auth: Bind fails to validate insecure delegation with NSEC enabled #1289
Comments
|
Unbound has no trouble with the full query and correctly concludes Insecure - but when you ask it for 0.pasilehto.fi it claims "NameError response has failed to prove: covering wildcard does not exist" |
|
While this smells like a bug in both Unbound and BIND, it is statistically likely to still be our fault. |
|
Problem seems to fix itself once non-terminals are added. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
When there is a long delegation, such as (real life examples)
1.0.0.0.1.0.0.0.pasilehto.fi.
and
0.0.0.0.1.0.0.0.pasilehto.fi.
Then BIND recursor fails to validate f.ex.
5.2.0.0.0.1.0.0.0.0.0.0.0.0.0.0.1.0.0.0.1.0.0.0.pasilehto.fi
or
5.2.0.0.0.1.0.0.0.0.0.0.0.0.0.0.1.0.0.0.0.0.0.0.pasilehto.fi
So far tested, bind 9.9.3-P2, and 9.9.4-P2.
The validation failure is caused by bind not finding 0.pasilehto.fi
The text was updated successfully, but these errors were encountered: