DNSSEC failure on insecure subzone
Reported on [knot-resolver-users](https://lists.nic.cz/pipermail/knot-resolver-users/2021/000396.html) by Matthew Richardson

Attempting to resolve `213-133-203-34.newtel.in-addr.itconsult.net. PTR` ends up with a DNSSEC failure, even though the record itself is in an insecure subzone.

> The zone cut is between itconsult.net & newtel.in-addr.itconsult.net.
> Also whilst itconsult.net is DNSSEC signed, newtel.in-addr.itconsult.net is
> not. Thus, in-addr.itconsult.net is an empty non-terminal.
>
> If one asks for NS for newtel.in-addr.itconsult.net, thereafter resolution
> of the PTR then succeeds

```
[plan ][00000.00] plan '213-133-203-34.newtel.in-addr.itconsult.net.' type 'PTR' uid [51359.00]
[iterat][51359.00] '213-133-203-34.newtel.in-addr.itconsult.net.' type 'PTR' new uid was assigned .01, parent uid .00
[cache ][51359.01] => skipping exact RR: rank 027 (min. 030), new TTL 43131
[cache ][51359.01] => trying zone: itconsult.net., NSEC3, hash c75d4f37
[cache ][51359.01] => NSEC3 depth 3: hash uabfrhboj2pe1qnmfscd0adr77hqoirb
[cache ][51359.01] => NSEC3 encloser error for 213-133-203-34.newtel.in-addr.itconsult.net.: range search miss (!covers)
[cache ][51359.01] => NSEC3 depth 2: hash 7kdfmdhll7ee02vprj1oivl33lg5r7vu
[cache ][51359.01] => NSEC3 encloser error for newtel.in-addr.itconsult.net.: range search miss (!covers)
[cache ][51359.01] => NSEC3 depth 1: hash 4je672clu0jh2pbkm6mdj2n4ps7e9t2h
[cache ][51359.01] => NSEC3 encloser: only found existence of an ancestor
[cache ][51359.01] => skipping zone: itconsult.net., NSEC, hash 0;new TTL -123456789, ret -2
[zoncut][51359.01] found cut: itconsult.net. (rank 002 return codes: DS 0, DNSKEY 0)
[select][51359.01] => id: '47786' choosing: 'd.itconsult-dns.co.uk.'@'2001:67c:10b8::100#00053' with timeout 400 ms zone cut: 'itconsult.net.'
[resolv][51359.01] => id: '47786' querying: 'd.itconsult-dns.co.uk.'@'2001:67c:10b8::100#00053' zone cut: 'itconsult.net.' qname: 'iN-ADDR.iTConSult.neT.' qtype: 'NS' proto: 'udp'
[select][51359.01] NO6: timeouted, appended, timeouts 5/6
[select][51359.01] => id: '47786' noting selection error: 'd.itconsult-dns.co.uk.'@'2001:67c:10b8::100#00053' zone cut: 'itconsult.net.' error: 1 QUERY_TIMEOUT
[iterat][51359.01] '213-133-203-34.newtel.in-addr.itconsult.net.' type 'PTR' new uid was assigned .02, parent uid .00
[select][51359.02] => id: '56910' choosing: 'd.itconsult-dns.co.uk.'@'176.97.158.100#00053' with timeout 38 ms zone cut: 'itconsult.net.'
[resolv][51359.02] => id: '56910' querying: 'd.itconsult-dns.co.uk.'@'176.97.158.100#00053' zone cut: 'itconsult.net.' qname: 'in-aDdR.itCONsuLt.neT.' qtype: 'NS' proto: 'udp'
[select][51359.02] => id: '56910' updating: 'd.itconsult-dns.co.uk.'@'176.97.158.100#00053' zone cut: 'itconsult.net.' with rtt 18 to srtt: 18 and variance: 4
[iterat][51359.02] <= rcode: NOERROR
[iterat][51359.02] <= retrying with non-minimized name
[iterat][51359.02] '213-133-203-34.newtel.in-addr.itconsult.net.' type 'PTR' new uid was assigned .03, parent uid .00
[select][51359.03] => id: '18773' choosing: 'd.itconsult-dns.co.uk.'@'176.97.158.100#00053' with timeout 38 ms zone cut: 'itconsult.net.'
[resolv][51359.03] => id: '18773' querying: 'd.itconsult-dns.co.uk.'@'176.97.158.100#00053' zone cut: 'itconsult.net.' qname: '213-133-203-34.nEWtEL.IN-AdDr.ITcONsuLt.NEt.' qtype: 'PTR' proto: 'udp'
[select][51359.03] => id: '18773' updating: 'd.itconsult-dns.co.uk.'@'176.97.158.100#00053' zone cut: 'itconsult.net.' with rtt 16 to srtt: 18 and variance: 4
[iterat][51359.03] <= rcode: NOERROR
[valdtr][51359.03] >< cut changed, needs revalidation
[resolv][51359.03] => resuming yielded answer
[valdtr][51359.03] >< no valid RRSIGs found: 213-133-203-34.newtel.in-addr.itconsult.net. PTR (0 matching RRSIGs, 0 expired, 0 not yet valid, 0 invalid signer, 0 invalid label count, 0 invalid key, 0 invalid crypto, 0 invalid NSEC)
[plan ][51359.03] plan 'in-addr.itconsult.net.' type 'DS' uid [51359.04]
[iterat][51359.04] 'in-addr.itconsult.net.' type 'DS' new uid was assigned .05, parent uid .03
[cache ][51359.05] => trying zone: itconsult.net., NSEC3, hash c75d4f37
[cache ][51359.05] => NSEC3 depth 1: hash 4je672clu0jh2pbkm6mdj2n4ps7e9t2h
[cache ][51359.05] => NSEC3 sname: match proved NODATA, new TTL 43131
[iterat][51359.05] <= rcode: NOERROR
[valdtr][51359.05] <= parent: updating DS
[valdtr][51359.05] <= answer valid, OK
[resolv][51359.03] => resuming yielded answer
[valdtr][51359.03] >< no valid RRSIGs found: 213-133-203-34.newtel.in-addr.itconsult.net. PTR (0 matching RRSIGs, 0 expired, 0 not yet valid, 0 invalid signer, 0 invalid label count, 0 invalid key, 0 invalid crypto, 0 invalid NSEC)
[plan ][51359.03] plan 'in-addr.itconsult.net.' type 'DS' uid [51359.06]
[iterat][51359.06] 'in-addr.itconsult.net.' type 'DS' new uid was assigned .07, parent uid .03
[cache ][51359.07] => trying zone: itconsult.net., NSEC3, hash c75d4f37
[cache ][51359.07] => NSEC3 depth 1: hash 4je672clu0jh2pbkm6mdj2n4ps7e9t2h
[cache ][51359.07] => NSEC3 sname: match proved NODATA, new TTL 43131
[iterat][51359.07] <= rcode: NOERROR
[valdtr][51359.07] <= parent: updating DS
[valdtr][51359.07] <= answer valid, OK
[resolv][51359.03] => resuming yielded answer
[valdtr][51359.03] >< no valid RRSIGs found: 213-133-203-34.newtel.in-addr.itconsult.net. PTR (0 matching RRSIGs, 0 expired, 0 not yet valid, 0 invalid signer, 0 invalid label count, 0 invalid key, 0 invalid crypto, 0 invalid NSEC)
[valdtr][51359.03] <= continuous revalidation, fails
[cache ][51359.03] => not overwriting PTR 213-133-203-34.newtel.in-addr.itconsult.net.
[cache ][51359.03] => not overwriting PTR 213-133-203-34.newtel.in-addr.itconsult.net.
[dnssec] validation failure: 213-133-203-34.newtel.in-addr.itconsult.net. PTR
[resolv][51359.00] request failed, answering with empty SERVFAIL
[resolv][51359.03] finished in state: 8, queries: 2, mempool: 32800 B
```
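A triage aid for the trace in the report, added here as an example and not part of the original report or of Knot Resolver: it lists the names between the cached zone cut and the failing qname and shows which of them the resolver planned a `DS` lookup for. The function names and the abridged trace excerpt are this example's own.

```python
import re

# Abridged from the trace in the report: one entry per line, RRSIG counters dropped.
TRACE = """\
[zoncut][51359.01] found cut: itconsult.net. (rank 002 return codes: DS 0, DNSKEY 0)
[valdtr][51359.03] >< cut changed, needs revalidation
[valdtr][51359.03] >< no valid RRSIGs found: 213-133-203-34.newtel.in-addr.itconsult.net. PTR
[plan ][51359.03] plan 'in-addr.itconsult.net.' type 'DS' uid [51359.04]
[cache ][51359.05] => NSEC3 sname: match proved NODATA, new TTL 43131
[valdtr][51359.03] >< no valid RRSIGs found: 213-133-203-34.newtel.in-addr.itconsult.net. PTR
[plan ][51359.03] plan 'in-addr.itconsult.net.' type 'DS' uid [51359.06]
[cache ][51359.07] => NSEC3 sname: match proved NODATA, new TTL 43131
[valdtr][51359.03] >< no valid RRSIGs found: 213-133-203-34.newtel.in-addr.itconsult.net. PTR
[valdtr][51359.03] <= continuous revalidation, fails
[dnssec] validation failure: 213-133-203-34.newtel.in-addr.itconsult.net. PTR
"""

CUT = re.compile(r"found cut: (\S+)")
PLAN_DS = re.compile(r"plan '([^']+)' type 'DS'")
FAIL = re.compile(r"\[dnssec\] validation failure: (\S+) (\S+)")

def names_below(apex, qname):
    """Owner names strictly below `apex` on the path to `qname`, shallowest first."""
    a = apex.rstrip(".").lower().split(".")
    q = qname.rstrip(".").lower().split(".")
    if q[-len(a):] != a:
        raise ValueError(f"{qname} is not at or below {apex}")
    return [".".join(q[i:]) + "." for i in range(len(q) - len(a) - 1, -1, -1)]

def triage(trace):
    """Compare the DS lookups the resolver planned with the names where a cut could sit."""
    cut, fail = CUT.search(trace), FAIL.search(trace)
    if not (cut and fail):
        raise ValueError("trace has no 'found cut' or 'validation failure' entry")
    planned = [m.group(1).lower() for m in PLAN_DS.finditer(trace)]
    path = names_below(cut.group(1), fail.group(1))
    return {
        "cut": cut.group(1),
        "failed": fail.groups(),
        "ds_planned": planned,
        "ds_never_planned": [n for n in path if n not in planned],
        "rrsig_failures": trace.count("no valid RRSIGs found"),
    }

if __name__ == "__main__":
    for key, value in triage(TRACE).items():
        print(f"{key}: {value}")
```

On this trace the only `DS` lookups are for the empty non-terminal `in-addr.itconsult.net.`, planned twice with the same NODATA result; none is planned for `newtel.in-addr.itconsult.net.`, the name the reporter identifies as the unsigned child zone.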