Bug 372 - Use library functions to verify NSEC in drill
Product: ldns
Classification: Unclassified
Component: drill/tools
Hardware: All
OS: All
Importance: P5 enhancement
Assigned To: LDNS dev team
Depends on:
Reported: 2011-03-17 10:50 CET by Willem Toorop
Modified: 2017-09-30 13:22 CEST (History)

Description Willem Toorop 2011-03-17 10:50:29 CET
Copied from the original post:

-------- Original Message --------
Subject: [ldns-users] bug in drill?
Date: Wed, 16 Mar 2011 11:01:00 +0100
From: Gilles Massen <gilles.massen@restena.lu>
Organization: Fondation RESTENA
To: ldns-users@open.nlnetlabs.nl


When running a drill on ns1.dns.lu (or any other existing name in
dns.lu), I get an error, but still a correct result. It looks like a
bug, but so far I have been unable to tie it to something specific,
although I would suspect that it is somehow NSEC3/OptOut related. (an
NSEC zone, from the same signer, is working fine).

The command:

./drill -k root.key -DT ns1.dns.lu a

Last lines of the output:

;; Domain: dns.lu.
[T] dns.lu. 7200 IN DNSKEY 256 3 8 ;{id = 41485 (zsk), size = 1024b}
dns.lu. 7200 IN DNSKEY 256 3 8 ;{id = 16129 (zsk), size = 1024b}
dns.lu. 7200 IN DNSKEY 257 3 8 ;{id = 13736 (ksk), size = 2048b}
[B] Error verifying denial of existence for ns1.dns.lu. DS: General LDNS
;; No ds record for delegation
;; Domain: ns1.dns.lu.
;; No DNSKEY record found for ns1.dns.lu.
[T] ns1.dns.lu. 86400   IN      A

This is ldns 1.6.8.


Fondation RESTENA - DNS-LU
6, rue Coudenhove-Kalergi
L-1359 Luxembourg
tel: (+352) 424409
fax: (+352) 422473
Comment 1 Willem Toorop 2011-03-17 11:40:31 CET
On line 570 of securetrace.c, ldns_verify_denial is called to check the non-existence of a record. The function should return the relevant records in the nsec_rrs and nsec_rr_sigs pointers (given as reference parameters). However, it only does so for NSEC records and not for NSEC3 records, even though the primary task of the function (verifying the denial) is also performed for NSEC3 records.

Looking closer, the strategy in ldns_verify_denial is different for NSEC and NSEC3. For NSEC, the function mimics the behavior of the library function ldns_dnssec_verify_denial, allowing it to return the relevant NSEC records (with the signatures).
For NSEC3, the library function ldns_dnssec_verify_denial_nsec3 is simply called and not mimicked. Therefore it is not able to return the relevant NSEC3 records.

It does seem to me that using library functions (as is done for NSEC3) is preferable over mimicking them (as done for NSEC). Because drill does not do that for NSEC, it probably does not behave correctly with wildcard NSEC records (because they are covered in the library function, but not in the mimicked behavior in drill). However, unfortunately the library function does not return the specific NSEC(3) record, to be verified for having a correct signature later. This is unfortunate because the function itself also does not verify the NSEC's signature.

To resolve the issue, it seems to me that the library functions should indicate which nsec(3) record was used that confirmed the denial of existence. I guess the current functions should be modified to hold two reference parameters (like the drill function does) and be renamed (so we do not change the API). Two wrappers for those functions should then be made with the current function names (ldns_dnssec_verify_denial and ldns_dnssec_verify_denial_nsec3) to maintain the current API.
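The shape of check that comment 1 asks for, as an added, self-contained example (it is not ldns code and not Willem's trunk change): a denial-of-existence verifier that reports which NSEC record(s) it relied on, so the caller can then verify the RRSIGs over exactly those records. It shows the two cases the thread touches: an NXDOMAIN proof, which needs a covering NSEC for the name and a second covering NSEC for the wildcard at the closest encloser (the wildcard step drill's mimicked NSEC path skips), and a NODATA proof for the "no DS at a delegation" situation in the report. Assumptions: names are presentation-format strings with a trailing dot, the type bitmap is a NULL-terminated list of type mnemonics, the dns.lu. NSEC chain is constructed for the example and not real zone data, and only NSEC is handled (NSEC3 would hash the names before the same ordering logic). Signature verification is deliberately left to the caller; that is the point of returning the records.

```c
/* Added example, not ldns code: a denial-of-existence check that hands back the NSEC
 * record(s) it relied on, so the caller can still verify their RRSIGs. Names are
 * presentation strings with a trailing dot; the chain below is constructed, not real. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#define MAX_LABELS 32

/* owner; next owner in canonical order (the apex for the last NSEC); NULL-terminated type list */
typedef struct { const char *owner, *next, *types[8]; } nsec_rr;

/* Split "a.b.c." into label pointers and lengths; returns the label count (root: 0). */
static int split_labels(const char *name, const char *lab[], size_t len[]) {
    int n = 0;
    for (const char *p = name; *p && n < MAX_LABELS; ) {
        const char *dot = strchr(p, '.');
        size_t l = dot ? (size_t)(dot - p) : strlen(p);
        if (l == 0) break;                      /* trailing dot ends the name */
        lab[n] = p; len[n] = l; n++;
        if (!dot) break;
        p = dot + 1;
    }
    return n;
}

/* RFC 4034 6.1: labels compare case-insensitively; a shorter label sorts first. */
static int cmp_label(const char *a, size_t la, const char *b, size_t lb) {
    for (size_t i = 0; i < la && i < lb; i++) {
        int ca = tolower((unsigned char)a[i]), cb = tolower((unsigned char)b[i]);
        if (ca != cb) return ca < cb ? -1 : 1;
    }
    return (la > lb) - (la < lb);
}

/* Compare labels right to left. Returns how many trailing labels a and b share (the depth
 * of their closest common ancestor); *order receives the canonical order of a vs b. */
static int compare_names(const char *a, const char *b, int *order) {
    const char *la[MAX_LABELS], *lb[MAX_LABELS];
    size_t xa[MAX_LABELS], xb[MAX_LABELS];
    int na = split_labels(a, la, xa), nb = split_labels(b, lb, xb), k = 0;
    for (; k < na && k < nb; k++) {
        int c = cmp_label(la[na - 1 - k], xa[na - 1 - k], lb[nb - 1 - k], xb[nb - 1 - k]);
        if (c) { *order = c; return k; }
    }
    *order = (na > nb) - (na < nb);             /* an ancestor sorts before its children */
    return k;
}
int canonical_cmp(const char *a, const char *b) { int o; compare_names(a, b, &o); return o; }
static int common_suffix(const char *a, const char *b) { int o; return compare_names(a, b, &o); }

/* owner < name < next; the last NSEC of the zone points back to the apex and wraps around. */
bool nsec_covers(const nsec_rr *rr, const char *name) {
    int o = canonical_cmp(rr->owner, name), n = canonical_cmp(name, rr->next);
    return canonical_cmp(rr->owner, rr->next) < 0 ? (o < 0 && n < 0) : (o < 0 || n < 0);
}
static const nsec_rr *find_covering(const nsec_rr *rrs, size_t n, const char *name) {
    for (size_t i = 0; i < n; i++)
        if (nsec_covers(&rrs[i], name)) return &rrs[i];
    return NULL;
}
static bool has_type(const char *const *types, const char *t) {
    for (; *types; types++) if (strcmp(*types, t) == 0) return true;
    return false;
}

/* NXDOMAIN proof (RFC 4035 5.4): one NSEC must cover qname and one must cover the wildcard
 * at the closest encloser. Returns the number of distinct NSECs relied on (0 = not proven)
 * and hands them back in used[] so the caller can verify their signatures. */
int verify_nxdomain(const nsec_rr *rrs, size_t n, const char *qname, const nsec_rr *used[2]) {
    const nsec_rr *c = find_covering(rrs, n, qname);
    if (!c) return 0;
    int k1 = common_suffix(qname, c->owner), k2 = common_suffix(qname, c->next);
    int k = k1 > k2 ? k1 : k2;                  /* closest encloser = deeper common ancestor */
    const char *lab[MAX_LABELS]; size_t len[MAX_LABELS]; char wildcard[256];
    int nq = split_labels(qname, lab, len);
    snprintf(wildcard, sizeof wildcard, "*.%s", k > 0 ? lab[nq - k] : "");
    const nsec_rr *w = find_covering(rrs, n, wildcard);
    if (!w) return 0;                           /* wildcard exists (or chain incomplete) */
    used[0] = c; used[1] = w;
    return c == w ? 1 : 2;
}

/* NODATA proof: an NSEC owned by qname whose type list lacks qtype, e.g. no DS at an
 * insecure delegation as in the report above. Returns the NSEC relied on, or NULL. */
const nsec_rr *verify_nodata(const nsec_rr *rrs, size_t n, const char *qname, const char *qtype) {
    for (size_t i = 0; i < n; i++)
        if (canonical_cmp(rrs[i].owner, qname) == 0 && !has_type(rrs[i].types, qtype))
            return &rrs[i];
    return NULL;
}

/* Constructed NSEC chain for a hypothetical dns.lu. zone; sub.dns.lu. is an insecure delegation. */
const nsec_rr DNS_LU_CHAIN[] = {
    { "dns.lu.",     "a.dns.lu.",   { "SOA", "NS", "DNSKEY", "RRSIG", "NSEC", NULL } },
    { "a.dns.lu.",   "sub.dns.lu.", { "A", "RRSIG", "NSEC", NULL } },
    { "sub.dns.lu.", "z.dns.lu.",   { "NS", "RRSIG", "NSEC", NULL } },
    { "z.dns.lu.",   "dns.lu.",     { "A", "RRSIG", "NSEC", NULL } },
};
const size_t DNS_LU_CHAIN_LEN = sizeof DNS_LU_CHAIN / sizeof DNS_LU_CHAIN[0];
```

Calling verify_nxdomain(DNS_LU_CHAIN, DNS_LU_CHAIN_LEN, "ns1.dns.lu.", used) returns 2: the NSEC at a.dns.lu. covers the name and the apex NSEC covers *.dns.lu., and both must then have their RRSIGs checked before the denial counts. A query for b.a.dns.lu. returns 1 because the same NSEC covers both the name and *.a.dns.lu.; a query for an existing name such as a.dns.lu. returns 0. verify_nodata(..., "sub.dns.lu.", "DS") returns the delegation's own NSEC, the record drill would have to verify in the "no DS" case from the report. A verifier that only returns a status, as the library functions did at the time, cannot tell the caller which of these records to check.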
Comment 2 Willem Toorop 2011-03-18 17:11:45 CET
(In reply to comment #1)
I have performed these modifications in trunk, but I keep the ticket open, because we might want to handle NSEC records the same way.