[Opendnssec-user] Occluded data?

Sebastian Castro sebastian at nzrs.net.nz
Thu Oct 21 05:25:57 CEST 2010


Today our testing signing box started spitting messages like the following:

ods-signerd: occluded (non-glue non-DS) data at
classificationoffice.net.nz. NS
ods-signerd: occluded (non-glue non-DS) data at dat.net.nz. NS
ods-signerd: occluded (non-glue non-DS) data at jt.net.nz. NS
ods-signerd: update zone net.nz failed: zone data contains errors

One of the records in the unsigned zone looks like this:

dat.net.nz. NS  dat.net.nz.
dat.net.nz. A
dat.net.nz. NS  delusionz.co.nz.

In the signed zone, it looks like this:

dat.net.nz. 86400   IN  A
dat.net.nz. 86400   IN  NS  dat.net.nz.
dat.net.nz. 86400   IN  NS  delusionz.co.nz.
6gu45a8gtd0d6dc27i3p3qklj40itftd.net.nz.    3600    IN  NSEC3   1 0 5 36e9f47c6ce8721a  6gu5sl6o269gc7ismcrofls2le8a28as A NS
6gu45a8gtd0d6dc27i3p3qklj40itftd.net.nz.    3600    IN  RRSIG   NSEC3 7 3 3600 20101016115603 20101015025000 26768 net.nz.
;{id = 26768}

(I'm aware the signatures are expired, it's not production)

After checking the Glue Clarifications draft
(http://tools.ietf.org/html/draft-ietf-dnsext-dnssec-records-11) and RFC
5936 http://tools.ietf.org/search/rfc5936#section-3.5 (thanks Hugo for
the pointer), I didn't find any reference to "occluded names."

It seems the signer considers that the A record is occluding the delegation,
but from my limited point of view that's completely valid (as "narrow"

Is this a corner case that requires documentation?

Sebastian Castro
DNS Specialist
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337
mobile: +64 21 400535
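As an added illustration (not part of the original post, and not ods-signerd's own code), the following toy checker applies the occlusion rule from RFC 4035 section 2.3 to the records quoted above: at a delegation point below the apex only NS and DS are authoritative, and other data at or below the cut is occluded unless it is glue. The example takes the reading that an A/AAAA record at or below a cut whose owner name appears in the rdata of some NS record in the zone is glue; that reading, the apex name, the placeholder addresses and the extra records (www.dat.net.nz, jt.net.nz TXT/DS) are assumptions chosen to exercise each branch, not data from the post.

```python
"""Toy zone-cut occlusion checker (added example, not ods-signerd code).

Rule implemented (RFC 4035 section 2.3): below the apex, a name owning an
NS RRset is a delegation point. At that name only NS and DS are authoritative;
any other RRset at or below the cut is occluded, except address records that
serve as glue. Glue is taken here to mean an A/AAAA RRset whose owner name is
referenced by an NS record somewhere in the zone (this is an assumption about
how the rule is applied, not a statement about what the signer does).
"""

APEX = "net.nz."

# Constructed sample. The first three records mirror the post; the A rdata is
# a placeholder (RFC 5737 documentation space) because the post elides it.
# The remaining records are added to exercise the other branches.
RECORDS = [
    ("dat.net.nz.", "NS", "dat.net.nz."),
    ("dat.net.nz.", "A", "192.0.2.1"),            # at the cut, referenced by NS: glue
    ("dat.net.nz.", "NS", "delusionz.co.nz."),
    ("www.dat.net.nz.", "A", "192.0.2.2"),        # below the cut, not referenced: occluded
    ("jt.net.nz.", "NS", "ns.jt.net.nz."),
    ("ns.jt.net.nz.", "A", "192.0.2.4"),          # in-bailiwick glue
    ("jt.net.nz.", "TXT", "hello"),               # non-glue non-DS at the cut: occluded
    ("jt.net.nz.", "DS", "12345 7 1 deadbeef"),   # DS at the cut is allowed
]


def _strictly_below(name, cut):
    """True if name is a proper subdomain of cut (both fully qualified)."""
    return name != cut and name.endswith("." + cut)


def find_occluded(records, apex):
    """Return the (owner, type, rdata) tuples that are occluded by a zone cut.

    records: iterable of (owner, rtype, rdata) with fully qualified owners.
    apex:    the zone's apex name; NS there is the apex NS set, not a cut.
    """
    cuts = {owner for owner, rtype, _ in records if rtype == "NS" and owner != apex}
    ns_targets = {rdata for _, rtype, rdata in records if rtype == "NS"}
    occluded = []
    for owner, rtype, rdata in records:
        under_a_cut = any(_strictly_below(owner, c) for c in cuts)
        at_a_cut = owner in cuts
        if not under_a_cut and not at_a_cut:
            continue                                  # ordinary authoritative data
        if rtype in ("A", "AAAA") and owner in ns_targets:
            continue                                  # glue: unsigned but not an error
        if at_a_cut and not under_a_cut and rtype in ("NS", "DS"):
            continue                                  # the delegation itself
        # Everything else at or below a cut (including NS of a cut that sits
        # below another cut) is occluded.
        occluded.append((owner, rtype, rdata))
    return occluded


if __name__ == "__main__":
    for owner, rtype, rdata in find_occluded(RECORDS, APEX):
        print("occluded (non-glue non-DS) data at %s %s %s" % (owner, rtype, rdata))
```

Under this reading the A record at dat.net.nz. is glue for the first NS record and is not reported, while the added www.dat.net.nz. A and jt.net.nz. TXT records are.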

