"A record from a delegated zone" policy check
Via Daniel Stirnimann:
$TTL 1d
$INCLUDE Kexample.com.+008+18169.key
$INCLUDE Kexample.com.+008+57699.key
@        IN SOA ns.example.com. hostmaster.example.com. (
                1          ; Serial
                604800     ; Refresh
                86400      ; Retry
                2419200    ; Expire
                604800 )   ; Negative Cache TTL
         IN NS ns1.example.net.
sub      IN NS ns1.example.net.    ; delegation point: sub.example.com. is a separate zone
test.sub IN A  127.0.0.1           ; below the cut, so not authoritative data of this zone
The error is that the "test.sub" record exists although "sub" is already delegated.
BIND "dnssec-signzone" ignores "test.sub" and does not create RRSIG/NSEC/NSEC3 records.
When I verify the signed zone (using NSEC) with validns, no error is shown.
When I verify the signed zone (using NSEC3) with validns, the error: "no corresponding NSEC3 found for test.sub.example.com." is shown which is correct.
I'm not sure what the right way of handling this error is. In any case, I think the error message should be the same whether NSEC or NSEC3 is used. Practically, I could live with a WARNING and not an ERROR because, as far as BIND dnssec-signzone goes, the additional record of the delegated zone is not signed, so it does not lead to a signing error. However, I'm not sure if other DNSSEC signing tools handle this the same way.
Validns is wrong in producing an error for NSEC3.
An acceptable way of reporting this would be to report an "Unused glue record" or a "Record from a delegated zone", optionally, activated via yet another policy check. Do you concur?
The only thing I need to check is what dnssec-signzone does for, and what the RFCs say about, real glue records such as
sub     IN NS ns1.sub      ; in-bailiwick name server for the delegated zone
ns1.sub IN A  1.2.3.4      ; glue: the address the parent must hand out to reach it
Mostly solved by commit fddc43cbf6b5ff30cf19ccb626f289108ce22908.
Still need to add the policy check.
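As an added illustration of the policy check discussed above (this is example code written for this issue, not validns code and not from the report), the following Python classifies every record of a zone relative to the zone's delegation points, which is the decision a signer has to make before it decides what to sign: NS and DS at the cut are the delegation itself, A/AAAA records below the cut that the cut's NS RRset names are glue, and everything else at or below the cut is a "record from a delegated zone" that dnssec-signzone silently drops. The minimal zone reader, the function names and the two sample zones (the zone from the report without its $INCLUDE lines, and the in-bailiwick glue case from the reply) are this example's own assumptions.

```python
"""Policy check: find records below a delegation point ("record from a
delegated zone").  Example code for this issue, not part of validns.

The zone reader is deliberately minimal (assumption): one file, no
$INCLUDE/$ORIGIN, owner names origin-relative or absolute, a parenthesised
multi-line SOA, numeric TTLs with an optional s/m/h/d/w suffix.
"""
import re

_TTL = re.compile(r"\d+[smhdw]?$", re.I)


def _fqdn(name, origin):
    """Absolutise an owner or target name relative to the zone origin."""
    if name == "@":
        return origin
    return name.lower() if name.endswith(".") else f"{name}.{origin}".lower()


def _logical_lines(text):
    """Strip ';' comments and join records continued inside parentheses."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth == 0:
            yield " ".join(buf)
            buf = []


def parse_zone(text, origin):
    """Return (origin, [(owner, TYPE, [rdata tokens])]); NS targets absolutised."""
    origin = origin.lower() if origin.endswith(".") else origin.lower() + "."
    records, last_owner = [], origin
    for line in _logical_lines(text):
        if line.lstrip().startswith("$"):
            continue  # directives ($TTL, $INCLUDE) are out of scope here
        tokens = line.split()
        # A blank owner field (line starts with whitespace) inherits the previous owner.
        owner = last_owner if line[0].isspace() else _fqdn(tokens.pop(0), origin)
        last_owner = owner
        while tokens and (_TTL.match(tokens[0]) or tokens[0].upper() in ("IN", "CH", "HS")):
            tokens.pop(0)  # optional TTL and/or class before the type
        if not tokens:
            continue
        rtype, rdata = tokens[0].upper(), tokens[1:]
        if rtype in ("NS", "CNAME"):
            rdata = [_fqdn(rdata[0], origin)]
        records.append((owner, rtype, rdata))
    return origin, records


def _enclosing_cut(owner, cuts):
    """Delegation point closest to the apex that contains owner, or None."""
    hits = [c for c in cuts if owner == c or owner.endswith("." + c)]
    return min(hits, key=lambda c: c.count(".")) if hits else None


def classify(text, origin):
    """Split the zone's records into authoritative / delegation / glue / occluded."""
    origin, records = parse_zone(text, origin)
    cuts = {}  # delegation point -> names in its NS RRset
    for owner, rtype, rdata in records:
        if rtype == "NS" and owner != origin:
            cuts.setdefault(owner, set()).add(rdata[0])
    out = {"authoritative": [], "delegation": [], "glue": [], "occluded": []}
    for rec in records:
        owner, rtype, _ = rec
        cut = _enclosing_cut(owner, cuts)
        if cut is None:
            out["authoritative"].append(rec)
        elif owner == cut and rtype in ("NS", "DS"):
            out["delegation"].append(rec)  # parent-side data: NS unsigned, DS signed
        elif rtype in ("A", "AAAA") and owner in cuts[cut]:
            out["glue"].append(rec)  # needed to reach the child; not signed, not an error
        else:
            out["occluded"].append(rec)  # "record from a delegated zone": the signer drops it
    return out


def occluded_names(text, origin):
    """Owner names the signer will leave out of the NSEC/NSEC3 chain."""
    return sorted({o for o, _, _ in classify(text, origin)["occluded"]})


# Constructed sample: the zone from the report, minus the $INCLUDE key files.
REPORT_ZONE = """\
$TTL 1d
@ IN SOA ns.example.com. hostmaster.example.com. (
        1          ; Serial
        604800     ; Refresh
        86400      ; Retry
        2419200    ; Expire
        604800 )   ; Negative Cache TTL
        IN NS ns1.example.net.
sub     IN NS ns1.example.net.
test.sub IN A 127.0.0.1
"""

# Constructed sample: in-bailiwick delegation with real glue (the reply's case).
GLUE_ZONE = """\
$TTL 1d
@ IN SOA ns.example.com. hostmaster.example.com. ( 1 604800 86400 2419200 604800 )
        IN NS ns1.example.net.
sub     IN NS ns1.sub
ns1.sub IN A 1.2.3.4
"""

if __name__ == "__main__":
    for label, zone in (("report", REPORT_ZONE), ("glue", GLUE_ZONE)):
        res = classify(zone, "example.com")
        print(label, "occluded:", res["occluded"], "glue:", res["glue"])
```

Run stand-alone, the report's zone yields one occluded record (test.sub.example.com. A) and no glue, while the glue zone yields no occluded record and one glue record (ns1.sub.example.com. A); a checker that reports the first list as a warning and stays silent on the second gives the same verdict whether the zone is later signed with NSEC or NSEC3, because the classification depends only on where the delegation cuts are, not on the denial-of-existence scheme.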