[Opendnssec-user] nsec3 records for insecure empty non-terminal

Emil Natan shlyoko at gmail.com
Tue Aug 30 13:21:00 UTC 2016


Running ODS 1.4.9. I know 1.4.10 is out (as well 2.x.x) but I do not see
anything related to the issue mentioned in the Changelog, so I presume
1.4.10 inherits the same behavior.

Domain example.com, contains the following insecure delegation:
sub2.sub1       IN      NS      ns1.yahoo.com.

Policy and signconf has optout set:
                            <Salt length="0"/>

When signed with ODS, NSEC3 record is created for sub1.example.com, see
files attached.

RFC5155, Section 7.1

Each empty non-terminal MUST have a corresponding NSEC3 RR, unless
      the empty non-terminal is only derived from an insecure delegation
      covered by an Opt-Out NSEC3 RR.

If I understand the above correctly, NSEC3 records should not be created
for insecure delegations.
validns also recognize this as an error:
 validns ../signed/example.com.zone.signed
../signed/example.com.zone.signed:22: NSEC3 without a corresponding record
(or empty non-terminal)

Any help will be highly appreciated.


p.s I'll try 1.4.10 anyway and will update if it makes any difference
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20160830/190f9243/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: example.com.zone.signed
Type: application/octet-stream
Size: 6193 bytes
Desc: not available
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20160830/190f9243/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: example.com.zone
Type: application/octet-stream
Size: 333 bytes
Desc: not available
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20160830/190f9243/attachment-0001.obj>

More information about the Opendnssec-user mailing list