Is BIND9 DNSSEC validation too strict?

Daniel Stirnimann daniel.stirnimann at switch.ch
Tue Oct 11 09:06:18 UTC 2016


Dear all,

BIND9 (and not Unbound, PowerDNS Recursor, Google Public DNS) is failing
to validate the following non-existent domain name:

dig @184.105.193.73 ABCD._openpgpkey.posteo.de A +dnssec

; <<>> DiG 9.8.3-P1 <<>> @184.105.193.73 ABCD._openpgpkey.posteo.de A +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 27284
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;ABCD._openpgpkey.posteo.de.	IN	A

;; Query time: 3549 msec
;; SERVER: 184.105.193.73#53(184.105.193.73)
;; WHEN: Tue Oct 11 10:58:45 2016
;; MSG SIZE  rcvd: 55

The above test has been done on the DNS-OARC [1] open resolver but I get
the same result on my local BIND9.
[1] https://www.dns-oarc.net/oarc/services/odvr

I believe the reason for the validation error for the above domain name
is an obsolete NSEC3 record from the authoritative name server of
_openpgpkey.posteo.de:

dig @185.67.36.41 ABCD._openpgpkey.posteo.de ANY +dnssec
;; Truncated, retrying in TCP mode.

; <<>> DiG 9.8.3-P1 <<>> @185.67.36.41 ABCD._openpgpkey.posteo.de ANY +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 751
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;ABCD._openpgpkey.posteo.de.	IN	ANY

;; AUTHORITY SECTION:
_openpgpkey.posteo.de.	300	IN	SOA	ns01a.posteo-dns.de. hostmaster.posteo.de. 1476148232 7200 1800 3542400 3600
_openpgpkey.posteo.de.	300	IN	RRSIG	SOA 8 3 300 20161020000000 20160929000000 39156 _openpgpkey.posteo.de.
mtJ6uTTodTwWtl8k7COvcXRAPBqE1X3mZHMSU7vaaXy84uAucNIAncT+
9+e9rn0CcKhG+iOe9YWXPQe3dbzv08IAd3NjvwipE6sasIqFbV3rag6K
gbYJPSXcVKL6qI+LQaIgf1hT+J+IbfwiJOFz+VH4/ydGvgOnx2fhcYHe
GJNbMtRxgzewgRvP/3wplJi9K5g4fteE0AL37Iv622XU5j0HeySVondg
WL8Qd2Q9PVzqFNo2RRft11uo4m42iwNVDoaeJW1tv17K0KtZ2YhGkvOy
1o7D0PiY16/qYimjIacHrQddQ0urO/81Hu6L3iSwDGHCQc53lh259l+u OCiIzg==
4aibkdjvtss07hsoloi1fslaf8p9uo5p._openpgpkey.posteo.de.	3600 IN	NSEC3 1 0 250 1163B90DC54B41E0 U8Q7VA83M9L20BMQQS8DMRS75CC5B6C2 NS SOA RRSIG DNSKEY NSEC3PARAM
4aibkdjvtss07hsoloi1fslaf8p9uo5p._openpgpkey.posteo.de.	3600 IN	RRSIG NSEC3 8 4 3600 20161020000000 20160929000000 39156 _openpgpkey.posteo.de.
liJ1qtI+iQxHNPsdtS4X7hKnRDqiXqR3Cwhhb5L0hgu1Lrlqsr2Wn0yI
Gh9R7IP5Fuq6zEG3EpiWWxGhrTbsIZFZoOxNxA6GkjjEDShUZgTQw0T8
MhtlBylcrkNr0vRSoUPMxMh7iAYaldBpRGcrbQTGbygtzyqdQuFhM5cP
OvrRHrK7Ajs561me4Da3NPGdkTPFMd38bCU0zeyH1585t8SKCc1SdZt9
fdx4g4+pK/slv1yeTSA9iZ8QeL1bSdDqI4BTzgSpqlJ+eUn41C/P1SLf
yOdLqz9f/580W3/66lSJ70SiaJwySJKLBlYTAW57+0xCea5MTxAkD016 j4Nl/g==
u8q7va83m9l20bmqqs8dmrs75cc5b6c2._openpgpkey.posteo.de.	3600 IN	NSEC3 1 0 250 1163B90DC54B41E0 U8Q7VA83M9L20BMQQS8DMRS75CC5B6C2 NS SOA RRSIG DNSKEY NSEC3PARAM
u8q7va83m9l20bmqqs8dmrs75cc5b6c2._openpgpkey.posteo.de.	3600 IN	RRSIG NSEC3 8 4 3600 20161020000000 20160929000000 39156 _openpgpkey.posteo.de.
Z0GoiBrWk9prhWLMZlZReKvDJEAt3UIxdW1qA7IMAWCv+5ahCwsM1IFG
5p1jPR4QSKwBDuB9ypYsNQMhtATN1EsieCxfwfWJbbUeHuJXD48EFIYl
ccHI40Ez6HNleF1nUlVCnme7+yW8JotS5cD6ojyiG8huuUOA0wrTs/bx
U28jvPVfuPpt9ZPZuehfp7A1HOq4IlK32LtAqPWJQ/Cve0DWKuv/HQOv
uAKenko9j+pFN8N4s61j9TC7ebFTNwD0QXhinvQ1aU1O5DrNj4PFb7ON
8CgApOtU36Fj1cXgt2ZeCqAWF+5Jahtefz6CJnedpVfxq4ohWAyhXf6Z ho+OjA==

;; Query time: 36 msec
;; SERVER: 185.67.36.41#53(185.67.36.41)
;; WHEN: Tue Oct 11 10:51:28 2016
;; MSG SIZE  rcvd: 1222

The last NSEC3 record seems rather strange to me:
u8q7va83m9l20bmqqs8dmrs75cc5b6c2._openpgpkey.posteo.de.	3600 IN	NSEC3 1 0 250 1163B90DC54B41E0 U8Q7VA83M9L20BMQQS8DMRS75CC5B6C2 NS SOA RRSIG DNSKEY NSEC3PARAM

That looks like a loop! Apart from that, the first NSEC3 record already
proved that the domain does not exist.

I'm not entirely sure this is the reason BIND9 fails to validate this
record. However, given that other recursive name servers resolve this
domain name, I'm wondering if BIND9 is validating too strictly?

Thank you,
Daniel
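What a validator has to do with those two NSEC3 records is the RFC 5155 NXDOMAIN proof: hash the query name and each of its ancestors with the zone's salt and iteration count, find the closest encloser (an ancestor whose hash matches an NSEC3 owner), and check that both the next closer name and the wildcard under the closest encloser are covered by some record's (owner, next) interval. The Python below, which is an added example and not code from the post, from BIND or from any of the other resolvers named, implements that hashing and proof; the constructed zone in main() and its salt are my own, while the posteo salt, iteration count and the two hashed owner names are copied from the dig output above. The covering check treats a record whose Next Hashed Owner Name equals its own hash as the one-record chain that RFC 5155 section 7.1 describes for a zone containing only the apex (it covers every hash except its own); whether a given resolver accepts such a record is not something the code decides. Running main() also prints the actual hash of the apex _openpgpkey.posteo.de under those parameters, which shows which of the two owner names is the current apex record.

```python
"""NSEC3 hashing and the NXDOMAIN closest-encloser proof of RFC 5155.

Added example, not code from the post or from BIND. The zones in main()
and the aabbccdd salt are constructed; the posteo parameters and owner
names are taken from the dig output in the post.
"""
import base64
import hashlib

# base32hex (RFC 4648 s.7): encoded strings sort in the same order as the raw hashes.
_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                        "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def canon(name: str) -> str:
    """Lowercase, no trailing dot ('Example.' -> 'example')."""
    return name.lower().rstrip(".")


def wire_name(name: str) -> bytes:
    """Canonical wire-format owner name (RFC 4034 s.6.2)."""
    labels = [l for l in canon(name).split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 s.5: IH(0) = H(name || salt), IH(k) = H(IH(k-1) || salt), H = SHA-1."""
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32HEX).lower()


def covers(owner_hash: str, next_hash: str, target_hash: str) -> bool:
    """True if the NSEC3 (owner, next) proves that no name hashes to target_hash.

    owner < next is the normal case. owner >= next is the last record of the
    chain wrapping round to the first; owner == next is the one-record chain
    of a zone whose only name is the apex (RFC 5155 s.7.1), which covers
    every hash except its own.
    """
    o, n, t = owner_hash.lower(), next_hash.lower(), target_hash.lower()
    if o < n:
        return o < t < n
    return t != o and (t > o or t < n)


def build_chain(names, salt_hex, iterations):
    """Constructed helper: the (owner, next) NSEC3 chain a signer would emit."""
    hashes = sorted(nsec3_hash(n, salt_hex, iterations) for n in names)
    return [(h, hashes[(i + 1) % len(hashes)]) for i, h in enumerate(hashes)]


def ancestors(qname: str, zone: str):
    """qname first, then each parent up to and including the zone apex."""
    q, z = canon(qname).split("."), canon(zone).split(".")
    if q[-len(z):] != z:
        raise ValueError(f"{qname} is not in zone {zone}")
    return [".".join(q[i:]) for i in range(len(q) - len(z) + 1)]


def prove_nxdomain(qname, zone, nsec3s, salt_hex, iterations):
    """RFC 5155 s.8.4 NXDOMAIN proof over a list of (owner_hash, next_hash).

    Returns the closest encloser if the records prove qname does not exist,
    otherwise None (name exists, gap not covered, or wildcard not ruled out).
    """
    names = ancestors(qname, zone)
    h = {n: nsec3_hash(n, salt_hex, iterations) for n in names}
    owners = {o.lower() for o, _ in nsec3s}
    if h[names[0]] in owners:
        return None  # an NSEC3 matching qname itself means the name exists
    for i in range(1, len(names)):
        if h[names[i]] not in owners:
            continue  # not the closest encloser, go one label up
        next_closer = h[names[i - 1]]
        wildcard = nsec3_hash("*." + names[i], salt_hex, iterations)
        if not any(covers(o, n, next_closer) for o, n in nsec3s):
            return None  # the name one label below the encloser is not proven absent
        if not any(covers(o, n, wildcard) for o, n in nsec3s):
            return None  # a wildcard could still synthesize an answer
        return names[i]
    return None  # no matching NSEC3, not even for the apex


def main():
    salt, iters = "aabbccdd", 12  # constructed signing parameters
    chain = build_chain(["example.", "a.example.", "w.example.", "x.w.example."], salt, iters)
    print("b.example ->", prove_nxdomain("b.example.", "example.", chain, salt, iters))
    print("a.example ->", prove_nxdomain("a.example.", "example.", chain, salt, iters))
    # The two records from the post: salt 1163B90DC54B41E0, 250 iterations,
    # the second one with Next Hashed Owner Name equal to its own hash.
    posteo = [("4aibkdjvtss07hsoloi1fslaf8p9uo5p", "u8q7va83m9l20bmqqs8dmrs75cc5b6c2"),
              ("u8q7va83m9l20bmqqs8dmrs75cc5b6c2", "u8q7va83m9l20bmqqs8dmrs75cc5b6c2")]
    print("apex hash ->", nsec3_hash("_openpgpkey.posteo.de.", "1163B90DC54B41E0", 250))
    print("ABCD._openpgpkey.posteo.de ->", prove_nxdomain(
        "ABCD._openpgpkey.posteo.de.", "_openpgpkey.posteo.de.", posteo, "1163B90DC54B41E0", 250))


if __name__ == "__main__":
    main()
```

The hash function can be checked against the RFC 5155 Appendix A zone, where the apex "example" with salt aabbccdd and 12 iterations hashes to 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom. For a real answer you would additionally verify the RRSIG over each NSEC3 before trusting it; the proof logic here assumes the records are already authenticated.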
