disable dnssec for particular domain

Tony Finch dot at dotat.at
Wed Feb 7 11:59:56 UTC 2018


Matus UHLAR - fantomas <uhlar at fantomas.sk> wrote:
>
> the name is "testa.eu".

OK, let's dig it (trimmed for relevance):

; <<>> DiG 9.13.0-dev <<>> +multiline +dnssec testa.eu
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 39666
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1

So we know two things from this: the domain doesn't exist, and it is not
an authenticated denial of existence - no AD flag. So you should be OK to
have a private testa.eu domain without DNSSEC validation problems.

Looking in the AUTHORITY section...

4EIKQ8ORL4U4NTG72QEDRA6P3NDA1UNC.eu. 589 IN NSEC3 1 1 1 5CA1AB1E (
                                4EIOQGMMDB0BP76VHHBDNVEN2UUNABGK
                                NS DS RRSIG )

$ NSEC3 1 1 1 5CA1AB1E *.eu
*.eu NSEC3 1 1 1 5CA1AB1E 4EIO9SO8DATCD8U1KI8ATQ6K5UTE1QCS

This NSEC3 record proves there is no wildcard (observe the hash from my
NSEC3 utility is lexically between the two hashes above).


GLIBHU0LF7IH1TGCCS68E3R5508AKBFR.eu. 589 IN NSEC3 1 1 1 5CA1AB1E (
                                GLIJ3PFD0FCA2FL8AJIASQMBMAK8F8HB
                                NS DS RRSIG )

$ NSEC3 1 1 1 5CA1AB1E testa.eu
testa.eu NSEC3 1 1 1 5CA1AB1E GLIBUAUN6HLU7OONLEAJE4PFAHE8CFEU

This NSEC3 record proves there is no signed delegation for testa.eu. There
is an opt-out bit which means that there can be any unsigned delegations
with hashes between GLIBH... and GLIJ3...


QBQ65Q6097OCPPR0EUCQNSC1FHE073UA.eu. 589 IN NSEC3 1 1 1 5CA1AB1E (
                                QBQ6OCGMT2JNIJ4JNF2CCRFI4CE4NUE0
                                NS SOA RRSIG DNSKEY NSEC3PARAM )

$ NSEC3 1 1 1 5CA1AB1E eu
eu NSEC3 1 1 1 5CA1AB1E QBQ65Q6097OCPPR0EUCQNSC1FHE073UA

This is the closest encloser proof, identifying the .eu zone apex, which
you can tell from the type bitmap as well as the matching hashes.


So according to my understanding, a local testa.eu zone should work ok.
Letsa testa it. I have configured an empty zone on my authoritative view,
with a static-stub version in the recursive view. This is a cunning hack
to make my server validate its local authoritative zones, which I use for
all the real zones on the server.

$ named-checkconf -l | grep testa
testa.eu IN rec static-stub
testa.eu IN auth master

$ dig testa.eu soa

; <<>> DiG 9.13.0-dev <<>> testa.eu soa
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 38193
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

Oh dear! As you said, it doesn't work!

I think this warrants further investigation...

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
Rockall, Malin, Hebrides, Bailey: West or southwest 5 to 7, occasionally gale
8 in Hebrides and Bailey. Very rough or high, occasionally rough in Malin.
Rain then showers, becoming wintry and squally except in Malin. Good,
occasionally poor.
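As an added worked example (not part of Tony's mail or of his NSEC3 utility), the Python below recomputes the three hashes from RFC 5155 with the parameters quoted above (SHA-1, opt-out flag set, 1 iteration, salt 5CA1AB1E) and checks them against the NSEC3 intervals from the dig output; the owner and next-hash values are copied from the records in the mail, the function names are mine.

```python
"""NSEC3 (RFC 5155) hashing and interval checks for the testa.eu NXDOMAIN proof."""
import base64
import hashlib

# Parameters taken from the quoted records: "NSEC3 1 1 1 5CA1AB1E"
# = algorithm 1 (SHA-1), flags 1 (opt-out), 1 extra iteration, salt 5CA1AB1E.
SALT = bytes.fromhex("5CA1AB1E")
ITERATIONS = 1
FLAGS = 1
_B32_STD = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_B32_HEX = b"0123456789ABCDEFGHIJKLMNOPQRSTUV"

# Owner hash -> next hashed owner name, copied from the AUTHORITY section above.
EU_NSEC3 = {
    "4EIKQ8ORL4U4NTG72QEDRA6P3NDA1UNC": "4EIOQGMMDB0BP76VHHBDNVEN2UUNABGK",
    "GLIBHU0LF7IH1TGCCS68E3R5508AKBFR": "GLIJ3PFD0FCA2FL8AJIASQMBMAK8F8HB",
    "QBQ65Q6097OCPPR0EUCQNSC1FHE073UA": "QBQ6OCGMT2JNIJ4JNF2CCRFI4CE4NUE0",
}


def wire_name(name: str) -> bytes:
    """Canonical (lowercase) wire-format owner name, terminated by the root label."""
    labels = [lb for lb in name.lower().rstrip(".").split(".") if lb]
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def nsec3_hash(name: str, salt: bytes = SALT, iterations: int = ITERATIONS) -> str:
    """RFC 5155 s.5: H(x||salt), re-hashed `iterations` times, as Base32hex."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(bytes.maketrans(_B32_STD, _B32_HEX)).decode()


def covers(owner_hash: str, next_hash: str, h: str) -> bool:
    """True if h lies strictly between owner and next hash (Base32hex sorts like the raw bytes)."""
    if owner_hash < next_hash:
        return owner_hash < h < next_hash
    return h > owner_hash or h < next_hash  # last record in the chain wraps to the first


def verify_nxdomain_proof(qname: str, chain: dict = EU_NSEC3, flags: int = FLAGS) -> dict:
    """Reproduce the three checks from the mail for a single-label name under eu."""
    closest_encloser = qname.split(".", 1)[1]          # "eu" for "testa.eu"
    wildcard = "*." + closest_encloser
    return {
        "closest_encloser_matches": nsec3_hash(closest_encloser) in chain,
        "next_closer_covered": any(covers(o, n, nsec3_hash(qname)) for o, n in chain.items()),
        "wildcard_covered": any(covers(o, n, nsec3_hash(wildcard)) for o, n in chain.items()),
        "opt_out": bool(flags & 0x01),  # unsigned delegations may exist inside the interval
    }
```

With opt-out set, "next_closer_covered" only proves there is no *signed* delegation for testa.eu, which is exactly why a validator tolerates an insecure local zone there.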