
False error in DNSSEC10 on a zone with a wildcard below apex

Open matsduf opened this issue 2 years ago • 0 comments

When testing personeelsrecht.nu, an error is reported in DNSSEC10, but the error does not match the behavior of the zone. The implementation should not return DS10_MISSING_NSEC_NSEC3 in this case.

There is another issue on DNSSEC10, but on the specification (https://github.com/zonemaster/zonemaster/issues/1153). They are related insofar as they both hit zones with a wildcard below apex.

This issue should wait for the specification to be adjusted.

$ zonemaster-cli --show-testcase --test dnssec/dnssec10 personeelsrecht.nu
Seconds Level    Testcase       Message
======= ======== ============== =======
   4.67 ERROR    DNSSEC10       NSEC or NSEC3 is expected but is missing. Fetched from the nameservers with IP addresses "13.248.156.209;188.212.124.37;192.99.182.47;2607:5300:201:3100::1670;2a05:d018:c40:8e01:7cab:9b94:f853:3736;2a0c:b9c0:f:44c3::1".

$ zonemaster-cli --show-testcase --test dnssec/dnssec10 personeelsrecht.nu --raw
   4.50 ERROR    DNSSEC10       DS10_MISSING_NSEC_NSEC3   ns_ip_list=188.212.124.37;192.99.182.47;2607:5300:201:3100::1670;2a05:d018:c40:8e01:7cab:9b94:f853:3736;2a0c:b9c0:f:44c3::1

personeelsrecht.nu has a wildcard below apex:

; <<>> DiG 9.10.6 <<>> *.personeelsrecht.nu +dnssec +mult
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9223
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 3072
;; QUESTION SECTION:
;*.personeelsrecht.nu.	IN A

;; ANSWER SECTION:
*.personeelsrecht.nu.	784 IN A 185.103.16.152
*.personeelsrecht.nu.	784 IN RRSIG A 13 2 901 (
				20230720000000 20230629000000 540 personeelsrecht.nu.
				f60CsPSOOPUhoaHx50iqHiubYqClt23e8tZx0xVSvdHV
				ymuAaAD6h5o3uikmGH+/Dz4QImruIafeJpZNdGfFDQ== )

;; AUTHORITY SECTION:
j2vf88arbbu8dhktpodbdm2bmrhcvbc8.personeelsrecht.nu. 784 IN NSEC3 1 0 10 C0FFEE (
				3IP1IA6ACI7506U9P09EMPAG3PI70O0C
				A NS SOA MX TXT RRSIG DNSKEY NSEC3PARAM )
j2vf88arbbu8dhktpodbdm2bmrhcvbc8.personeelsrecht.nu. 784 IN RRSIG NSEC3 13 3 901 (
				20230720000000 20230629000000 540 personeelsrecht.nu.
				NPMzWYrTQQNjkAdr6CAyiHLcue/XT/Gs0+iXuukt67Is
				3nLAI3U1FTtMJTgkQn1GI+nkCL75n6NGWtUj4vDH7w== )

;; Query time: 56 msec
;; SERVER: 10.30.7.2#53(10.30.7.2)
;; WHEN: Mon Jul 10 14:49:47 CEST 2023
;; MSG SIZE  rcvd: 376

When testing a non-existing domain, the following is returned, which is the query that zonemaster sends. Note that an NSEC3 record is included in the authority section.

; <<>> DiG 9.10.6 <<>> xx--oplk4f3fgh9lksdfhu7h--xx.personeelsrecht.nu +dnssec +mult
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51278
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 3072
;; QUESTION SECTION:
;xx--oplk4f3fgh9lksdfhu7h--xx.personeelsrecht.nu. IN A

;; ANSWER SECTION:
xx--oplk4f3fgh9lksdfhu7h--xx.personeelsrecht.nu. 901 IN	A 185.103.16.152
xx--oplk4f3fgh9lksdfhu7h--xx.personeelsrecht.nu. 901 IN	RRSIG A 13 2 901 (
				20230720000000 20230629000000 540 personeelsrecht.nu.
				f60CsPSOOPUhoaHx50iqHiubYqClt23e8tZx0xVSvdHV
				ymuAaAD6h5o3uikmGH+/Dz4QImruIafeJpZNdGfFDQ== )

;; AUTHORITY SECTION:
3ip1ia6aci7506u9p09empag3pi70o0c.personeelsrecht.nu. 901 IN NSEC3 1 0 10 C0FFEE (
				J2VF88ARBBU8DHKTPODBDM2BMRHCVBC8
				A RRSIG )
3ip1ia6aci7506u9p09empag3pi70o0c.personeelsrecht.nu. 901 IN RRSIG NSEC3 13 3 901 (
				20230720000000 20230629000000 540 personeelsrecht.nu.
				y9yvBckFWBDDs7Fl/xov4ssqhfEX1WY3lJUTTUGUD0tb
				7qQfG0GwoLfAcDWQVPI7PfK2BhISxvNEOFW1krb1pw== )

;; Query time: 323 msec
;; SERVER: 10.30.7.2#53(10.30.7.2)
;; WHEN: Mon Jul 10 15:24:00 CEST 2023
;; MSG SIZE  rcvd: 402

DNSviz sees no issue with the zone:

[image: DNSviz output for personeelsrecht.nu]

matsduf, Jul 10 '23 13:07
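As an added example (not the issue's or Zonemaster's code), this is the RFC 5155 check a DNSSEC10-style test needs for a NOERROR answer synthesised from a wildcard: detect the synthesis from the RRSIG Labels field, hash the next closer name with the zone's NSEC3 parameters, and confirm that the NSEC3 in the authority section covers it. The function names are mine; the inputs are the values from the second dig output above (salt C0FFEE, 10 iterations, RRSIG Labels 2), and the RFC 5155 Appendix A vector is used to check the hash routine.

```python
import hashlib

B32HEX = "0123456789abcdefghijklmnopqrstuv"   # RFC 4648 "extended hex" alphabet

def labels(name):
    return [l for l in name.lower().rstrip(".").split(".") if l]

def wire_name(name):
    """Canonical (lowercase) wire-format encoding of a domain name."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels(name)) + b"\x00"

def base32hex(data):
    """Lowercase base32hex without padding; NSEC3 digests are 20 bytes = 32 chars."""
    n = int.from_bytes(data, "big")
    return "".join(B32HEX[(n >> s) & 31] for s in range(len(data) * 8 - 5, -1, -5))

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 section 5: SHA-1(name || salt), re-hashed `iterations` more times."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)

def is_wildcard_expansion(owner, rrsig_labels):
    """RFC 4035 5.3.4: RRSIG Labels below the owner's label count means synthesis."""
    return rrsig_labels < len(labels(owner))

def nsec3_covers(owner_hash, next_hash, target_hash):
    """Strictly between owner and next; the last NSEC3 in the chain wraps around."""
    o, n, t = owner_hash.lower(), next_hash.lower(), target_hash.lower()
    return o < t < n if o < n else (t > o or t < n)

def check_wildcard_answer(qname, rrsig_labels, nsec3s, salt_hex, iterations):
    """Returns (wildcard_expanded, next_closer_covered).  A NOERROR answer that
    was synthesised from a wildcard is only valid if an NSEC3 covers the next
    closer name (RFC 5155 7.2.6); that is the NSEC3 a DNSSEC10 check must find."""
    if not is_wildcard_expansion(qname, rrsig_labels):
        return (False, False)
    next_closer = ".".join(labels(qname)[-(rrsig_labels + 1):])
    h = nsec3_hash(next_closer, salt_hex, iterations)
    return (True, any(nsec3_covers(o, n, h) for o, n in nsec3s))

# Values from the dig output above: NSEC3 params "1 0 10 C0FFEE", RRSIG Labels 2.
QNAME = "xx--oplk4f3fgh9lksdfhu7h--xx.personeelsrecht.nu"
NSEC3S = [("3ip1ia6aci7506u9p09empag3pi70o0c", "j2vf88arbbu8dhktpodbdm2bmrhcvbc8")]

if __name__ == "__main__":
    print(check_wildcard_answer(QNAME, 2, NSEC3S, "C0FFEE", 10))  # (True, True)
```

A check that only looks for NSEC/NSEC3 on NXDOMAIN responses misses this case entirely, which is what makes the reported DS10_MISSING_NSEC_NSEC3 a false positive.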