Incomplete NXDOMAIN proofs with QTYPE=DS

When asking for DS, in some cases the NXDOMAIN proof is missing one NSEC3 record, so the result can’t be validated. I tried sending queries to the auths and that seemed OK (but even if it weren’t, your validator should’ve stopped them).

Bad example:

$ kdig +dnssec @1.1.1.1 foobar1.com DS
;; ->>HEADER<<- opcode: QUERY; status: NXDOMAIN; id: 29994
;; Flags: qr rd ra; QUERY: 1; ANSWER: 0; AUTHORITY: 6; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 1452 B; ext-rcode: NOERROR

;; QUESTION SECTION:
;; foobar1.com.                 IN      DS

;; AUTHORITY SECTION:
com.                    900     IN      SOA     a.gtld-servers.net. nstld.verisign-grs.com. 1592507371 1800 900 604800 86400
com.                    900     IN      RRSIG   SOA 8 1 900 20200625190931 20200618175931 39844 com. L1XJi57ho79cr14xAHYmwwT4Fy5EXu0CLvJ2J+xACZERglv1N17daZtoM2cvrIoJ+o8h7Dr0VrYWD65Nr364h8SPQwDErJItvTxcu9dirIDXxu1qH/3A19r7PcAR/385+oceIrqyfn1sl1pWRZyWeFqFqdhCSwl5KXNOWhAoZRozMqWppLaw6anY8ggmbn/OWNYTB00iJoOuLo2e6jxFmg==
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400     IN      NSEC3   1 1 0 - ck0q1gin43n1arrc9osm6qpqr81h5m9a NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400     IN      RRSIG   NSEC3 8 2 86400 20200622045046 20200615034046 39844 com. OLPgfhLK4QA/xRT8LcZWDUnZUYCo5ZtY8/AHtz/LrhFFcPfOEWwrmKWyp+pOgcRoNimQKfv6Ty6t99PU53X4Yr1QsUPq6h44RyWrLnr2/KXv6ezAKSgor/z4SmHmJH+GjbcPIBLr320tcl/LCDzVaLW6BKf9T0ABvEnRasE4B6a/MU3kyV8nQSOIrrI8+lCPYl+SabU71WuyafcLTmrUMA==
AIA0LF6ELSDTDVPURTP9IPH3EO1E3B3L.com. 86400     IN      NSEC3   1 1 0 - aia15s229oap6kelvoe9rmp8b6vm5v62 NS DS RRSIG
AIA0LF6ELSDTDVPURTP9IPH3EO1E3B3L.com. 86400     IN      RRSIG   NSEC3 8 2 86400 20200625054846 20200618043846 39844 com. c2iELrL9CfK7tXUoZfU1o5YTZYUPHnU5GgNfJlrRDtEoualqi7kCF0sLoRb3ptlWXuVDLg4HDtntIuQZZGdAnwww3/PihQZokGm6tM6lkOVxGvOECBOZjQvShh37/2f/dkQhI9p3gVe7chIgG5KwkTdT4GEKx1Y7+3pJUXT+CLxRqsHGAMlIqbKoXgjn+b6BzGsuBuDz+adq8SwVGFEhdA==

;; Received 860 B
;; Time 2020-06-18 21:09:55 CEST
;; From 1.1.1.1@53(UDP) in 32.6 ms

Now if I change the QTYPE, the proof is correct (it’s NXDOMAIN, so the proof would be the same):

$ kdig +dnssec @1.1.1.1 foobar1.com
;; ->>HEADER<<- opcode: QUERY; status: NXDOMAIN; id: 61223
;; Flags: qr rd ra; QUERY: 1; ANSWER: 0; AUTHORITY: 8; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 1452 B; ext-rcode: NOERROR

;; QUESTION SECTION:
;; foobar1.com.                 IN      A

;; AUTHORITY SECTION:
com.                    900     IN      SOA     a.gtld-servers.net. nstld.verisign-grs.com. 1592507386 1800 900 604800 86400
com.                    900     IN      RRSIG   SOA 8 1 900 20200625190946 20200618175946 39844 com. ZfsO24v4EzrP/KTU1ALxyNMc+WXNU8GZ0VFKw3xp48E/Th30PgLhjv5RBnBFJbW5HOpi+/Ms+D3MsclftHd5XM8exFzamv4cODA0IQdFGwwmihKVXz8vzoAx6ehxQxml1GnU7SEYkjACfDhGICJMV92SmVr9hQI9WUPmjJpd08jJKU3eUzJVbG4PIAm6HIrqfdl2lUXRUm8HhlcEegE4vw==
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400     IN      NSEC3   1 1 0 - ck0q1gin43n1arrc9osm6qpqr81h5m9a NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400     IN      RRSIG   NSEC3 8 2 86400 20200622045046 20200615034046 39844 com. OLPgfhLK4QA/xRT8LcZWDUnZUYCo5ZtY8/AHtz/LrhFFcPfOEWwrmKWyp+pOgcRoNimQKfv6Ty6t99PU53X4Yr1QsUPq6h44RyWrLnr2/KXv6ezAKSgor/z4SmHmJH+GjbcPIBLr320tcl/LCDzVaLW6BKf9T0ABvEnRasE4B6a/MU3kyV8nQSOIrrI8+lCPYl+SabU71WuyafcLTmrUMA==
AIA0LF6ELSDTDVPURTP9IPH3EO1E3B3L.com. 86400     IN      NSEC3   1 1 0 - aia15s229oap6kelvoe9rmp8b6vm5v62 NS DS RRSIG
AIA0LF6ELSDTDVPURTP9IPH3EO1E3B3L.com. 86400     IN      RRSIG   NSEC3 8 2 86400 20200625054846 20200618043846 39844 com. c2iELrL9CfK7tXUoZfU1o5YTZYUPHnU5GgNfJlrRDtEoualqi7kCF0sLoRb3ptlWXuVDLg4HDtntIuQZZGdAnwww3/PihQZokGm6tM6lkOVxGvOECBOZjQvShh37/2f/dkQhI9p3gVe7chIgG5KwkTdT4GEKx1Y7+3pJUXT+CLxRqsHGAMlIqbKoXgjn+b6BzGsuBuDz+adq8SwVGFEhdA==
3RL2Q58205687C8I9KC9MV46DGHCNS45.com. 86400     IN      NSEC3   1 1 0 - 3rl3odp8d910939i655b97gaqu6ve1q7 NS DS RRSIG
3RL2Q58205687C8I9KC9MV46DGHCNS45.com. 86400     IN      RRSIG   NSEC3 8 2 86400 20200625053627 20200618042627 39844 com. r2NopSNaDpArB5aClsjS3KJss/BXfGjI6v2aMTde+kIzPo78yPYcD6IcqJEHih71fvYpMivrILO1Yl1x4C4A0bJWyl2CHWrpj/T0WPA+YUtR+P5mThn93N45aKXXTkPuMAr51a9+HMSrcQQtHJA9FLzdi0bTdRTpGdgZ3b3D1V/+SO3A31/vtSpnaeYP9hiqMgMP/kNcGk4lbuyV7RcLwQ==

;; Received 1134 B
;; Time 2020-06-18 21:09:58 CEST
;; From 1.1.1.1@53(UDP) in 29.6 ms
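
Added example (not part of the original post, and not 1.1.1.1's or any validator's code): a small Python checker that recomputes the NSEC3 hashes with the parameters the records carry (`1 1 0 -`: SHA-1, Opt-Out set, 0 iterations, empty salt) and reports which of the three parts of an NSEC3 NXDOMAIN proof (RFC 5155 §8.4: a match for the closest encloser, a cover for the next closer name, and a cover for the wildcard at the closest encloser) a response is missing. The NSEC3 owner/next pairs are copied from the two kdig responses above; the function names are my own, and RRSIG validity and the Opt-Out flag are deliberately out of scope, since the thread is about the record set being incomplete, not about signatures.

```python
import base64
import hashlib

# NSEC3 owner names use base32hex (RFC 4648 s7); Python's b32encode uses the
# RFC 4648 s6 alphabet, so translate between the two. Both preserve byte order.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name):
    """Canonical wire format of a domain name: lowercased, length-prefixed
    labels, terminated by the empty root label (RFC 4034 s6.2)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name, salt=b"", iterations=0):
    """RFC 5155 s5: IH(0) = H(name || salt), IH(k) = H(IH(k-1) || salt),
    H = SHA-1 (hash algorithm 1), result rendered in uppercase base32hex."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX)


def covers(owner_hash, next_hash, h):
    """True if hash h lies strictly between an NSEC3's owner and next hash.
    The last NSEC3 in the chain wraps around to the first (next < owner)."""
    o, n, h = owner_hash.upper(), next_hash.upper(), h.upper()
    if o < n:
        return o < h < n
    return h > o or h < n


def ancestors(qname):
    """qname, its parent, ..., up to and including the root '.'"""
    labels = qname.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels) + 1)]


def check_nxdomain_proof(qname, nsec3_records, salt=b"", iterations=0):
    """Return the missing components of an NSEC3 NXDOMAIN proof (RFC 5155
    s8.4); an empty list means every required record is present.
    nsec3_records: list of (owner hash label, next hashed owner) pairs.
    Signatures and the Opt-Out flag are not checked here (assumption)."""
    names = ancestors(qname)
    hashes = {n: nsec3_hash(n, salt, iterations) for n in names}
    owners = {o.upper() for o, _ in nsec3_records}

    if hashes[names[0]] in owners:
        return [f"{qname} exists (an NSEC3 matches it), so this is not NXDOMAIN"]

    # 1. Closest encloser: nearest ancestor of qname with a *matching* NSEC3.
    ce = next((n for n in names[1:] if hashes[n] in owners), None)
    if ce is None:
        return ["closest encloser match"]

    missing = []
    # 2. Next closer name: one label below the closest encloser, must be *covered*.
    next_closer = names[names.index(ce) - 1]
    if not any(covers(o, n, hashes[next_closer]) for o, n in nsec3_records):
        missing.append(f"cover of next closer name {next_closer}")

    # 3. The wildcard at the closest encloser must be covered as well.
    wildcard = "*." + ce if ce != "." else "*."
    wc_hash = nsec3_hash(wildcard, salt, iterations)
    if not any(covers(o, n, wc_hash) for o, n in nsec3_records):
        missing.append(f"cover of wildcard {wildcard}")
    return missing


# (owner hash label, next hashed owner) pairs copied from the two responses
# above; NSEC3 params "1 1 0 -" = SHA-1, Opt-Out, 0 iterations, empty salt.
DS_RESPONSE_NSEC3 = [
    ("CK0POJMG874LJREF7EFN8430QVIT8BSM", "ck0q1gin43n1arrc9osm6qpqr81h5m9a"),
    ("AIA0LF6ELSDTDVPURTP9IPH3EO1E3B3L", "aia15s229oap6kelvoe9rmp8b6vm5v62"),
]
A_RESPONSE_NSEC3 = DS_RESPONSE_NSEC3 + [
    ("3RL2Q58205687C8I9KC9MV46DGHCNS45", "3rl3odp8d910939i655b97gaqu6ve1q7"),
]

if __name__ == "__main__":
    print("H(com.) =", nsec3_hash("com."))  # the com. apex NSEC3 owner above
    for label, recs in (("DS query", DS_RESPONSE_NSEC3), ("A query", A_RESPONSE_NSEC3)):
        print(label, "missing:", check_nxdomain_proof("foobar1.com.", recs) or "nothing")
```

Running it shows that the CK0P… record is the matching NSEC3 for the closest encloser `com.` (that hash is the well-known com. apex owner), and that with only the two records from the DS response exactly one of the two required covers (next closer name `foobar1.com.` or wildcard `*.com.`) cannot be found, which is why a validator has to treat that answer as bogus rather than as a proven NXDOMAIN.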

Thanks, I’ll take a look!

This should be fixed by now
