[Opendnssec-user] Occluded data?
Sebastian Castro
sebastian at nzrs.net.nz
Thu Oct 21 03:25:57 UTC 2010
Hi:
Today our testing signing box started spitting messages like the following:
ods-signerd: occluded (non-glue non-DS) data at classificationoffice.net.nz. NS
ods-signerd: occluded (non-glue non-DS) data at dat.net.nz. NS
ods-signerd: occluded (non-glue non-DS) data at jt.net.nz. NS
ods-signerd: update zone net.nz failed: zone data contains errors
One of the records in the unsigned zone looks like this:
dat.net.nz. NS dat.net.nz.
dat.net.nz. A 60.234.147.64
dat.net.nz. NS delusionz.co.nz.
In the signed zone, it looks like this:
dat.net.nz. 86400 IN A 60.234.147.64
dat.net.nz. 86400 IN NS dat.net.nz.
dat.net.nz. 86400 IN NS delusionz.co.nz.
6gu45a8gtd0d6dc27i3p3qklj40itftd.net.nz. 3600 IN NSEC3 1 0 5 36e9f47c6ce8721a 6gu5sl6o269gc7ismcrofls2le8a28as A NS
6gu45a8gtd0d6dc27i3p3qklj40itftd.net.nz. 3600 IN RRSIG NSEC3 7 3 3600 20101016115603 20101015025000 26768 net.nz. eSLbEstFBJmToZK0LjAbekPd55rzDjse/+LbCjDgriHRjUygHbKR53jt/Vr2fLH09VyvViV0MRY4Pma2rJqp61n4x6U+dCGYcjLa/bPDkXsNgLt4UzU+6rNywDKzwXkVh6aD6DdI9Dz9MceD3eMqRr1QkgsZ+xd6BzPcyVnzFAs= ;{id = 26768}
(I'm aware the signatures are expired, it's not production)
After checking the Glue Clarifications draft
(http://tools.ietf.org/html/draft-ietf-dnsext-dnssec-records-11) and RFC
5936 http://tools.ietf.org/search/rfc5936#section-3.5 (thanks Hugo for
the pointer), I didn't find any reference to "occluded names."
It seems the signer considers the A record is occluding the delegation,
but from my limited point of view that's completely valid (as "narrow"
glue).
Is this a corner case that requires documentation?
cheers,
--
Sebastian Castro
DNS Specialist
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337
mobile: +64 21 400535
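
The "narrow glue" reading argued in the post above, written out as a pre-signing check. This is an added example, not part of the original message and not OpenDNSSEC's logic; the signer in the post reported dat.net.nz as occluded, while this sketch treats an address record at the cut as glue when the name is also one of the delegation's NS targets. The apex NS, the TXT record and all function names are assumptions made for the illustration.

```python
# Added illustration; not OpenDNSSEC code. Input format: "owner TYPE rdata".
ORIGIN = "net.nz."
# Constructed sample: the three unsigned records quoted in the post, plus an
# apex NS and a TXT below the cut (both invented here for contrast).
SAMPLE = """\
net.nz. NS ns1.example.
dat.net.nz. NS dat.net.nz.
dat.net.nz. A 60.234.147.64
dat.net.nz. NS delusionz.co.nz.
www.dat.net.nz. TXT "below the cut"
"""

def parse(text):
    """Return (owner, type, rdata) tuples, lower-casing owner names."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3:
            rows.append((parts[0].lower(), parts[1].upper(), parts[2].strip()))
    return rows

def at_or_below(name, cut):
    return name == cut or name.endswith("." + cut)

def classify(text, origin=ORIGIN):
    """Label each record: authoritative, delegation, glue or occluded."""
    rows = parse(text)
    # Zone cuts: owners of NS RRsets other than the apex.
    cuts = {o for o, t, _ in rows if t == "NS" and o != origin}
    # Name servers named by those delegations; their addresses count as glue.
    ns_targets = {r.lower() for o, t, r in rows if t == "NS" and o in cuts}
    out = []
    for owner, rtype, _ in rows:
        # Topmost cut at or above this owner, if any.
        cut = next((c for c in sorted(cuts, key=len) if at_or_below(owner, c)), None)
        if cut is None or (owner == cut and rtype == "DS"):
            label = "authoritative"      # DS is signed on the parent side
        elif owner == cut and rtype == "NS":
            label = "delegation"
        elif rtype in ("A", "AAAA") and owner in ns_targets:
            label = "glue"               # includes an address at the cut itself
        else:
            label = "occluded"
        out.append((owner, rtype, label))
    return out

if __name__ == "__main__":
    for owner, rtype, label in classify(SAMPLE):
        print(f"{owner:18} {rtype:4} {label}")
```

Running a check like this over the unsigned zone before it reaches the signer shows which names would need attention under this reading, for comparison with the names the signer logs.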