Spurious "TYPE65534" at the end of a NSEC3, why?

Stephane Bortzmeyer bortzmeyer at nic.fr
Sun Feb 13 10:07:31 UTC 2011


Here is a master server BIND 9.7.1-P2 (with patches for PKCS#11 and
the AEP keyper HSM), with DNSSEC enabled, dynamically signing
records. Most of the time, the typical NSEC3 looks like ('dig +dnssec
@a.nic.fr A www.toto.fr' if you want to see it):

meqimi6fje5ni47pjahv5qigu1lv3jlj.fr. 5400 IN NSEC3 1 1 1 BADFE11A O5SMCS6CUNUQC5RFJ6S94TGGRFH1TVC7 NS SOA TXT NAPTR RRSIG DNSKEY NSEC3PARAM

The list of NS records is sound. But from time to time, we see BIND
producing strange NSEC3 records like:

meqimi6fje5ni47pjahv5qigu1lv3jlj.fr. 5400 IN NSEC3 1 1 1 BADFE11A O5SMCS6CUNUQC5RFJ6S94TGGRFH1TVC7 NS SOA TXT NAPTR RRSIG DNSKEY NSEC3PARAM  TYPE65534

Note the TYPE65534, which I cannot explain. Grepping bind-users
archives, or googling, reveals that other persons saw them but I did
not find a final explanation.

When this happens, the signature:

meqimi6fje5ni47pjahv5qigu1lv3jlj.fr. 5400 IN RRSIG NSEC3 8 2 5400 20110408081500 20110207081500 2331 fr. OFDRwZAgzDT1y8fTJ1XCfHlajEAHzqk2dsJaCR1TSednnBSEkctIUP6AsZuD+EOZtEPCM2Oe3cI/fG2GfA1nAUDaS1INN3I6YRpB3n2/oCfKBvs68fvCexBOIgz+oc74VrPvjDtPkVyGbJ5ImSlwu8Uc8rTXKh47CdS0AdJLmso=

is flagged as invalid by a BIND ('meqimi6fje5ni47pjahv5qigu1lv3jlj.fr
NSEC3: no valid signature found') or an Unbound resolver ('debug:
verify: signature mismatch'). I fancy that the spurious TYPE65534 may have
been added after the signing.

The problem occurred twice
<http://operations.afnic.fr/en/2011/02/12/dnssec-validating-resolving-issue.html>
and, at least in the second case, it was when updating a DNSKEY record
(an old ZSK was retired).

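As an added example (not part of the original post and not BIND's own code), the following Python parses dig-style NSEC3 lines, encodes their type bitmap in the window-block format that RFC 4034 section 4.1.2 defines and RFC 5155 section 3.2.1 reuses for NSEC3, and flags any type code in the IANA private-use range 65280-65534. The two NSEC3 lines are the ones quoted above, embedded as constructed input; the mnemonic table, the `check_lines` helper and the private-use range check are assumptions of this example, not something the post describes. It shows why a resolver must reject the signature: the extra TYPE65534 adds an entire window block to the RDATA, so an RRSIG computed over the bitmap without it cannot verify.

```python
"""Type-bitmap check for NSEC3 records in dig presentation format.

Added example; not code from the original post or from BIND.
"""
import re

# Mnemonic -> type code for the types seen in this zone's NSEC3 records
# (constructed subset of the IANA registry; anything else must be TYPEnnn).
TYPE_CODES = {
    "A": 1, "NS": 2, "SOA": 6, "TXT": 16, "AAAA": 28, "NAPTR": 35,
    "DS": 43, "RRSIG": 46, "NSEC": 47, "DNSKEY": 48, "NSEC3": 50,
    "NSEC3PARAM": 51,
}
# IANA private-use RR type range (RFC 6895 section 3.1); TYPE65534 is in it.
PRIVATE_USE = range(65280, 65535)

# The two NSEC3 lines from the post, plus its RRSIG line (constructed sample input).
SAMPLE_LINES = [
    "meqimi6fje5ni47pjahv5qigu1lv3jlj.fr. 5400 IN NSEC3 1 1 1 BADFE11A "
    "O5SMCS6CUNUQC5RFJ6S94TGGRFH1TVC7 NS SOA TXT NAPTR RRSIG DNSKEY NSEC3PARAM",
    "meqimi6fje5ni47pjahv5qigu1lv3jlj.fr. 5400 IN NSEC3 1 1 1 BADFE11A "
    "O5SMCS6CUNUQC5RFJ6S94TGGRFH1TVC7 NS SOA TXT NAPTR RRSIG DNSKEY NSEC3PARAM  TYPE65534",
    "meqimi6fje5ni47pjahv5qigu1lv3jlj.fr. 5400 IN RRSIG NSEC3 8 2 5400 "
    "20110408081500 20110207081500 2331 fr. OFDRwZAg...(truncated)",
]


def type_code(mnemonic):
    """Map a presentation-format type (mnemonic or TYPEnnn, RFC 3597) to its code."""
    m = re.fullmatch(r"TYPE(\d+)", mnemonic)
    if m:
        return int(m.group(1))
    return TYPE_CODES[mnemonic]


def parse_nsec3(line):
    """Split one dig NSEC3 line into its RDATA fields; types are returned as sorted codes."""
    f = line.split()
    if len(f) < 9 or f[3] != "NSEC3":
        raise ValueError("not an NSEC3 record: " + line)
    return {
        "owner": f[0], "ttl": int(f[1]),
        "hash_alg": int(f[4]), "flags": int(f[5]), "iterations": int(f[6]),
        "salt": f[7], "next_hash": f[8],
        "types": sorted(type_code(t) for t in f[9:]),
    }


def encode_type_bitmap(codes):
    """Wire-format type bitmap: one (window, length, bitmap) block per 256-type window."""
    windows = {}
    for c in sorted(set(codes)):
        win, low = c >> 8, c & 0xFF
        bits = windows.setdefault(win, bytearray(32))
        bits[low >> 3] |= 0x80 >> (low & 7)  # bit 0 is the most significant bit
    out = bytearray()
    for win in sorted(windows):
        bits = windows[win]
        length = 32
        while length > 1 and bits[length - 1] == 0:  # trailing zero octets are omitted
            length -= 1
        out += bytes([win, length]) + bytes(bits[:length])
    return bytes(out)


def private_use_types(codes):
    """Type codes that fall in the private-use range and should never appear in a public zone's bitmap."""
    return [c for c in codes if c in PRIVATE_USE]


def check_lines(lines):
    """Scan dig output; return (owner, [private-use codes]) for every NSEC3 that carries one."""
    findings = []
    for line in lines:
        f = line.split()
        if len(f) > 3 and f[3] == "NSEC3":
            rec = parse_nsec3(line)
            bad = private_use_types(rec["types"])
            if bad:
                findings.append((rec["owner"], bad))
    return findings


if __name__ == "__main__":
    good = encode_type_bitmap(parse_nsec3(SAMPLE_LINES[0])["types"])
    bad = encode_type_bitmap(parse_nsec3(SAMPLE_LINES[1])["types"])
    print("normal bitmap  :", good.hex(), f"({len(good)} octets)")
    print("spurious bitmap:", bad.hex(), f"({len(bad)} octets)")
    print("signed RDATA identical:", good == bad)
    for owner, codes in check_lines(SAMPLE_LINES):
        print(f"{owner}: private-use type(s) in NSEC3 bitmap: {codes}")
```

Run against live `dig +dnssec` output, the last loop is the check a monitoring job would apply: any private-use type code in a published NSEC3 bitmap means the record being served is not the one that was signed (or was signed with extra state mixed in), and a validating resolver will fail the zone's negative answers before anyone files a ticket.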