New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
auth: Bind fails to validate insecure delegation with NSEC enabled #1289
Comments
Unbound has no trouble with the full query and correctly concludes Insecure - but when you ask it for 0.pasilehto.fi it claims "NameError response has failed to prove: covering wildcard does not exist" |
While this smells like a bug in both Unbound and BIND, it is statistically likely to still be our fault. |
Problem seems to fix itself once non-terminals are added. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
When there is a long delegation, such as (real life examples)
1.0.0.0.1.0.0.0.pasilehto.fi.
and
0.0.0.0.1.0.0.0.pasilehto.fi.
Then BIND recursor fails to validate f.ex.
5.2.0.0.0.1.0.0.0.0.0.0.0.0.0.0.1.0.0.0.1.0.0.0.pasilehto.fi
or
5.2.0.0.0.1.0.0.0.0.0.0.0.0.0.0.1.0.0.0.0.0.0.0.pasilehto.fi
So far tested, bind 9.9.3-P2, and 9.9.4-P2.
The validation failure is caused by bind not finding 0.pasilehto.fi
The text was updated successfully, but these errors were encountered: