[Unbound-users] Strange validation errors for proofs of non-existence in .com, .net, .org TLD (is it due to NSEC3 opt-out or I am missing some trust anchor?)

Ondrej Mikle ondrej.mikle at nic.cz
Wed Jan 2 17:31:39 UTC 2013


On 01/02/2013 02:22 PM, W.C.A. Wijngaards wrote:
> On 01/01/2013 11:19 PM, Ondrej Mikle wrote:
>> Hi,
> 
>> I've noticed that since some time ago the queries for non-existent
>> .com, .net and .org domains no longer validate (no AD flag,
>> libunbound marks them as insecure).
> 
> It has always done that (to my knowledge): treat NSEC3 optout
> appropriately.

Hm. I tracked the reason for failing validation down to two possibilities or
combination thereof, but not sure which is true:

i) Something has changed in the com/net/org TLD with the NSEC3 around 3 months
back, probably by setting the opt-out bit on NSEC3 records or creating more gaps
with NSEC3 records that have the opt-out bit set. I should have some old scan of
.com TLD, but it'll take me some time to retrieve it and compare the records.

ii) Some old version of unbound does not handle this case and sets the AD flag
(see below).

I am fairly sure that the com/net/org non-existent validation was "working" 3-4
months ago, some other people I asked remember it this way, too (I used it quite
a lot for testing DNSSEC Validator and other SW).
I wrote "working" in quotes because I'm not 100% sure if it was due to a change
in the zones or a bug/missing feature in unbound or bind. Though I think bind
did validate the nonexistent com/net/org domains as well back then.

> The machine at 193.29.206.206 that sets the AD flag for optout NSEC3
> NXDOMAIN fails to implement RFC5155.

I've just asked admins today and the 193.29.206.206 machine runs unbound
1.4.6-1 from Ubuntu Lucid.


Does anyone know since when do the com/net/org NSEC3s have the opt-out bit set?

Ondrej

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: OpenPGP digital signature
URL: <http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20130102/7c22477d/attachment.bin>


More information about the Unbound-users mailing list