[ldns-users] validating nsec responses with drill
Kal Feher
kal at securenic.net
Thu May 22 12:09:04 UTC 2014
Hello list,
I’ve been trying to get to the bottom of some odd behaviour with drill.
The behaviour I’m seeing appears to be limited to verifying nsec responses. When issuing the following query:
drill -a -4 -V 5 -d us -k uskey -TD 0.us
I receive the following response (trimmed for clarity):
;; AUTHORITY SECTION:
us. 900 IN SOA a.cctld.us. hostmaster.neustar.biz. 2011722984 900 900 604800 86400
us. 900 IN RRSIG SOA 5 1 900 20140621111356 20140522101356 28350 US. C44LuFw7+/QekEvR
US. 86400 IN NSEC 0-.us. NS SOA RRSIG NSEC DNSKEY TYPE65534
us. 86400 IN RRSIG NSEC 5 1 86400 20140617202559 20140518200713 28350 US. SjkrioUZ4T
;; Existence of data set with this name denied by NSEC
NSEC(3) Records to verify:
US. 86400 IN NSEC 0-.us. NS SOA RRSIG NSEC DNSKEY TYPE65534
With signatures:
correct keys:
us. 518400 IN DNSKEY 257 3 5 AwEAAcPLfBcYsSxr3IQFL;{id = 44323 (ksk), size = 2048b}
us. 518400 IN DNSKEY 257 3 5 AwEAAatM9tlDcd8gpSq+ ;{id = 55408 (ksk), size = 2048b}
us. 518400 IN DNSKEY 256 3 5 AwEAAZxMuH84tkVwYuP;{id = 14358 (zsk), size = 1024b}
us. 518400 IN DNSKEY 256 3 5 AwEAAZ6LjDKPJisyM73 ;{id = 28350 (zsk), size = 1024b}
[B] Error verifying denial of existence for 0.us. type A: No DNSSEC signature(s)
;;[S] self sig OK; [B] bogus; [T] trusted
Yet when I query for another non existent label:
drill -a -4 -V 5 -d us -k uskey -TD 0-000.us
I have success:
;; AUTHORITY SECTION:
us. 900 IN SOA a.cctld.us. hostmaster.neustar.biz. 2011722996 900 900 604800 86400
us. 900 IN RRSIG SOA 5 1 900 20140621111552 20140522101552 28350 US. CKhVuRK1BsCBZw8ydZ45CiEz7
US. 86400 IN NSEC 0-.us. NS SOA RRSIG NSEC DNSKEY TYPE65534
us. 86400 IN RRSIG NSEC 5 1 86400 20140617202559 20140518200713 28350 US. SjkrioUZ4TauR5c7OGhGXy
0-00.US. 86400 IN NSEC 0-0000AKLUJVHZ.us. NS RRSIG NSEC
0-00.US. 86400 IN RRSIG NSEC 5 2 86400 20140613022320 20140514021623 28350 US. Q2ixTZVctcc2pD0WgMtL7
NSEC(3) Records to verify:
0-00.US. 86400 IN NSEC 0-0000AKLUJVHZ.us. NS RRSIG NSEC
With signatures:
0-00.US. 86400 IN RRSIG NSEC 5 2 86400 20140613022320 20140514021623 28350 US. Q2ixTZVctcc2pD0WgMtL7
correct keys:
us. 518400 IN DNSKEY 257 3 5 AwEAAcPLfBcYsSxr3IQFLeJraBpgwzHqd ;{id = 44323 (ksk), size = 2048b}
us. 518400 IN DNSKEY 256 3 5 AwEAAZxMuH84tkVwYuPk7+QDPQuq9 ;{id = 14358 (zsk), size = 1024b}
us. 518400 IN DNSKEY 256 3 5 AwEAAZ6LjDKPJisyM730QN6miz2cQCW ;{id = 28350 (zsk), size = 1024b}
us. 518400 IN DNSKEY 257 3 5 AwEAAatM9tlDcd8gpSq+Wlksu;{id = 55408 (ksk), size = 2048b}
[T] Existence denied: 0-000.us. A
;;[S] self sig OK; [B] bogus; [T] trusted
The signatures look fine, but for some reason they do not appear in the output for my first test above. This results in an error (RR count less than 1). Is it the case of the label (upper for NSEC, lower for its RRSIG) that is causing the issue for drill? I’ve flicked through the code going backwards from the error message but only got as far as ldns_verify() before my poor C skills failed me.
Am I missing an obvious DNSSEC error that I can’t see?
Kal
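The post above hinges on whether an NSEC record whose owner name is printed as "US." can still deny the existence of "0.us.". The check a validator has to make is defined by RFC 4034 section 6.1 (canonical DNS name order: labels compared right to left, ASCII case folded, a label that is a proper prefix sorting first) and RFC 4035 section 5.4 (an NSEC from a delegation point cannot prove anything below the zone cut). The following is an added example, written for this page and not taken from the post or from the ldns/drill source; it implements that covering check over NSEC records constructed from the two responses quoted above (owner, next name, type list), with the case difference between "US." and "us." preserved on purpose. Signature verification is out of scope here: this only answers "does this NSEC cover the name", which is the step that has to be case-insensitive.

```python
from typing import List, Optional, Set, Tuple

# (owner, next owner name, types in the bitmap) transcribed from the two
# authority sections in the post; the mixed case of the owner names is kept.
NsecRecord = Tuple[str, str, Set[str]]
RECORDS: List[NsecRecord] = [
    ("US.", "0-.us.", {"NS", "SOA", "RRSIG", "NSEC", "DNSKEY", "TYPE65534"}),
    ("0-00.US.", "0-0000AKLUJVHZ.us.", {"NS", "RRSIG", "NSEC"}),
]


def canonical_key(name: str) -> List[bytes]:
    """Sort key for RFC 4034 s6.1 canonical ordering.

    Labels are compared right to left, as byte strings with ASCII upper case
    folded to lower case; Python's list/bytes comparison already makes a
    label that is a proper prefix of another sort first, and a name that is
    an ancestor of another sort first, which is exactly the canonical order.
    """
    name = name.rstrip(".")
    if not name:
        return []  # the root
    return [label.encode("ascii").lower() for label in reversed(name.split("."))]


def is_ancestor(ancestor: str, name: str) -> bool:
    """True if `name` is strictly below `ancestor` (label-wise, case-folded)."""
    a, n = canonical_key(ancestor), canonical_key(name)
    return len(a) < len(n) and n[: len(a)] == a


def nsec_covers(owner: str, next_name: str, qname: str) -> bool:
    """True if qname falls strictly between owner and next_name.

    The last NSEC in a chain points back at the zone apex, so its next name
    sorts *before* its owner; that record covers everything after the owner.
    """
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    if q == o:
        return False  # the name exists; NSEC would deny a type, not the name
    if o < n:
        return o < q < n
    return q > o or q < n  # wrap-around record at the end of the chain


def deny_existence(records: List[NsecRecord], qname: str) -> Tuple[str, Optional[NsecRecord]]:
    """Find an NSEC that proves qname does not exist.

    Returns ("covered", record), ("exists", record) when an NSEC owner equals
    qname, or ("no-proof", None) when nothing usable was supplied. An NSEC
    whose owner is a delegation (NS set, SOA clear) and an ancestor of qname
    is rejected: the name, if any, lives in the child zone (RFC 4035 s5.4).
    """
    for rec in records:
        owner, next_name, types = rec
        if canonical_key(owner) == canonical_key(qname):
            return ("exists", rec)
        if not nsec_covers(owner, next_name, qname):
            continue
        if "NS" in types and "SOA" not in types and is_ancestor(owner, qname):
            continue
        return ("covered", rec)
    return ("no-proof", None)


if __name__ == "__main__":
    for q in ("0.us.", "0-000.us.", "0-00.us.", "www.0-00.us."):
        status, rec = deny_existence(RECORDS, q)
        print(f"{q:16} {status:9} {rec[0] + ' NSEC ' + rec[1] if rec else ''}")
```

Run stand-alone, "0.us." is reported as covered by the apex record (the label "0" is a proper prefix of "0-", so "us. < 0.us. < 0-.us." in canonical order) and "0-000.us." by "0-00.US. NSEC 0-0000AKLUJVHZ.us.", both regardless of the case the owner names were printed in. "www.0-00.us." gets no proof because the only candidate NSEC belongs to a delegation. A full validator additionally has to prove that no wildcard at the closest encloser matches and has to verify the RRSIG over each NSEC it relies on; neither is attempted here.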