"expected a exact match NSEC3, got a covering record"

Mark Andrews Mark_Andrews at isc.org
Mon May 25 00:14:47 UTC 2009 

In message <20090524194358.GA21157 at frell.ambush.de>, Hauke Lampe writes:
> Hello.
> 
> I run a NSEC3-signed zone with many dynamic updates per day where 
> mailservers add RBL records and an hourly cronjob removes old entries.
> 
> Several times a day I see queries for nonexistent names in the zone fail.
> A typical query might start like this:
> 
> | resolver: debug 1: createfetch: 17.245.207.216.spamtraps.bl.openchaos.org A
> | resolver: debug 1: createfetch: spamtraps.bl.openchaos.org DNSKEY
> | resolver: debug 1: createfetch: 216.spamtraps.bl.openchaos.org DS
> 
> The authoritative server then logs
> 
> | dnssec: warning: client 85.10.240.254#63666: view authoritative: expected a exact match NSEC
> 3, got a covering record


> the resolver complains
> 
> | lame-servers: info: no valid RRSIG resolving '216.spamtraps.bl.openchaos.org/DS/IN': 213.9.7
> 3.106#53
> | lame-servers: info: no valid DS resolving '17.245.207.216.spamtraps.bl.openchaos.org/A/IN': 
> 213.9.73.106#53
> 
> and returns SERVFAIL.
> 
> The failing names vary over time, as records are added and deleted.
> 
> A snapshot of the zone can be downloaded from 
> https://www.hauke-lampe.de/temp/spamtrapsbl-20090523.zone (although its 
> RRSIGs expire soon), that, loaded into another BIND 9 server, shows the same 
> problem as on my authoritative servers when queried for 
> 17.245.207.216.spamtraps.bl.openchaos.org. So I don't think it has to do 
> with caching of NSEC3 records as I suspected at first.

; <<>> DiG 9.6.1rc1 <<>> +dnssec 216.spamtraps.bl.openchaos.org DS @nsig3.hauke-lampe.de
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37840
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;216.spamtraps.bl.openchaos.org.	IN	DS

;; AUTHORITY SECTION:
spamtraps.bl.openchaos.org. 64	IN	SOA	nsig3.hauke-lampe.de. hostmaster.hauke-lampe.de. 572308 3642 7123 3600000 64
spamtraps.bl.openchaos.org. 64	IN	RRSIG	SOA 7 4 64 20090528000252 20090524230252 15572 spamtraps.bl.openchaos.org. mV3xGVACjP+AoqM2V2y9SHA14JCPA8mfMcrzjrwoV2cDbxp1eiXyQCl5 CEnxYdXTO23hDuyAWGxwuJUjUrOucWWgbUy2Qlbhkz2i/URLlC78H3iE tNizcxkJm2agt1PYvKRZ5r0xVKGGVKwCSN/QHq4dV41RTf5Wfq5zn1h8 mUk=
6L37ENRJ8BJ0PN8JQVTM4DIQI2U5O9UC.spamtraps.bl.openchaos.org. 64	IN NSEC3 1 0 100 7CE55460E7151E99FE4044321D705881FED8A602E8CD861EA89394E8814459964402E98530F8ACB5DC166E5068653D6AA8D1C7D030E753A2D545BB5C6B84B1DF 6LCAJDAMT1M3EG0P1JA8P4L1PCN2VF71
6L37ENRJ8BJ0PN8JQVTM4DIQI2U5O9UC.spamtraps.bl.openchaos.org. 64	IN RRSIG NSEC3 7 5 64 20090527232409 20090524222409 15572 spamtraps.bl.openchaos.org. l9saVQaI1UYOf0OytUrZRLswkVuM/YRCQUpxYERDovDVqaAySHMcNqIF E6bbqUZXw6jfkoQnIdXfoTpr68d3ga+LeDYg8ikh/yrmyVYxco7bv+a2 zLv8eSjnchXVeqXWhQ/OizKV/7OHPYrDp7PBazwmSvn8uX6E/NQl3AFa z38=

;; Query time: 322 msec
;; SERVER: 213.9.73.106#53(213.9.73.106)
;; WHEN: Mon May 25 10:02:58 2009
;; MSG SIZE  rcvd: 633

drugs:tests 10:03 {2703} % ./nsec3hash 7CE55460E7151E99FE4044321D705881FED8A602E8CD861EA89394E8814459964402E98530F8ACB5DC166E5068653D6AA8D1C7D030E753A2D545BB5C6B84B1DF 1 100 216.spamtraps.bl.openchaos.org
6L4MLDH19VC0EEJF4O0NQRB62ENOG4GE (salt=7CE55460E7151E99FE4044321D705881FED8A602E8CD861EA89394E8814459964402E98530F8ACB5DC166E5068653D6AA8D1C7D030E753A2D545BB5C6B84B1DF, hash=1, iterations=100)
drugs:tests 10:03 {2704} % 

The error messages matches what it being returned.  6L4MLDH19VC0EEJF4O0NQRB62ENOG4GE is 
between 6L37ENRJ8BJ0PN8JQVTM4DIQI2U5O9UC and 6LCAJDAMT1M3EG0P1JA8P4L1PCN2VF71 and there
is no OPTOUT flag bit set.

Now 216.spamtraps.bl.openchaos.org is a empty node so it is possible that you have found a bug
in the generation of the NSEC3 chain.

I would add data at 216.spamtraps.bl.openchaos.org or switch to using NSEC while this is
investigated.
 
Mark

> I have tested this with several versions of BIND 9 (9.5.1-P1, 9.6.0, 
> 9.6.1b1/rc1) on the authoritative side as well as BIND (9.5.1-P1, 9.6.1b1) 
> and Unbound 1.2.1 resolving.
> 
> What could be the cause of these failures?
> 
> 
> Hauke.
> 
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org

More information about the bind-users mailing list