kresd failed to validate transition to insecure zone on final name in some circumstances
Based on !604 (closed) from @vavrusam
On a transition to an insecure zone on the final name (e.g. wifi.kabel-deutschland.de), it will never try to fetch DS to prove the transition, but keeps asking for RRSIG from the child zone instead.
Activity
- Author Contributor
Example
```
[ 0][plan] plan 'dynamic.kabel-deutschland.de.' type 'A'
[24961][iter] 'dynamic.kabel-deutschland.de.' type 'A' id was assigned, parent id 0
[24961][cach] => not even root NS in cache, but let's try NSEC
[24961][cach] => trying zone: .
[24961][cach] => NSEC sname: range search found inconsistent entry
[24961][resl] => using root hints
[56727][iter] 'dynamic.kabel-deutschland.de.' type 'A' id was assigned, parent id 0
[56727][resl] >< TA: '.'
[56727][plan] plan '.' type 'DNSKEY'
[36823][iter] '.' type 'DNSKEY' id was assigned, parent id 56727
[36823][cach] => satisfied by exact RR or CNAME: rank 060, new TTL 172769, scope /0
[36823][iter] <= rcode: NOERROR
[36823][vldr] <= parent: updating DNSKEY
[36823][vldr] <= answer valid, OK
[ 6869][iter] 'dynamic.kabel-deutschland.de.' type 'A' id was assigned, parent id 0
[ 6869][resl] => querying: '192.203.230.10' score: 10 zone cut: '.' qname: 'de.' qtype: 'NS' proto: 'udp'
[ 6869][iter] <= loaded 6 glue addresses
[ 6869][iter] <= referral response, follow
[ 6869][vldr] >< failed to validate but skipping: de. NS
[ 6869][vldr] <= DS: OK
[ 6869][vldr] <= answer valid, OK
[ 6869][cach] => stashed rank: 060, DS de., scoped: 0 (330 B total, incl. 1 RRSIGs)
[ 6869][cach] => stashed rank: 002, NS de., scoped: 0 (87 B total, incl. 0 RRSIGs)
[ 6869][cach] => stashed also 11 nonauth RRsets
[ 6869][resl] <= server: '192.203.230.10' rtt: 63 ms
[31577][iter] 'dynamic.kabel-deutschland.de.' type 'A' id was assigned, parent id 0
[31577][plan] plan 'de.' type 'DNSKEY'
[14151][iter] 'de.' type 'DNSKEY' id was assigned, parent id 31577
[14151][cach] => trying zone: de.
[14151][cach] => NSEC sname: range search miss (!nsec_in_zone)
[14151][resl] => querying: '194.246.96.1' score: 10 zone cut: 'de.' qname: 'De.' qtype: 'DNSKEY' proto: 'udp'
[14151][iter] <= rcode: NOERROR
[14151][vldr] <= parent: updating DNSKEY
[14151][vldr] <= answer valid, OK
[14151][cach] => stashed rank: 060, DNSKEY de., scoped: 0 (837 B total, incl. 1 RRSIGs)
[14151][resl] <= server: '194.246.96.1' rtt: 86 ms
[47724][iter] 'dynamic.kabel-deutschland.de.' type 'A' id was assigned, parent id 0
[47724][resl] => querying: '195.243.137.26' score: 10 zone cut: 'de.' qname: 'KaBEL-deUtSchLAnD.DE.' qtype: 'NS' proto: 'udp'
[47724][resl] => querying: '194.146.107.6' score: 10 zone cut: 'de.' qname: 'KaBEL-deUtSchLAnD.DE.' qtype: 'NS' proto: 'udp'
[47724][iter] <= loaded 2 glue addresses
[47724][iter] <= referral response, follow
[47724][vldr] >< failed to validate but skipping: kabel-deutschland.de. NS
[47724][vldr] <= DS: OK
[47724][vldr] <= answer valid, OK
[47724][cach] => stashed rank: 060, DS kabel-deutschland.de., scoped: 0 (205 B total, incl. 1 RRSIGs)
[47724][cach] => stashed rank: 002, NS kabel-deutschland.de., scoped: 0 (93 B total, incl. 0 RRSIGs)
[47724][cach] => stashed also 4 nonauth RRsets
[47724][resl] <= server: '195.243.137.26' rtt: 211 ms
[47724][resl] <= server: '194.146.107.6' rtt: >= 11 ms
[26461][iter] 'dynamic.kabel-deutschland.de.' type 'A' id was assigned, parent id 0
[26461][plan] plan 'kabel-deutschland.de.' type 'DNSKEY'
[54088][iter] 'kabel-deutschland.de.' type 'DNSKEY' id was assigned, parent id 26461
[54088][cach] => trying zone: kabel-deutschland.de.
[54088][cach] => NSEC sname: range search miss (!nsec_in_zone)
[54088][resl] => querying: '83.169.185.44' score: 10 zone cut: 'kabel-deutschland.de.' qname: 'KABeL-DEuTSChlAnd.dE.' qtype: 'DNSKEY' proto: 'udp'
[54088][iter] <= rcode: NOERROR
[54088][vldr] <= parent: updating DNSKEY
[54088][vldr] <= answer valid, OK
[54088][cach] => stashed rank: 060, DNSKEY kabel-deutschland.de., scoped: 0 (191 B total, incl. 1 RRSIGs)
[54088][resl] <= server: '83.169.185.44' rtt: 160 ms
[16973][iter] 'dynamic.kabel-deutschland.de.' type 'A' id was assigned, parent id 0
[16973][resl] => querying: '83.169.184.44' score: 10 zone cut: 'kabel-deutschland.de.' qname: 'dynAmIc.KaBeL-dEutschland.de.' qtype: 'A' proto: 'udp'
[16973][iter] <= rcode: NOERROR
[16973][vldr] >< cut changed, needs revalidation
[16973][resl] <= server: '83.169.184.44' rtt: 214 ms
[16973][resl] => resuming yielded answer
[16973][vldr] >< no valid RRSIGs found for dynamic.kabel-deutschland.de. A
[16973][plan] plan 'dynamic.kabel-deutschland.de.' type 'RRSIG'
[37485][iter] 'dynamic.kabel-deutschland.de.' type 'RRSIG' id was assigned, parent id 16973
[37485][resl] => querying: '83.169.185.44' score: 160 zone cut: 'kabel-deutschland.de.' qname: 'dyNAmiC.KaBel-deUtsChLAND.De.' qtype: 'RRSIG' proto: 'udp'
[37485][iter] <= rcode: NOTIMPL
[37485][vldr] >< cut changed, needs revalidation
[37485][resl] <= server: '83.169.185.44' rtt: 168 ms
[37485][resl] => resuming yielded answer
[37485][vldr] <= answer valid, OK
[61105][iter] 'dynamic.kabel-deutschland.de.' type 'RRSIG' id was assigned, parent id 16973
[61105][resl] => querying: '83.169.185.44' score: 164 zone cut: 'kabel-deutschland.de.' qname: 'Dynamic.kAbEl-DeuTschlAND.De.' qtype: 'RRSIG' proto: 'udp'
[61105][iter] <= rcode: NOTIMPL
[61105][vldr] >< cut changed, needs revalidation
[61105][resl] => resuming yielded answer
[61105][vldr] <= answer valid, OK
[62969][iter] 'dynamic.kabel-deutschland.de.' type 'RRSIG' id was assigned, parent id 16973
[62969][resl] => querying: '83.169.185.44' score: 164 zone cut: 'kabel-deutschland.de.' qname: 'dynamic.kabel-deutschland.de.' qtype: 'RRSIG' proto: 'udp'
[62969][resl] => querying: '83.169.184.44' score: 164 zone cut: 'kabel-deutschland.de.' qname: 'dynamic.kabel-deutschland.de.' qtype: 'RRSIG' proto: 'udp'
[62969][iter] <= rcode: NOTIMPL
[62969][resl] => server: '83.169.185.44' flagged as 'bad'
[42862][iter] 'dynamic.kabel-deutschland.de.' type 'RRSIG' id was assigned, parent id 16973
[42862][resl] => querying: '83.169.184.44' score: 214 zone cut: 'kabel-deutschland.de.' qname: 'dynamic.kabel-deutschland.de.' qtype: 'RRSIG' proto: 'udp'
[42862][iter] <= rcode: NOTIMPL
[42862][resl] => server: '83.169.184.44' flagged as 'bad'
[55564][iter] 'dynamic.kabel-deutschland.de.' type 'RRSIG' id was assigned, parent id 16973
[55564][resl] => no NS with an address
[26608][iter] 'dynamic.kabel-deutschland.de.' type 'RRSIG' id was assigned, parent id 16973
[26608][resl] => no NS with an address
[16973][resl] => resuming yielded answer
[16973][vldr] >< no valid RRSIGs found for dynamic.kabel-deutschland.de. A
[16973][plan] plan 'dynamic.kabel-deutschland.de.' type 'RRSIG'
[34094][iter] 'dynamic.kabel-deutschland.de.' type 'RRSIG' id was assigned, parent id 16973
[34094][resl] => querying: '83.169.185.44' score: 794 zone cut: 'kabel-deutschland.de.' qname: 'DyNamIC.KabeL-DeuTschLAnd.dE.' qtype: 'RRSIG' proto: 'udp'
[34094][iter] <= rcode: NOTIMPL
[34094][vldr] >< cut changed, needs revalidation
[34094][resl] <= server: '83.169.185.44' rtt: 170 ms
[34094][resl] => resuming yielded answer
[34094][vldr] <= answer valid, OK
[ 54][iter] 'dynamic.kabel-deutschland.de.' type 'RRSIG' id was assigned, parent id 16973
[ 54][resl] => querying: '83.169.185.44' score: 482 zone cut: 'kabel-deutschland.de.' qname: 'DyNamIc.kAbEL-deUTscHLANd.De.' qtype: 'RRSIG' proto: 'udp'
[ 54][iter] <= rcode: NOTIMPL
[ 54][vldr] >< cut changed, needs revalidation
[ 54][resl] => resuming yielded answer
[ 54][vldr] <= answer valid, OK
[44117][iter] 'dynamic.kabel-deutschland.de.' type 'RRSIG' id was assigned, parent id 16973
[44117][resl] => querying: '83.169.185.44' score: 482 zone cut: 'kabel-deutschland.de.' qname: 'dynamic.kabel-deutschland.de.' qtype: 'RRSIG' proto: 'udp'
[44117][iter] <= rcode: NOTIMPL
[44117][resl] => server: '83.169.185.44' flagged as 'bad'
[45261][iter] 'dynamic.kabel-deutschland.de.' type 'RRSIG' id was assigned, parent id 16973
[45261][resl] => querying: '83.169.184.44' score: 819 zone cut: 'kabel-deutschland.de.' qname: 'dynamic.kabel-deutschland.de.' qtype: 'RRSIG' proto: 'udp'
[45261][iter] <= rcode: NOTIMPL
[45261][resl] => server: '83.169.184.44' flagged as 'bad'
[41859][iter] 'dynamic.kabel-deutschland.de.' type 'RRSIG' id was assigned, parent id 16973
[41859][resl] => no NS with an address
[35200][iter] 'dynamic.kabel-deutschland.de.' type 'RRSIG' id was assigned, parent id 16973
[35200][resl] => no NS with an address
[16973][resl] => resuming yielded answer
[16973][vldr] <= continuous revalidation, fails
[16973][cach] => stashed rank: 027, A dynamic.kabel-deutschland.de., scoped: 0 (21 B total, incl. 0 RRSIGs)
[16973][cach] => stashed packet: rank 025, TTL 86400, A dynamic.kabel-deutschland.de. (86 B)
[16973][resl] finished: 8, queries: 5, mempool: 49200 B
```
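A log check for the symptom in this trace, as an added example that is not part of the original issue or of Knot Resolver's code: it scans a kresd verbose log for names whose RRSIG sub-query was planned repeatedly while no DS lookup for that same name was planned or cached. The function name, the threshold and the `plan ... type 'DS'` entry format (assumed to match the other plan entries) are assumptions; the sample is abridged from the trace above.

```python
import re
from collections import Counter

# Constructed sample: entries abridged from the trace in this issue, one per line.
SAMPLE = """\
[47724][vldr] <= DS: OK
[47724][cach] => stashed rank: 060, DS kabel-deutschland.de., scoped: 0 (205 B total, incl. 1 RRSIGs)
[26461][plan] plan 'kabel-deutschland.de.' type 'DNSKEY'
[16973][vldr] >< no valid RRSIGs found for dynamic.kabel-deutschland.de. A
[16973][plan] plan 'dynamic.kabel-deutschland.de.' type 'RRSIG'
[37485][iter] <= rcode: NOTIMPL
[16973][vldr] >< no valid RRSIGs found for dynamic.kabel-deutschland.de. A
[16973][plan] plan 'dynamic.kabel-deutschland.de.' type 'RRSIG'
[34094][iter] <= rcode: NOTIMPL
[16973][vldr] <= continuous revalidation, fails
"""

ENTRY = re.compile(r"^\[\s*\d+\]\[(\w+)\]\s+(.*)$")       # [id][tag] message
PLAN = re.compile(r"plan '([^']+)' type '(\w+)'")          # planned sub-query
STASHED_DS = re.compile(r"stashed rank: \d+, DS (\S+),")   # DS RRset written to cache

def rrsig_loops_without_ds(log_text, min_plans=2):
    """Map each name with >= min_plans RRSIG plans and no DS lookup to its plan count."""
    rrsig_plans, ds_names = Counter(), set()
    for raw in log_text.splitlines():
        entry = ENTRY.match(raw.strip())
        if not entry:
            continue  # not a verbose-log entry
        tag, msg = entry.groups()
        plan = PLAN.search(msg) if tag == "plan" else None
        if plan:
            name, qtype = plan.group(1).lower(), plan.group(2)
            if qtype == "RRSIG":
                rrsig_plans[name] += 1
            elif qtype == "DS":   # assumed format, same as other plan entries
                ds_names.add(name)
        stashed = STASHED_DS.search(msg) if tag == "cach" else None
        if stashed:
            ds_names.add(stashed.group(1).lower())
    return {name: count for name, count in rrsig_plans.items()
            if count >= min_plans and name not in ds_names}

if __name__ == "__main__":
    for name, count in rrsig_loops_without_ds(SAMPLE).items():
        print(f"{name}: RRSIG planned {count}x, no DS lookup for this name")
```

The DS stashed for `kabel-deutschland.de.` does not clear the finding, because the missing proof concerns the final name itself.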
- Grigorii Demidov mentioned in merge request !607 (merged)
- Grigorii Demidov closed via commit de5bca63
- Grigorii Demidov closed via merge request !607 (merged)
- Grigorii Demidov mentioned in commit de5bca63