DNSSEC validation failing for NSEC signed zone with deeper wildcard
When testing on the zones linked below (in local knotd), and when asked for dig @127.0.0.1 -p 53 A shit.wildc.nsec.test.knot-resolver.cz +dnssec, the resolver ends up SERVFAILing because it can't validate the proof of non-existence of the wildc.nsec.test.knot-resolver.cz. DS record:
[44720.12][resl] => id: '36540' querying: '127.0.0.1#05353' score: 21 zone cut: 'nsec.test.knot-resolver.cz.' qname: 'wilDC.nSEc.teSt.KnOT-REsolVER.cz.' qtype: 'DS' proto: 'udp'
[44720.12][iter] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 36540
;; Flags: qr aa rd QUERY: 1; ANSWER: 0; AUTHORITY: 6; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 4096 B; ext-rcode: Unused
;; QUESTION SECTION
wildc.nsec.test.knot-resolver.cz. DS
;; AUTHORITY SECTION
nsec.test.knot-resolver.cz. 3600 SOA dns1.example.com. hostmaster.example.com. 2010111238 21600 3600 604800 86400
*.wild.nsec.test.knot-resolver.cz. 86400 NSEC *.wildc.nsec.test.knot-resolver.cz. A RRSIG NSEC
*.wildc.nsec.test.knot-resolver.cz. 86400 NSEC nsec.test.knot-resolver.cz. CNAME RRSIG NSEC
nsec.test.knot-resolver.cz. 3600 RRSIG SOA 13 4 3600 20370101153211 20190118140211 25023 nsec.test.knot-resolver.cz. YlGILkcuX6EpClR9YBmNZP/2G6UaCWLFB2LxLMfU40h+qARSMwsaaRrBPt9mO7kMS1e6r/vG9muP/tkgIPmEJA==
*.wild.nsec.test.knot-resolver.cz. 86400 RRSIG NSEC 13 5 86400 20370101153211 20190118140211 25023 nsec.test.knot-resolver.cz. HnNsj0OoA82ltnf+iFEdyvUqpw/3DSkeZCGGKKCbvvP0ENgT6jeRP8euL19WBVvloPTb8LUMQWb9FhgauuRtmg==
*.wildc.nsec.test.knot-resolver.cz. 86400 RRSIG NSEC 13 5 86400 20370101153211 20190118140211 25023 nsec.test.knot-resolver.cz. rbFDZXGXSY1J4wWzeIN+EqnKCjr6ZsA/9lZV/yy5ILzi9K2z4IxIp09uKS2qasK/nVuWAdqonFgLteCLuUew6g==
[44720.12][iter] <= rcode: NOERROR
[44720.12][vldr] <= bad NODATA proof
[44720.12][cach] => stashed nsec.test.knot-resolver.cz. SOA, rank 020, 190 B total, incl. 1 RRSIGs
[44720.12][cach] => stashed packet: rank 025, TTL 1, DS wildc.nsec.test.knot-resolver.cz. (615 B)
[44720.12][resl] finished: 8, queries: 3, mempool: 32800 B
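To see what the two NSEC records in the authority section above actually prove about the DS query, the following added example (written for this report, not code from kresd or knotd) applies RFC 4034 section 6.1 canonical name ordering to them. It checks whether an NSEC covers or matches the query name and, when the covering NSEC's next name lies below the query name, treats the query name as an empty non-terminal, which by RFC 4035 has no RRsets at all and therefore legitimately yields a NODATA answer. The NSEC lines are copied from the answer quoted above; the check is deliberately limited to ordering and bitmap logic and does not verify RRSIGs or handle the wildcard-owner and closest-encloser special cases a full validator must cover.

```python
"""Check which NSEC in a NODATA answer covers or matches the query name,
using RFC 4034 canonical ordering.  Added example, not kresd/knotd code."""

# NSEC records copied from the authority section of the answer quoted above.
NSEC_LINES = [
    "*.wild.nsec.test.knot-resolver.cz. 86400 NSEC *.wildc.nsec.test.knot-resolver.cz. A RRSIG NSEC",
    "*.wildc.nsec.test.knot-resolver.cz. 86400 NSEC nsec.test.knot-resolver.cz. CNAME RRSIG NSEC",
]


def canonical_key(name):
    """RFC 4034 s6.1 ordering: compare labels right to left, case-folded,
    as octet strings; a parent name sorts before its children."""
    name = name.rstrip(".").lower()
    labels = name.split(".") if name else []
    return [label.encode("ascii") for label in reversed(labels)]


def is_subdomain(name, ancestor):
    """True if `name` is strictly below `ancestor`."""
    a, n = canonical_key(ancestor), canonical_key(name)
    return len(n) > len(a) and n[: len(a)] == a


def parse_nsec(line):
    """Split presentation-format 'owner TTL NSEC next type...' into parts."""
    owner, _ttl, rrtype, nxt, *types = line.split()
    assert rrtype == "NSEC", line
    return owner, nxt, set(types)


def nsec_covers(owner, nxt, qname):
    """True if qname sorts strictly between owner and next name."""
    o, n, q = canonical_key(owner), canonical_key(nxt), canonical_key(qname)
    if o < n:
        return o < q < n
    # Last NSEC in the zone: next name is the apex, so it covers every name after owner.
    return q > o or q < n


def classify_nodata_proof(qname, qtype, nsec_lines):
    """Return how the NSEC set proves NODATA for (qname, qtype), or None.

    'matching': an NSEC owned by qname whose type bitmap lacks qtype.
    'ent'     : an NSEC covering qname whose next name lies below qname,
                i.e. qname is an empty non-terminal with no RRsets at all.
    """
    for line in nsec_lines:
        owner, nxt, types = parse_nsec(line)
        if canonical_key(owner) == canonical_key(qname):
            if qtype not in types:
                return "matching"
        elif nsec_covers(owner, nxt, qname) and is_subdomain(nxt, qname):
            return "ent"
    return None


if __name__ == "__main__":
    qname = "wildc.nsec.test.knot-resolver.cz."
    for line in NSEC_LINES:
        owner, nxt, _ = parse_nsec(line)
        print(f"{owner} covers {qname}: {nsec_covers(owner, nxt, qname)}")
    print("proof type:", classify_nodata_proof(qname, "DS", NSEC_LINES))
```

Run against the quoted answer, the first NSEC (owner *.wild..., next *.wildc...) covers wildc.nsec.test.knot-resolver.cz. and its next name sits below the query name, so the set is an empty-non-terminal NODATA proof; the second NSEC wraps to the apex and does not cover the query name.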
When asked for the respective record in the NSEC3-signed zone, the resolver validates with no problem.
Below I link all three zonefiles as well as the configurations of both kresd and knotd I used.