BIND issue #742
Issue created Nov 27, 2018 by Cathy Almond (@cathya, Developer)

[ISC-support #13767] NSEC3 typemap improperly includes DNSKEY RRset instead of ignoring it as out-of-zone

Summary

During an in-depth validation of a DNSSEC-signed zone (using NSEC3), it was uncovered that there was an inconsistency that not all zone validation tools highlighted.

Due to an administrative error, a delegated zone had inserted both its DS and KSK DNSKEY RRs into the parent zone. The NSEC3 RR covering those included DNSKEY in the typemap, even though the DNSKEY RR should be occluded by the delegation and ignored. (We don't know if named also signed the out-of-zone RRset, but this should also be checked for as a potential extension to this defect.)

We do not believe that this defect causes validation failures in DNSSEC-validating resolvers.

BIND version used

9.11.4-P2

What is the current bug behavior?

As identified by jdnssec-verifyzone:

    $ jdnssec-verifyzone -v 2 (zone redacted for privacy)
    WARNING: Typemap for NSEC3 RR (name redacted for privacy) for (zone redacted for privacy) did not match what was expected. Expected 'NS DS RRSIG', got 'NS DS RRSIG DNSKEY'
    zone did not verify.

(Note that neither dnssec-verify nor validns flagged this as wrong.)

What is the expected correct behavior?

The covering NSEC3 should not have included the DNSKEY RR in the typemap.

Reported in Support ticket https://support.isc.org/Ticket/Display.html?id=13767

Edited Dec 07, 2018 by Support RT
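The following is an added worked example, not code from the report, from BIND, or from jdnssec-verifyzone. It shows the check that the ticket's verifier performed: compute the type bit map an NSEC3 RR should carry for each owner name, applying the delegation-occlusion rules (informally after RFC 5155 section 7.1), and compare it with the typemaps a signer actually emitted. The sample zone, the owner names and the observed typemaps are all constructed; a real checker would key typemaps by hashed owner name and read the zone from a file, but plain owner names keep the example offline.

```python
from collections import defaultdict

# Constructed sample zone (not from the report): a signed NSEC3 zone "example."
# with a delegation "child.example." whose operator, as in the ticket, has
# mistakenly put the child's DNSKEY into the parent alongside the DS.
# Records are (owner, rrtype); RRSIGs are listed where a signer would add them.
SAMPLE_APEX = "example."
SAMPLE_RRS = [
    ("example.", "SOA"), ("example.", "NS"), ("example.", "DNSKEY"),
    ("example.", "NSEC3PARAM"), ("example.", "RRSIG"),
    ("www.example.", "A"), ("www.example.", "RRSIG"),
    ("child.example.", "NS"), ("child.example.", "DS"), ("child.example.", "RRSIG"),
    ("child.example.", "DNSKEY"),   # out-of-zone at a cut: must be occluded
    ("ns1.child.example.", "A"),    # glue below the cut: gets no NSEC3 at all
]

# Type bit maps as a signer emitted them, keyed by original owner name
# (constructed; a real checker would key by the hashed owner name).
OBSERVED_TYPEMAPS = {
    "example.": {"SOA", "NS", "DNSKEY", "NSEC3PARAM", "RRSIG"},
    "www.example.": {"A", "RRSIG"},
    "child.example.": {"NS", "DS", "RRSIG", "DNSKEY"},   # the defect from the report
}


def is_below(name, ancestor):
    """True if name is a proper subdomain of ancestor (both fully qualified)."""
    return name != ancestor and name.endswith("." + ancestor)


def delegation_points(rrs, apex):
    """Every non-apex owner that holds an NS RRset is a zone cut."""
    return {owner for owner, rtype in rrs if rtype == "NS" and owner != apex}


def expected_typemaps(rrs, apex):
    """Compute, per owner name, the types an NSEC3 typemap should list.

    Rules applied (informally after RFC 5155 section 7.1):
      * names below a zone cut are occluded and get no NSEC3 at all;
      * at a cut only NS and DS are in the parent zone; RRSIG is listed
        only when a DS is present, because the DS RRset is what the
        parent signs; anything else at the cut (e.g. DNSKEY) is occluded;
      * elsewhere the typemap mirrors the types present at the name.
    """
    cuts = delegation_points(rrs, apex)
    present = defaultdict(set)
    for owner, rtype in rrs:
        present[owner].add(rtype)

    expected = {}
    for owner, types in present.items():
        if any(is_below(owner, cut) for cut in cuts):
            continue                      # occluded name: no NSEC3
        if owner in cuts:
            kept = types & {"NS", "DS"}   # drops the stray DNSKEY
            if "DS" in kept:
                kept.add("RRSIG")
            expected[owner] = kept
        else:
            expected[owner] = set(types)
    return expected


def find_typemap_mismatches(rrs, apex, observed):
    """Return (owner, expected, observed) for every typemap that disagrees."""
    expected = expected_typemaps(rrs, apex)
    mismatches = []
    for owner in sorted(set(expected) | set(observed)):
        exp, obs = expected.get(owner), observed.get(owner)
        if exp != obs:
            mismatches.append((owner, exp, obs))
    return mismatches


if __name__ == "__main__":
    for owner, exp, obs in find_typemap_mismatches(SAMPLE_RRS, SAMPLE_APEX,
                                                   OBSERVED_TYPEMAPS):
        print(f"{owner}: expected {sorted(exp or ())}, got {sorted(obs or ())}")
```

Run as-is, the only mismatch reported is the delegation point: expected `NS DS RRSIG`, observed `NS DS RRSIG DNSKEY`, which is exactly the warning jdnssec-verifyzone printed in the ticket. The glue name below the cut produces no expected typemap at all, so a signer that emitted an NSEC3 for it would also be flagged.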