co.nz zone, I stepped on a curious case.

Currently I'm signing the zone with NSEC3 without Opt-Out and there are
22 NSEC3 records with an empty Type Bit Maps field representation. I
couldn't find a reference in RFC 5155 saying that value could be empty.

So a normal delegation in the signed zone will look like this:

trademe.co.nz.  86400   IN  NS  ns1.trademe.co.nz.
trademe.co.nz.  86400   IN  NS  ns2.trademe.co.nz.
trademe.co.nz.  86400   IN  NS  ns3.trademe.co.nz.
trademe.co.nz.  86400   IN  NS  ns4.trademe.co.nz.
vhquglfsgbhs4r0ri8hlphqk00kk950c.co.nz. 3600    IN  NSEC3   1 0 5
23b431f77625ad5d  vhqulb93jlf3mgckjs93bdtev0tgf22h NS
vhquglfsgbhs4r0ri8hlphqk00kk950c.co.nz. 3600    IN  RRSIG   NSEC3 7 3
3600 20100810083824 20100808175000 53435 co.nz.

and then the next sequence of NS+NSEC3+RRSIG will follow,
but in the very few strange cases, it looks like this:

oma-rapiti.co.nz.   86400   IN  NS  ns1.openhost.net.nz.
oma-rapiti.co.nz.   86400   IN  NS  ns2.openhost.net.nz.
oma-rapiti.co.nz.   86400   IN  NS  ns3.openhost.net.nz.
rbdkpg1fmijiaah7mf7n0h1ufbtbav5b.co.nz. 3600    IN  NSEC3   1 0 5
23b431f77625ad5d  rbdl6o7oqkad3u8n3bm6soo4jfhgi0h2 NS
rbdkpg1fmijiaah7mf7n0h1ufbtbav5b.co.nz. 3600    IN  RRSIG   NSEC3 7 3
3600 20100810053112 20100808175000 53435 co.nz.
;{id = 53435}

rbdl6o7oqkad3u8n3bm6soo4jfhgi0h2.co.nz. 3600    IN  NSEC3   1 0 5
23b431f77625ad5d  rbdof4uj5oj1cebdk0ud74vnnr0me7ch
rbdl6o7oqkad3u8n3bm6soo4jfhgi0h2.co.nz. 3600    IN  RRSIG   NSEC3 7 3
3600 20100810054536 20100808175000 53435 co.nz.

So the sequence is NS+NSEC3+RRSIG+NSEC3_with_no_type+RRSIG.

YAZVS barks with that, named-checkzone doesn't complain,
ldns-verify-zone hasn't finished after 12 hours running.

Looks like an OpenDNSSEC bug? Is that valid, or should I go and check
YAZVS dependencies for errors?

Sebastian Castro
DNS Specialist
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337
mobile: +64 21 400535
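
Added example, not part of the original message and not OpenDNSSEC or YAZVS code: a small Python check that re-joins mail-wrapped zone lines, lists the NSEC3 records whose Type Bit Maps field is empty, and computes the RFC 5155 SHA-1 hash so a candidate owner name can be matched to a hashed owner. The function names and the SAMPLE text are assumptions made for this illustration; SAMPLE is built from the records quoted above.

```python
import base64
import hashlib

# Constructed sample: the two mail-wrapped NSEC3 records quoted in the message
# (RRSIG lines left out; their signature data is not on the page).
SAMPLE = """\
oma-rapiti.co.nz.   86400   IN  NS  ns1.openhost.net.nz.
rbdkpg1fmijiaah7mf7n0h1ufbtbav5b.co.nz. 3600    IN  NSEC3   1 0 5
23b431f77625ad5d  rbdl6o7oqkad3u8n3bm6soo4jfhgi0h2 NS
rbdl6o7oqkad3u8n3bm6soo4jfhgi0h2.co.nz. 3600    IN  NSEC3   1 0 5
23b431f77625ad5d  rbdof4uj5oj1cebdk0ud74vnnr0me7ch
"""
B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                       "0123456789abcdefghijklmnopqrstuv")

def parse_nsec3(text):
    """Re-join wrapped records, then return one dict per NSEC3 RR."""
    records = []
    for line in text.splitlines():
        fields = line.split(";")[0].split()
        if len(fields) >= 4 and fields[1].isdigit() and fields[2] == "IN":
            records.append(fields)        # owner TTL class type ...: a new record
        elif fields and records:
            records[-1].extend(fields)    # anything else continues the previous one
    return [{"owner": f[0].lower(), "iterations": int(f[6]), "salt": f[7],
             "next": f[8].lower(), "types": f[9:]}
            for f in records if f[3] == "NSEC3" and len(f) >= 9]

def empty_bitmap_owners(text):
    """Owners of NSEC3 RRs whose Type Bit Maps field lists no types."""
    return [r["owner"] for r in parse_nsec3(text) if not r["types"]]

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 SHA-1 hash of a name, to match a candidate name to a hashed owner."""
    labels = name.lower().rstrip(".").encode().split(b".")
    wire = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):           # "iterations" counts the extra rounds
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode().translate(B32HEX)

if __name__ == "__main__":
    for owner in empty_bitmap_owners(SAMPLE):
        print("empty Type Bit Maps:", owner)
```

On a full zone file, pass the file contents to `empty_bitmap_owners` and compare the count with the 22 records reported above.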
