Hi, I am using NSD 3.2.8 on Ubuntu. It seems that the DS type does not properly interact with $ORIGIN when a void owner name is provided. In other words, situations 1 and 2 work as expected, but 3 doesn't.

1) Using a subdomain and $ORIGIN works fine:

$ORIGIN zonename.
asubdomain DS [arg]

2) Using the complete owner name, with a "." at the end, ignores the $ORIGIN. I think that's fine.

$ORIGIN zonename.
asubdomain.zonename. DS [arg]

3) $ORIGIN is not considered and it looks like the owner name considered for DS is the latest owner that has been considered. This is not fine.

$ORIGIN zonename
 DS [arg]

Regards,
Daniel

Here is my file to be signed:
------------------------------------
;## Delegation
$ORIGIN secuniv.seczone.net.
 IN NS ns
ns IN A 192.168.216.130
;# DS of the child zone
;# Ksecuniv.seczone.net.+005+06034.ds
 IN DS 6034 5 1 13f0caea47fb412ea0cfde897294a26fec3d6149 ; xegoz-bodyv-pycuz-rebid-vymus-zelym-nisin-gymuk-zoruf-tumag-nyxix
------------------------------------

The signed file provides the following. I would have expected the owner name to be secuniv.seczone.net rather than ns.secuniv.seczone.net:
------------------------------------
ns.secuniv.seczone.net. 3600 IN A 192.168.216.130
ns.secuniv.seczone.net. 3600 IN NS ns.unsecuniv.seczone.net.
ns.secuniv.seczone.net. 3600 IN DS 6034 5 1 13f0caea47fb412ea0cfde897294a26fec3d6149 ; xegoz-bodyv-pycuz-rebid-vymus-zelym-nisin-gymuk-zoruf-tumag-nyxix
ns.secuniv.seczone.net. 3600 IN RRSIG DS 5 4 3600 20110922102247 20110825102247 47241 seczone.net. CQDL2ANeVhAWMaKixqEJA2rI2TLnpR+JwXFlfYae9WiSJILp4NCEzMqRQVAfwTPqcxRV/Z7fy5MMVrfW6zqJ/z3lrTNw80MYt0cyevjJCTAouuBZVq6CLN7ouTKavRtgzmt65r/uJRsacHcRDL4gNxkOtC76L3KRH05X9zzDC2SDQ1qJYm4bwP6aWIz7dTEE3+B44ZOc0aRWbf/Z9c0TUw=;{id = 47241}
ak1vhl4rkdu0h86c02mii2hl0aihlkkn.seczone.net. 86400 IN NSEC3 1 0 1 - apfm8u49v8mi04uheau1nnsert0oa395 NS DS RRSIG
------------------------------------

This configuration works fine:
------------------------------------
$ORIGIN secuniv.seczone.net.
 IN NS ns
ns IN A 192.168.216.130
;# DS of the child zone
;# Ksecuniv.seczone.net.+005+06034.ds
secuniv.seczone.net. IN DS 6034 5 1 13f0caea47fb412ea0cfde897294a26fec3d6149 ; xegoz-bodyv-pycuz-rebid-vymus-zelym-nisin-gymuk-zoruf-tumag-nyxix
------------------------------------

and produces:
------------------------------------
secuniv.seczone.net. 3600 IN NS ns.unsecuniv.seczone.net.
secuniv.seczone.net. 3600 IN DS 6034 5 1 13f0caea47fb412ea0cfde897294a26fec3d6149 ; xegoz-bodyv-pycuz-rebid-vymus-zelym-nisin-gymuk-zoruf-tumag-nyxix
secuniv.seczone.net. 3600 IN RRSIG DS 5 3 3600 20110922103501 20110825103501 47241 seczone.net. iBzzAhVgndMRtR05DpbaXI6JCo14lKYEsFmzM4J5qE69UsBQei8hyI8fxD5w3atSL7L7nAQpu6hRPRJgNbaB3Frrz9zWJ56KxOa4vys/AyTOjkBDmvPUDc/nBKuBd6kQEbFd2Y/3OXsMzCFIk3P1CkghRPd/wUcb2HWSLt+o6L5bNyMA+R93DYy267VGpU/NdL+NrAqQAyLo8mghKQg91A=;{id = 47241}
raooahntpmc6l3l2h6gmib0sb2bv23cr.seczone.net. 86400 IN NSEC3 1 0 1 - 0lg1mgo344nrs7i5acitkgjq0gn9qmr3 NS DS RRSIG
------------------------------------

-- 
Daniel Migault
Orange Labs / Security Lab
+33 (0) 1 45 29 60 52
+33 (0) 6 70 72 69 58
On Thu, Aug 25, 2011 at 12:49:44PM +0200, Daniel Migault wrote:

> 3) $ORIGIN is not considered and it looks like the owner name
> considered for DS is the latest owner that has been considered. This is
> not fine.
> $ORIGIN zonename
> DS [arg]

works in conformance with RFC 1035, section 5.1:

    The last two forms represent RRs. If an entry for an RR begins with a
    blank, then the RR is assumed to be owned by the last stated owner. If
    an RR entry begins with a <domain-name>, then the owner name is reset.

You'd need to use '@' to explicitly set the owner to $ORIGIN.

-Peter
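An added illustration of Peter's point, not code from this thread or from NSD: a small Python walker that applies the RFC 1035 section 5.1 owner-name rules ($ORIGIN, '@', trailing-dot absolute names, blank owner inherits the last stated owner) to a constructed fragment modelled on Daniel's file, so you can see the DS record land at ns.secuniv.seczone.net. with a blank owner and at the zone cut once '@' is used. The sample zone text and the helper names are assumptions.

```python
ROOT = "."

def qualify(name, origin):
    """Turn an owner token into an absolute name per RFC 1035 s5.1:
    '@' is the current $ORIGIN, a name ending in '.' is already absolute,
    anything else is relative and gets the current $ORIGIN appended."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return name + "." if origin == ROOT else name + "." + origin

def resolve_owners(zone_text, origin=ROOT):
    """Walk a master-file fragment; return [(absolute_owner, rdata_text)].
    A line that begins with blank space carries no owner of its own and
    inherits the last stated owner, which is what moved Daniel's DS."""
    last_owner = None
    records = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()        # drop ';' comments
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = qualify(line.split()[1], origin)
            continue
        if line[0].isspace():                        # blank owner field
            if last_owner is None:
                raise ValueError("blank owner before any owner: %r" % raw)
            owner, rest = last_owner, line.strip()
        else:
            parts = line.split(None, 1)
            owner = qualify(parts[0], origin)
            rest = parts[1] if len(parts) > 1 else ""
            last_owner = owner
        records.append((owner, rest.strip()))
    return records

# Constructed sample (hypothetical): the DS line has a blank owner, so it
# inherits 'ns' from the A record rather than taking the $ORIGIN.
BLANK_OWNER_DS = """\
$ORIGIN secuniv.seczone.net.
@ IN NS ns
ns IN A 192.168.216.130
 IN DS 6034 5 1 13f0caea47fb412ea0cfde897294a26fec3d6149 ; key tag 6034
"""

# Same fragment with '@' as Peter suggests: the DS now sits at the zone cut.
AT_OWNER_DS = BLANK_OWNER_DS.replace("\n IN DS", "\n@ IN DS")

if __name__ == "__main__":
    for label, text in (("blank", BLANK_OWNER_DS), ("'@'", AT_OWNER_DS)):
        for owner, rdata in resolve_owners(text):
            print(label, "->", owner, rdata)
```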