Spurious "TYPE65534" at the end of a NSEC3, why?

Stephane Bortzmeyer bortzmeyer at nic.fr
Sun Feb 13 13:36:05 UTC 2011


On Sun, Feb 13, 2011 at 11:07:31AM +0100,
 Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote 
 a message of 35 lines which said:

> is flagged as invalid by a BIND ('meqimi6fje5ni47pjahv5qigu1lv3jlj.fr
> NSEC3: no valid signature found') or an Unbound resolver ('debug:
> verify: signature mismatch'). I fancy that the spurious TYPE65534 may have
> been added after the signing.

I managed, by a lot of copy-and-paste from kept dig answers, to
reproduce the problem. Tests have been done with
<http://www.verisignlabs.com/dnssec-tools/>. When I use the NSEC3 with
TYPE65534, I get:

WARNING: Signature failed to verify RRset:
  rr:  meqimi6fje5ni47pjahv5qigu1lv3jlj.fr.     5400    IN      NSEC3
  1 1 1 BADFE11A O5SMCS6CUNUQC5RFJ6S94TGGRFH1TVC7 NS SOA TXT NAPTR
  RRSIG DNSKEY NSEC3PARAM TYPE65534

  sig: meqimi6fje5ni47pjahv5qigu1lv3jlj.fr.     5400    IN      RRSIG
  NSEC3 8 2 5400 20110408081500 20110207081500 2331
  fr. OFDRwZAgzDT1y8fTJ1XCfHlajEAHzqk2dsJaCR1TSednnBSEkctIUP6AsZuD+EOZtEPCM2Oe3cI/fG2GfA1nAUDaS1INN3I6YRpB3n2/oCfKBvs68fvCexBOIgz+oc74VrPvjDtPkVyGbJ5ImSlwu8Uc8rTXKh47CdS0AdJLmso=
Reason: Signature failed to verify cryptographically

If I remove the TYPE65534 by hand, leaving the signature intact, the
problem disappears.

% diff  fr-with-type65534 fr-with-type65534-removed 
4d3
< fr.                     0       IN      TYPE65534   \# 0 
25c24
< meqimi6fje5ni47pjahv5qigu1lv3jlj.fr. 5400 IN NSEC3 1 1 1 BADFE11A
O5SMCS6CUNUQC5RFJ6S94TGGRFH1TVC7 NS SOA TXT NAPTR RRSIG DNSKEY
NSEC3PARAM TYPE65534
---
> meqimi6fje5ni47pjahv5qigu1lv3jlj.fr. 5400 IN NSEC3 1 1 1 BADFE11A
> O5SMCS6CUNUQC5RFJ6S94TGGRFH1TVC7 NS SOA TXT NAPTR RRSIG DNSKEY
> NSEC3PARAM 

I also checked again that TYPE65534 is *not* served by BIND in the
normal situation, even when I dynamically update the zone and BIND
modifies the NSEC3 chain and the signatures.

So, it really seems there is a BIND bug here. I guess that the
TYPE65534 was wrongly added to the NSEC3 after it had been signed.

Many thanks to Gilles Massen for his help and ideas and solutions.
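[Editor's added example, not part of Stephane's message and not BIND or Verisign code.] The verifier output above says "failed to verify cryptographically" without saying why one extra type is fatal. The script below reconstructs the NSEC3 RDATA for both type lists shown in the diff and the data an RSA/SHA-256 RRSIG (algorithm 8) actually signs, using only the owner name, NSEC3 parameters and RRSIG fields quoted in the message. The key for fr. (key tag 2331) is not on this page, so it compares the SHA-256 hash input rather than checking the RSA signature itself; that is enough to show the point, since a signature over one hash input cannot verify over a different one. It also shows that TYPE65534 (the top of the private-use type range) lives in its own 256-type window of the bitmap, so it appends a whole 34-byte window block rather than flipping one bit in the existing one. The type numbers, base32hex alphabet and wire layouts are from RFC 4034, RFC 4648 and RFC 5155; everything else (function names, the `compare()` helper) is illustrative.

```python
"""Why a type added to a signed NSEC3 breaks its RRSIG (added example)."""
import calendar
import hashlib
import struct
import time

# Type mnemonics used in the post's NSEC3 bitmap (IANA-assigned values).
RRTYPE = {"NS": 2, "SOA": 6, "TXT": 16, "NAPTR": 35, "RRSIG": 46,
          "DNSKEY": 48, "NSEC3": 50, "NSEC3PARAM": 51}


def rrtype_value(mnemonic):
    """Presentation-format type to its number; TYPEnnnn is the generic form."""
    m = mnemonic.upper()
    return int(m[4:]) if m.startswith("TYPE") else RRTYPE[m]


def type_bitmap(types):
    """RFC 4034 section 4.1.2 encoding: one (window, length, bitmap) block per
    256-type window that has a bit set, with trailing zero octets dropped."""
    windows = {}
    for t in sorted(types):
        win, low = divmod(t, 256)
        windows.setdefault(win, bytearray(32))[low // 8] |= 0x80 >> (low % 8)
    out = b""
    for win in sorted(windows):
        bits = bytes(windows[win]).rstrip(b"\x00")
        out += bytes([win, len(bits)]) + bits
    return out


def base32hex_decode(text):
    """Base32 with the extended-hex alphabet (RFC 4648 section 7), the form
    NSEC3 uses for hashed owner names; written out so the script does not
    need Python 3.10's base64.b32hexdecode."""
    alphabet = "0123456789ABCDEFGHIJKLMNOPQRSTUV"
    acc = nbits = 0
    out = bytearray()
    for ch in text.upper().rstrip("="):
        acc = (acc << 5) | alphabet.index(ch)
        nbits += 5
        if nbits >= 8:
            nbits -= 8
            out.append((acc >> nbits) & 0xFF)
            acc &= (1 << nbits) - 1
    return bytes(out)


def wire_name(name):
    """Canonical (lower-case, uncompressed) wire form of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_rdata(hash_alg, flags, iterations, salt_hex, next_hashed, types):
    """RFC 5155 section 3.2 NSEC3 RDATA wire format."""
    salt = bytes.fromhex(salt_hex)
    nxt = base32hex_decode(next_hashed)
    return (struct.pack("!BBH", hash_alg, flags, iterations)
            + bytes([len(salt)]) + salt + bytes([len(nxt)]) + nxt
            + type_bitmap(rrtype_value(t) for t in types))


def rrsig_time(yyyymmddhhmmss):
    return calendar.timegm(time.strptime(yyyymmddhhmmss, "%Y%m%d%H%M%S"))


def rrsig_digest(owner, rdata, sig_fields):
    """SHA-256 over what an RSA/SHA-256 RRSIG (algorithm 8, RFC 5702) signs:
    the RRSIG RDATA minus the signature field, then the canonical RRset
    (RFC 4034 section 3.1.8).  The RRset here is the single NSEC3 RR."""
    covered, alg, labels, ttl, exp, inc, keytag, signer = sig_fields
    prefix = struct.pack("!HBBIIIH", covered, alg, labels, ttl,
                         rrsig_time(exp), rrsig_time(inc), keytag) + wire_name(signer)
    rr = wire_name(owner) + struct.pack("!HHIH", covered, 1, ttl, len(rdata)) + rdata
    return hashlib.sha256(prefix + rr).hexdigest()


# Values copied from the post: the NSEC3 for the hashed name and its RRSIG.
OWNER = "meqimi6fje5ni47pjahv5qigu1lv3jlj.fr."
NSEC3_PARAMS = (1, 1, 1, "BADFE11A", "O5SMCS6CUNUQC5RFJ6S94TGGRFH1TVC7")
SIGNED_TYPES = ["NS", "SOA", "TXT", "NAPTR", "RRSIG", "DNSKEY", "NSEC3PARAM"]
SERVED_TYPES = SIGNED_TYPES + ["TYPE65534"]
# type covered, alg, labels, original TTL, expiration, inception, key tag, signer
RRSIG_FIELDS = (RRTYPE["NSEC3"], 8, 2, 5400, "20110408081500", "20110207081500", 2331, "fr.")


def compare():
    """Build both RDATA variants and the hash input the RRSIG covers for each."""
    signed = nsec3_rdata(*NSEC3_PARAMS, SIGNED_TYPES)
    served = nsec3_rdata(*NSEC3_PARAMS, SERVED_TYPES)
    return {
        # TYPE65534 sits in window 255, so it is appended as a new block.
        "extra_bytes": served[len(signed):] if served.startswith(signed) else None,
        "digest_signed": rrsig_digest(OWNER, signed, RRSIG_FIELDS),
        "digest_served": rrsig_digest(OWNER, served, RRSIG_FIELDS),
    }


if __name__ == "__main__":
    r = compare()
    print("bytes appended to the signed RDATA:", r["extra_bytes"].hex())
    print("hash input as signed:", r["digest_signed"])
    print("hash input as served:", r["digest_served"])
```

Running it prints the 34 bytes the extra type adds (window 255, length 32, bit for type 65534 set in the last octet) and two different SHA-256 values; the RRSIG in the post was computed over the first, so a validator hashing the served RRset gets the second and reports exactly the "signature mismatch" / "no valid signature found" seen in BIND and Unbound. The same bitmap code also explains why removing the type by hand, as in the diff, restores the original RDATA byte for byte.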


