duplicate NSEC records in the response
Knot includes duplicate NSEC records in the response, while it should not.
https://tools.ietf.org/html/rfc4035#section-3.1.3.2
In some cases, a single NSEC RR may prove both of these points. If
it does, the name server SHOULD only include the NSEC RR and its
RRSIG RR(s) once in the Authority section.
zone:
;; Zone dump (Knot DNS 1.99.1)
nsec. 3600 IN SOA ns.nsec. devnull.nsec. 2 60 60 2419200 3600
nsec. 3600 NS ns.nsec.
nsec. 3600 A 127.0.0.1
ns.nsec. 3600 A 127.0.0.1
*.wc.nsec. 3600 A 0.0.0.0
*.wc.nsec. 3600 TXT "wc match"
hit.wc.nsec. 3600 A 1.1.1.1
hit.wc.nsec. 3600 TXT "no wc"
kdig (wildcard match response):
% kdig @::1 -p 53000 +dnssec SOA foo.wc.nsec.
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 20217
;; Flags: qr aa rd; QUERY: 1; ANSWER: 0; AUTHORITY: 6; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 4096 B; ext-rcode: Unused
;; QUESTION SECTION:
;; foo.wc.nsec. IN SOA
;; AUTHORITY SECTION:
nsec. 3600 IN SOA ns.nsec. devnull.nsec. 2 60 60 2419200 3600
*.wc.nsec. 3600 IN NSEC hit.wc.nsec. A TXT RRSIG NSEC
*.wc.nsec. 3600 IN NSEC hit.wc.nsec. A TXT RRSIG NSEC
nsec. 3600 IN RRSIG SOA 13 1 3600 20150326155808 20150224155808 19581 nsec. WSumTkGiEdbavC1B3E0w4foIFRvT7ttBKxIbe0YWtLrkUIwqDiBI9HUwSzQh/JjMubQGlWp4p+NbPl2sxipRTg==
*.wc.nsec. 3600 IN RRSIG NSEC 13 2 3600 20150326155808 20150224155808 19581 nsec. MpDdYn7LClVx+Ju8kQN8HFmh6kvFlkp6PVraCrePPFwv5HR9FaJYqncsNpF3m3zDrNLR5+DF62PGtTx7NSQGZg==
*.wc.nsec. 3600 IN RRSIG NSEC 13 2 3600 20150326155808 20150224155808 19581 nsec. MpDdYn7LClVx+Ju8kQN8HFmh6kvFlkp6PVraCrePPFwv5HR9FaJYqncsNpF3m3zDrNLR5+DF62PGtTx7NSQGZg==
;; Received 457 B
;; Time 2015-02-24 17:03:29 CET
;; From ::1@53000(UDP) in 0.0 m
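Added example (not part of the original report or of Knot's code): a Python check that the single NSEC in the response above proves both points of RFC 4035 section 3.1.3.2, and that flags RRs repeated in the Authority section. The function names are hypothetical, the RRSIG signature fields are replaced by constructed placeholders, and escaped dots in names are not handled.

```python
from collections import Counter

# AUTHORITY section from the report; signature fields replaced by constructed placeholders.
AUTHORITY = """\
nsec. 3600 IN SOA ns.nsec. devnull.nsec. 2 60 60 2419200 3600
*.wc.nsec. 3600 IN NSEC hit.wc.nsec. A TXT RRSIG NSEC
*.wc.nsec. 3600 IN NSEC hit.wc.nsec. A TXT RRSIG NSEC
nsec. 3600 IN RRSIG SOA 13 1 3600 20150326155808 20150224155808 19581 nsec. SIG-SOA
*.wc.nsec. 3600 IN RRSIG NSEC 13 2 3600 20150326155808 20150224155808 19581 nsec. SIG-NSEC
*.wc.nsec. 3600 IN RRSIG NSEC 13 2 3600 20150326155808 20150224155808 19581 nsec. SIG-NSEC
"""

def parse_rrs(text):
    """Return (owner, type, rdata) tuples from dig/kdig presentation lines."""
    rrs = []
    for line in text.splitlines():
        if line.strip() and not line.startswith(";"):
            owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
            rrs.append((owner.lower(), rtype, rdata))
    return rrs

def canonical_key(name):
    """RFC 4034 section 6.1 order: lowercase labels compared right to left."""
    return [l.encode() for l in reversed(name.lower().rstrip(".").split("."))]

def nsec_covers(owner, next_name, qname):
    """True if qname sorts strictly between the NSEC owner and its next name."""
    o, n, q = (canonical_key(x) for x in (owner, next_name, qname))
    return o < q < n if o < n else (q > o or q < n)  # last NSEC wraps to the apex

def one_nsec_proves_both(nsec_rr, qname, qtype):
    """Wildcard NODATA: the wildcard's own NSEC lacks qtype AND covers qname."""
    owner, _, rdata = nsec_rr
    next_name, *types = rdata.split()
    under_wildcard = owner.startswith("*.") and qname.lower().endswith("." + owner[2:])
    return under_wildcard and qtype not in types and nsec_covers(owner, next_name, qname)

def duplicate_rrs(rrs):
    """RRs appearing more than once; RFC 4035 3.1.3.2 says include them once."""
    return sorted(rr for rr, count in Counter(rrs).items() if count > 1)

if __name__ == "__main__":
    rrs = parse_rrs(AUTHORITY)
    nsec = next(rr for rr in rrs if rr[1] == "NSEC")
    print("single NSEC proves both:", one_nsec_proves_both(nsec, "foo.wc.nsec.", "SOA"))
    for rr in duplicate_rrs(rrs):
        print("duplicate:", *rr)
```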