[nsd-users] wildcard+ANY validation issue between NSD and Unbound

Peter van Dijk peter.van.dijk at netherlabs.nl
Fri Feb 24 13:35:24 UTC 2012


Hello,

On Feb 24, 2012, at 13:12 , Peter van Dijk wrote:

> The difference appears to be that in the ANY case, BIND adds:
> www.something.wtest.com.	86400	IN	NSEC	wtest.com. A RRSIG NSEC 
> www.something.wtest.com.	86400	IN	RRSIG	NSEC 5 3 86400  ….
> 
> but as far as I can see, this offers no information not already offered by:
> *.something.wtest.com.	86400	IN	NSEC	wtest.com. A RRSIG NSEC 
> *.something.wtest.com.	86400	IN	RRSIG	NSEC 5 3 86400 …

This is not the difference that matters. The issue is that NSD puts '*.something.wtest.com NSEC' in the answer section instead of the authority section.

According to unbound (and according to my reading of RFC4035), this is okay:

;; QUESTION SECTION:
;www.something.wtest.com.	IN	 ANY

;; ANSWER SECTION:
www.something.wtest.com.	3600	IN	A	4.3.2.1
www.something.wtest.com.	3600	IN	RRSIG	A 8 3 3600 20120308000000 20120223000000 33955 wtest.com. Cdgl41CONlwN91fMiQV6D1T2/ZaQPArjswqIR5FSnNAdTcfLuADAYJrXmBwdTTtQhfJASkZRidjfdtJOYrCgJC3d1KpeqJWnIf2mLIZtiGVkz9DxoMlXcb8O0U9moOSvPRzoWKyspQrvp6+qIM5BwqifrqbsrzSWTr4PFQehiaA=

;; AUTHORITY SECTION:
*.something.wtest.com.	3600	IN	NSEC	wtest.com. A RRSIG NSEC
*.something.wtest.com.	3600	IN	RRSIG	NSEC 8 3 3600 20120308000000 20120223000000 33955 wtest.com. BEa33+lxqfRaPw5GsM6g9TwRGcVsgA/t4oK0WMZ/sikQllvOKNfZLvbdJwTN1/yQzYhrl+xqYWuQCvMHEYCztEo9/z29sPxC/4DQrWhFmPVln1kgAPNdNIO50O8KzynbwMRq5WflvlFMrgh3B65l4I0otoqOuh9UUVYF2fGlKf4=


While this (from NSD) is not:

;; QUESTION SECTION:
;www.something.wtest.com.	IN	 ANY

;; ANSWER SECTION:
*.something.wtest.com.	86400	IN	NSEC	wtest.com. A RRSIG NSEC
*.something.wtest.com.	86400	IN	RRSIG	NSEC 5 3 86400 20120323092532 20120224092532 61140 wtest.com. YYV4+Bv6N2VATWSx7RhOJV0PkZuvxwWLk88lU5hXVcJNvqyKkGGlJQXpy19L8ftUZJN+p5nzc+lypH06LFQAmQ==
www.something.wtest.com.	3600	IN	A	4.3.2.1
www.something.wtest.com.	3600	IN	RRSIG	A 5 3 3600 20120323092532 20120224092532 61140 wtest.com. N0nNjNk2wWpgw8MsSJkWi91L4iAZa3L6bJle4jZ7eSzybTvbmNP5X83db8bxNSErjvACC+QLbMcxg3LICb+msQ==

;; AUTHORITY SECTION:
wtest.com.	3600	IN	NS	ns1.wtest.com.
wtest.com.	3600	IN	RRSIG	NS 5 2 3600 20120323092532 20120224092532 61140 wtest.com. mIQi6S7OjXL+InBCcUIbHD2Kodt31FN2k7o4jdnHu7l0iTs58TjbiqJoL0DwZBk85NnRD/cLDrARD5X39nq5Qw==

;; ADDITIONAL SECTION:
ns1.wtest.com.	3600	IN	A	1.2.3.4
ns1.wtest.com.	3600	IN	RRSIG	A 5 3 3600 20120323092532 20120224092532 61140 wtest.com. wO/knqEUrzk2RU4P+MRKAyk0yOmDaidYLYdT64DbmxcZmpU54tanw6rjoNpcMlHnWR/1IVw6/kozTGuTNnD6Yg==

Kind regards,
Peter van Dijk
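
As an added example (not part of the original message, nor code from NSD, BIND or Unbound): a Python sketch that detects a wildcard-expanded answer from the RRSIG Labels field and reports which section carries the wildcard NSEC, the placement difference described above. It assumes dig-style text input and checks section placement only; the function names are hypothetical, and the records are abridged from the two responses above with signature data replaced by the constructed placeholder `SIG`.

```python
# Added example: checks section placement only, not signatures or NSEC coverage.
# Records abridged from the two responses above; SIG is a constructed placeholder.
GOOD = """;; ANSWER SECTION:
www.something.wtest.com. 3600 IN A 4.3.2.1
www.something.wtest.com. 3600 IN RRSIG A 8 3 3600 20120308000000 20120223000000 33955 wtest.com. SIG
;; AUTHORITY SECTION:
*.something.wtest.com. 3600 IN NSEC wtest.com. A RRSIG NSEC
"""
BAD = """;; ANSWER SECTION:
*.something.wtest.com. 86400 IN NSEC wtest.com. A RRSIG NSEC
www.something.wtest.com. 3600 IN A 4.3.2.1
www.something.wtest.com. 3600 IN RRSIG A 5 3 3600 20120323092532 20120224092532 61140 wtest.com. SIG
;; AUTHORITY SECTION:
wtest.com. 3600 IN NS ns1.wtest.com.
"""

def parse_sections(text):
    """Split dig-style output into {section: [(owner, rtype, rdata_fields)]}."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(";;") and line.endswith("SECTION:"):
            current = line.split()[1].lower()
            sections[current] = []
        elif line and not line.startswith(";") and current:
            f = line.split()  # owner, ttl, class, type, rdata...
            sections[current].append((f[0].lower(), f[3], f[4:]))
    return sections

def label_count(owner):
    """Labels in an owner name, not counting the root or a leading '*'."""
    labels = [l for l in owner.rstrip(".").split(".") if l]
    return len(labels) - (1 if labels and labels[0] == "*" else 0)

def wildcard_expanded(answer):
    """True if an answer RRSIG's Labels field is smaller than its owner's label count."""
    return any(rtype == "RRSIG" and int(rdata[2]) < label_count(owner)
               for owner, rtype, rdata in answer)

def nsec_placement(text):
    """Return 'not-wildcard', 'ok', 'nsec-in-answer' or 'nsec-missing'."""
    s = parse_sections(text)
    if not wildcard_expanded(s.get("answer", [])):
        return "not-wildcard"
    has = lambda sec: any(t == "NSEC" for _, t, _ in s.get(sec, []))
    if has("authority"):
        return "ok"
    return "nsec-in-answer" if has("answer") else "nsec-missing"

if __name__ == "__main__":
    print(nsec_placement(GOOD), nsec_placement(BAD))
```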


