[Opendnssec-user] nsec3 records for insecure empty non-terminal
Emil Natan
shlyoko at gmail.com
Tue Aug 30 13:21:00 UTC 2016
Hello,
Running ODS 1.4.9. I know 1.4.10 is out (as well as 2.x.x), but I do not see
anything related to the issue mentioned in the Changelog, so I presume
1.4.10 inherits the same behavior.
Domain example.com contains the following insecure delegation:
sub2.sub1 IN NS ns1.yahoo.com.
Policy and signconf have optout set:

<Denial>
  <NSEC3>
    <OptOut/>
    <Resalt>P100D</Resalt>
    <Hash>
      <Algorithm>1</Algorithm>
      <Iterations>0</Iterations>
      <Salt length="0"/>
    </Hash>
  </NSEC3>
</Denial>
When signed with ODS, an NSEC3 record is created for sub1.example.com, see
files attached.
RFC5155, Section 7.1
Each empty non-terminal MUST have a corresponding NSEC3 RR, unless
the empty non-terminal is only derived from an insecure delegation
covered by an Opt-Out NSEC3 RR.
If I understand the above correctly, NSEC3 records should not be created
for insecure delegations.
validns also recognizes this as an error:
validns ../signed/example.com.zone.signed
../signed/example.com.zone.signed:22: NSEC3 without a corresponding record
(or empty non-terminal)
Any help will be highly appreciated.
Emil
P.S. I'll try 1.4.10 anyway and will update if it makes any difference.
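The check validns performs here can be reproduced offline. The following is an added example, not code from the post, from OpenDNSSEC or from validns: it hashes every owner name and every empty non-terminal of a constructed zone with the policy above (SHA-1, 0 iterations, empty salt, Opt-Out), maps each NSEC3 owner back to its original name, and reports an NSEC3 RR that either matches no name at all or sits on an empty non-terminal that exists only because of an insecure (DS-less) delegation, which RFC 5155 section 7.1 says must not have one under Opt-Out. The zone contents, the signer output it simulates (including the spurious sub1 record) and the "ghost" name are constructed for the example; the DS rdata is a placeholder.

```python
"""Find NSEC3 RRs that should not exist under Opt-Out (RFC 5155 section 7.1).
Added example; the zone below is constructed and mimics the reported ODS output."""
import base64
import hashlib

APEX = "example.com."
SALT = b""        # <Salt length="0"/> in the policy
ITERATIONS = 0    # <Iterations>0</Iterations>

# base64.b32encode uses the RFC 4648 standard alphabet; NSEC3 owners use base32hex.
_B32_TO_B32HEX = str.maketrans(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def to_wire(name):
    """Canonical wire form of a FQDN: lowercase, length-prefixed labels, root label."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in labels) + b"\x00"


def nsec3_hash(name, salt=SALT, iterations=ITERATIONS):
    """NSEC3 hash, algorithm 1 (SHA-1), RFC 5155 section 5; returns lowercase base32hex."""
    digest = hashlib.sha1(to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode().translate(_B32_TO_B32HEX).lower()


def parent(name):
    return name.split(".", 1)[1]


def is_below(name, ancestor):
    return name != ancestor and name.endswith("." + ancestor)


def empty_non_terminals(names, apex):
    """Names between an existing owner and the apex that are not owners themselves."""
    ents = set()
    for name in names:
        cur = parent(name)
        while is_below(cur, apex):
            if cur not in names:
                ents.add(cur)
            cur = parent(cur)
    return ents


def insecure_delegations(zone, apex):
    """Non-apex NS owners with no DS RRset."""
    ns = {o for o, t, _ in zone if t == "NS" and o != apex}
    ds = {o for o, t, _ in zone if t == "DS"}
    return ns - ds


def derived_only_from_insecure(ent, names, insecure):
    """True when every owner under the ENT is an insecure delegation or glue beneath one."""
    below = [n for n in names if is_below(n, ent)]
    return bool(below) and all(
        any(n == d or is_below(n, d) for d in insecure) for n in below)


def check_nsec3_chain(zone, apex=APEX, salt=SALT, iterations=ITERATIONS):
    """Return (nsec3_owner, original_name_or_None, reason) for each offending NSEC3 RR."""
    names = {o for o, t, _ in zone if t not in ("NSEC3", "RRSIG")}
    ents = empty_non_terminals(names, apex)
    insecure = insecure_delegations(zone, apex)
    by_hash = {nsec3_hash(n, salt, iterations): n for n in names | ents}
    findings = []
    for owner, rtype, rdata in zone:
        if rtype != "NSEC3":
            continue
        optout = int(rdata.split()[1]) & 1      # NSEC3 flags field, bit 0 = Opt-Out
        name = by_hash.get(owner.split(".", 1)[0].lower())
        if name is None:
            findings.append((owner, None, "NSEC3 without a corresponding record (or empty non-terminal)"))
        elif name in ents and optout and derived_only_from_insecure(name, names, insecure):
            findings.append((owner, name, "NSEC3 for empty non-terminal derived only from an Opt-Out insecure delegation"))
    return findings


def build_nsec3_chain(names_and_types, apex=APEX):
    """Simulated signer output: one Opt-Out NSEC3 RR per listed name, linked in hash order."""
    hashed = sorted((nsec3_hash(n), n, t) for n, t in names_and_types)
    return [(f"{h}.{apex}", "NSEC3", f"1 1 {ITERATIONS} - {hashed[(i + 1) % len(hashed)][0]} {t}")
            for i, (h, _, t) in enumerate(hashed)]


# Constructed unsigned zone (owner, type, rdata); the DS digest is a placeholder.
BASE_ZONE = [
    (APEX, "SOA", "ns1.example.com. hostmaster.example.com. 2016083001 3600 900 1209600 300"),
    (APEX, "NS", "ns1.example.com."),
    ("ns1.example.com.", "A", "192.0.2.1"),
    ("www.example.com.", "A", "192.0.2.2"),
    ("sub2.sub1.example.com.", "NS", "ns1.yahoo.com."),           # insecure delegation from the post
    ("signed.sub3.example.com.", "NS", "ns1.signed.sub3.example.com."),
    ("ns1.signed.sub3.example.com.", "A", "192.0.2.53"),           # glue
    ("signed.sub3.example.com.", "DS", "12345 8 2 PLACEHOLDERDIGEST"),  # secure delegation
]

# Simulated signer output: sub1 gets an NSEC3 (the reported behaviour), sub3 legitimately
# keeps one (secure delegation below it), and "ghost" is a hash with no matching name.
SIGNED_ZONE = BASE_ZONE + build_nsec3_chain([
    (APEX, "NS SOA RRSIG DNSKEY NSEC3PARAM"),
    ("ns1.example.com.", "A RRSIG"),
    ("www.example.com.", "A RRSIG"),
    ("sub1.example.com.", ""),
    ("sub3.example.com.", ""),
    ("signed.sub3.example.com.", "NS DS RRSIG"),
    ("ghost.example.com.", "A RRSIG"),
])

if __name__ == "__main__":
    for owner, name, reason in check_nsec3_chain(SIGNED_ZONE):
        print(f"{owner} ({name or '?'}): {reason}")
```

Running it prints two findings, the sub1 empty non-terminal and the unmatched "ghost" hash; the sub3 empty non-terminal is not reported because the delegation beneath it carries a DS and therefore still needs its NSEC3.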
Attachments:
example.com.zone.signed (6193 bytes): http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20160830/190f9243/attachment.obj
example.com.zone (333 bytes): http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20160830/190f9243/attachment-0001.obj