[Opendnssec-user] Occluded data?

Matthijs Mekking matthijs at NLnetLabs.nl
Mon Oct 25 12:17:44 UTC 2010


Hi Sebastian,

Thanks for the catch. This glue is allowed because the owner of the glue
exists at the right side of the NS RRset. Should be fixed in r4136.

Best regards,

Matthijs

On 10/21/2010 05:25 AM, Sebastian Castro wrote:
> Hi:
> 
> Today our testing signing box started spitting messages like the following:
> 
> ods-signerd: occluded (non-glue non-DS) data at classificationoffice.net.nz. NS
> ods-signerd: occluded (non-glue non-DS) data at dat.net.nz. NS
> ods-signerd: occluded (non-glue non-DS) data at jt.net.nz. NS
> ods-signerd: update zone net.nz failed: zone data contains errors
> 
> One of the records in the unsigned zone looks like this:
> 
> dat.net.nz. NS  dat.net.nz.
> dat.net.nz. A   60.234.147.64
> dat.net.nz. NS  delusionz.co.nz.
> 
> In the signed zone, it looks like this:
> 
> dat.net.nz. 86400   IN  A   60.234.147.64
> dat.net.nz. 86400   IN  NS  dat.net.nz.
> dat.net.nz. 86400   IN  NS  delusionz.co.nz.
> 6gu45a8gtd0d6dc27i3p3qklj40itftd.net.nz.    3600    IN  NSEC3   1 0 5
> 36e9f47c6ce8721a  6gu5sl6o269gc7ismcrofls2le8a28as A NS
> 6gu45a8gtd0d6dc27i3p3qklj40itftd.net.nz.    3600    IN  RRSIG   NSEC3 7
> 3 3600 20101016115603 20101015025000 26768 net.nz.
> eSLbEstFBJmToZK0LjAbekPd55rzDjse/+LbCjDgriHRjUygHbKR53jt/Vr2fLH09VyvViV0MRY4Pma2rJqp61n4x6U+dCGYcjLa/bPDkXsNgLt4UzU+6rNywDKzwXkVh6aD6DdI9Dz9MceD3eMqRr1QkgsZ+xd6BzPcyVnzFAs=
> ;{id = 26768}
> 
> (I'm aware the signatures are expired, it's not production)
> 
> After checking the Glue Clarifications draft
> (http://tools.ietf.org/html/draft-ietf-dnsext-dnssec-records-11) and RFC
> 5936 http://tools.ietf.org/search/rfc5936#section-3.5 (thanks Hugo for
> the pointer), I didn't find any reference to "occluded names."
> 
> It seems the signer considers the A record is occluding the delegation,
> but from my limited point of view that's completely valid (as "narrow"
> glue).
> 
> Is this a corner case that requires documentation?
> 
> cheers,
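
The rule stated in the reply (an address record at a delegation point is glue when its owner appears on the right-hand side of the NS RRset), sketched in Python as an added example; it is not OpenDNSSEC's code, and the function names, class labels and the records marked constructed are assumptions. It goes slightly beyond the thread by applying the same test to names below the cut and treating everything else there as occluded.

```python
# Added example (not OpenDNSSEC code): classify records relative to zone cuts.
from collections import defaultdict

ADDRESS_TYPES = {"A", "AAAA"}

def norm(name):
    """Lower-case a domain name and make it absolute."""
    return name.lower().rstrip(".") + "."

def classify(apex, records):
    """Map each (owner, rtype, rdata) tuple to a class label (labels are assumptions)."""
    apex = norm(apex)
    ns_targets = defaultdict(set)  # delegation point -> names on the right of its NS RRset
    for owner, rtype, rdata in records:
        if rtype == "NS" and norm(owner) != apex:
            ns_targets[norm(owner)].add(norm(rdata))

    def enclosing_cut(name):
        # Walk up towards the apex; the cut closest to the apex is the real one.
        cut = None
        while name.endswith("." + apex):
            if name in ns_targets:
                cut = name
            name = name.split(".", 1)[1]
        return cut

    result = {}
    for owner, rtype, rdata in records:
        name = norm(owner)
        cut = enclosing_cut(name)
        if cut is None:
            label = "authoritative"
        elif name == cut and rtype == "NS":
            label = "delegation"
        elif name == cut and rtype == "DS":
            label = "authoritative"   # DS belongs to the parent and is signed
        elif rtype in ADDRESS_TYPES and name in ns_targets[cut]:
            label = "glue"            # owner is an NS target of this cut
        else:
            label = "occluded"        # assumption: all other data at/below a cut
        result[(owner, rtype, rdata)] = label
    return result

ZONE = [
    ("net.nz.", "NS", "ns.example."),              # constructed apex NS
    ("dat.net.nz.", "NS", "dat.net.nz."),          # from the thread
    ("dat.net.nz.", "A", "60.234.147.64"),         # from the thread
    ("dat.net.nz.", "NS", "delusionz.co.nz."),     # from the thread
    ("dat.net.nz.", "MX", "10 mail.dat.net.nz."),  # constructed
    ("www.dat.net.nz.", "TXT", "constructed"),     # constructed
]
```

Calling `classify("net.nz.", ZONE)` labels the `A` record from the thread as glue, while the constructed `MX` and `TXT` records come back as occluded.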
