[Opendnssec-user] Denial of existence
Havard Eidnes
he at uninett.no
Fri Aug 16 09:54:38 UTC 2024
> OpenDNSSEC 2.1.13 running on FreeBSD 13.3.
>
> Recently, dnsviz.net started reporting the lack of "Denial of existence" DNSSEC
> option error for all my domains:
>
> ad2h.mydomain.org/A has errors; select the "Denial of existence" DNSSEC option to
> see them.
> mydomain.org/CDNSKEY has errors; select the "Denial of existence" DNSSEC option
> to see them.
> mydomain.org/CDS has errors; select the "Denial of existence" DNSSEC option to
> see them.
> mydomain.org/AAAA has errors; select the "Denial of existence" DNSSEC option to
> see them.
> mydomain.org/CNAME has errors; select the "Denial of existence" DNSSEC option to
> see them.
>
> Is this due to the TTL being commented out in my kasp.xml, or am I missing some other settings?
It's commented out, so that ought not be the issue.
> <Denial>
>   <NSEC3>
>     <!-- <TTL>PT0S</TTL> -->
>     <!-- <OptOut/> -->
>     <Resalt>P100D</Resalt>
>     <Hash>
>       <Algorithm>1</Algorithm>
>       <Iterations>5</Iterations>
>       <Salt length="8"/>
>     </Hash>
>   </NSEC3>
> </Denial>
However, you didn't quote what the <Denial> stanza in your
<Policy>'s <Signature> / <Validity> entry looks like. Mine looks
like this:
<Policy name="xxx">
  <Signatures>
    ...
    <Validity>
      <Default>P21D</Default>
      <Denial>P21D</Denial>
    </Validity>
    ...
and I don't think I'm seeing this issue flagged from dnsviz.net.
We're also running OpenDNSSEC 2.1.13.
The current operational recommendation is to use
<Iterations>0</Iterations>, though, ref. RFC 9276 section 3.1.
Hm, I notice that the recommendation is also to have a zero salt
length, see the same RFC.
Transitioning from this config to the new, if you do OpenDNSSEC
as a "bump on the wire", you may need to remove OpenDNSSEC's
temporary files (copies of zones + parameters), and re-transfer
them by restarting OpenDNSSEC. "Buyer beware!" (I had to do
that when going to Iterations=0, anyway. Your mileage may vary.)
Regards,
- Håvard
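As an added example (not from this thread or the OpenDNSSEC project), a small Python check that reads a kasp.xml fragment and flags the NSEC3 parameters against the RFC 9276 section 3.1 advice above, and also reports a policy that lacks the <Signatures>/<Validity>/<Denial> entry Håvard asks about. The sample fragment is constructed from the quoted config; the element paths mirror that quoted layout.

```python
import xml.etree.ElementTree as ET

# Constructed kasp.xml fragment modelled on the quoted config: NSEC3 with
# 5 iterations and an 8-byte salt, plus the <Signatures>/<Validity> stanza.
SAMPLE_KASP = """<KASP>
  <Policy name="example">
    <Signatures>
      <Validity>
        <Default>P21D</Default>
        <Denial>P21D</Denial>
      </Validity>
    </Signatures>
    <Denial>
      <NSEC3>
        <!-- <TTL>PT0S</TTL> -->
        <!-- <OptOut/> -->
        <Resalt>P100D</Resalt>
        <Hash>
          <Algorithm>1</Algorithm>
          <Iterations>5</Iterations>
          <Salt length="8"/>
        </Hash>
      </NSEC3>
    </Denial>
  </Policy>
</KASP>"""

def check_policy(policy):
    """Return findings for one <Policy>; an empty list means it matches RFC 9276."""
    findings = []
    nsec3 = policy.find("Denial/NSEC3")
    if nsec3 is None:
        return findings  # plain NSEC policy: iterations and salt do not apply
    iterations = int(nsec3.findtext("Hash/Iterations", default="0"))
    if iterations != 0:
        findings.append(f"Iterations is {iterations}; RFC 9276 s3.1 recommends 0")
    salt = nsec3.find("Hash/Salt")  # XML comments (e.g. commented-out TTL) are skipped by the parser
    salt_len = int(salt.get("length", "0")) if salt is not None else 0
    if salt_len != 0:
        findings.append(f"Salt length is {salt_len}; RFC 9276 s3.1 recommends an empty salt")
    if policy.find("Signatures/Validity/Denial") is None:
        findings.append("no <Signatures>/<Validity>/<Denial> value set")
    return findings

def check_kasp(xml_text):
    """Map policy name -> findings for every <Policy> in a kasp.xml document."""
    root = ET.fromstring(xml_text)  # kasp.xml is locally authored config, not untrusted input
    return {p.get("name"): check_policy(p) for p in root.iter("Policy")}

print(check_kasp(SAMPLE_KASP))
```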