Peter van Dijk
2012-Feb-24 12:12 UTC
[nsd-users] wildcard+ANY validation issue between NSD and Unbound
Hello,

Given this zone wtest.com:

$TTL 3600
$ORIGIN wtest.com.
@            IN SOA   ns1.wtest.com. ahu.example.com. (
                         2005092501
                         8H ; refresh
                         2H ; retry
                         1W ; expire
                         1D ; default_ttl
                         )
@            IN NS    ns1
@            IN MX    10 smtp-servers.example.com.
@            IN MX    15 smtp-servers
@            IN A     9.9.9.9
*            IN CNAME server1
ns1          IN A     1.2.3.4
secure       IN MX    10 server1
server1      IN A     1.2.3.4
*.something  IN A     4.3.2.1

When I sign this zone with ldns-signzone (1.6.12) and configure it in NSD (3.2.10), I observe (with Unbound 1.4.16):

$ unbound-host -v -C unbound-host-nsd.conf -t a www.something.wtest.com
www.something.wtest.com has address 4.3.2.1 (secure)
$ unbound-host -v -C unbound-host-nsd.conf -t any www.something.wtest.com
www.something.wtest.com ANY:
www.something.wtest.com. 3600 IN A 4.3.2.1
www.something.wtest.com. 3600 IN RRSIG A 5 3 3600 20120323092532 20120224092532 61140 wtest.com. N0nNjNk2wWpgw8MsSJkWi91L4iAZa3L6bJle4jZ7eSzybTvbmNP5X83db8bxNSErjvACC+QLbMcxg3LICb+msQ= (BOGUS (security failure))
validation failure <www.something.wtest.com. ANY IN>: qtype_any proof failed from 10.0.2.14

Doing the same with BIND (1:9.9.0-0ubuntu0~lucid12~b1) (using dnssec-signzone):

$ unbound-host -v -C unbound-host-bind.conf -t a www.something.wtest.com
www.something.wtest.com has address 4.3.2.1 (secure)
$ unbound-host -v -C unbound-host-bind.conf -t any www.something.wtest.com
www.something.wtest.com ANY:
www.something.wtest.com. 3600 IN A 4.3.2.1
www.something.wtest.com. 3600 IN RRSIG A 5 3 3600 20120325073507 20120224073507 61140 wtest.com. BA8PEvt2bNEr6ZLiOeFJQhQO6BVrj5vTFGFs4tT6vBu5fhvIYyQh1ltzSmaxzyfe9EDMP89upcjW7AQyju9upQ=
www.something.wtest.com. 86400 IN NSEC wtest.com. A RRSIG NSEC
www.something.wtest.com. 86400 IN RRSIG NSEC 5 3 86400 20120325073507 20120224073507 61140 wtest.com. LDtcA1C2qk5hYF2qUquVDSa39v18lexViUwlIa9uLGaoDYXzndOWsA0Zbu01cvcipT1GCu6gaAFLieGL/gNdbQ= (secure)

The difference appears to be that in the ANY case, BIND adds:

www.something.wtest.com. 86400 IN NSEC wtest.com. A RRSIG NSEC
www.something.wtest.com. 86400 IN RRSIG NSEC 5 3 86400 ...

but as far as I can see, this offers no information not already offered by:

*.something.wtest.com. 86400 IN NSEC wtest.com. A RRSIG NSEC
*.something.wtest.com. 86400 IN RRSIG NSEC 5 3 86400 ...

(which is present in both responses, from NSD and from BIND). Yet, unbound seems to require it.

I have sent this message to nsd-users instead of unbound-users because, regardless of who is wrong here, I fear the authoritative side is where this has to be fixed, for compatibility. I also suspect I will reach the Unbound developers via this list anyway.

RFC4035 appears not to cover the interaction between ANY and NSEC at all.

I'm looking forward to any opinions on this subject. I would be happy to repost to unbound-users if the question is deemed more suitable for that forum.

Kind regards,
Peter van Dijk
Miek Gieben
2012-Feb-24 13:28 UTC
[nsd-users] wildcard+ANY validation issue between NSD and Unbound
[ Quoting <peter.van.dijk at netherlabs> at 13:12 on Feb 24 in "[nsd-users] wildcard..." ]
> RFC4035 appears not to cover the interaction between ANY and NSEC at
> all.

That's because ANY has been loosely defined (I'm not sure there is a written-down definition) as "give me the records you've got". In case you hit a cache with an ANY query there is no guarantee whatsoever that it should all validate. I think that even for authoritative servers you can pretty much do what you want if it receives a QTYPE = ANY.

grtz,
-- Miek
Peter van Dijk
2012-Feb-24 13:35 UTC
[nsd-users] wildcard+ANY validation issue between NSD and Unbound
Hello,

On Feb 24, 2012, at 13:12 , Peter van Dijk wrote:

> The difference appears to be that in the ANY case, BIND adds:
> www.something.wtest.com. 86400 IN NSEC wtest.com. A RRSIG NSEC
> www.something.wtest.com. 86400 IN RRSIG NSEC 5 3 86400 ...
>
> but as far as I can see, this offers no information not already offered by:
> *.something.wtest.com. 86400 IN NSEC wtest.com. A RRSIG NSEC
> *.something.wtest.com. 86400 IN RRSIG NSEC 5 3 86400 ...

This is not the difference that matters. The issue is that NSD puts '*.something.wtest.com NSEC' in the answer section instead of the authority section.

According to unbound (and according to my reading of RFC4035), this is okay:

;; QUESTION SECTION:
;www.something.wtest.com. IN ANY

;; ANSWER SECTION:
www.something.wtest.com. 3600 IN A 4.3.2.1
www.something.wtest.com. 3600 IN RRSIG A 8 3 3600 20120308000000 20120223000000 33955 wtest.com. Cdgl41CONlwN91fMiQV6D1T2/ZaQPArjswqIR5FSnNAdTcfLuADAYJrXmBwdTTtQhfJASkZRidjfdtJOYrCgJC3d1KpeqJWnIf2mLIZtiGVkz9DxoMlXcb8O0U9moOSvPRzoWKyspQrvp6+qIM5BwqifrqbsrzSWTr4PFQehiaA

;; AUTHORITY SECTION:
*.something.wtest.com. 3600 IN NSEC wtest.com. A RRSIG NSEC
*.something.wtest.com. 3600 IN RRSIG NSEC 8 3 3600 20120308000000 20120223000000 33955 wtest.com. BEa33+lxqfRaPw5GsM6g9TwRGcVsgA/t4oK0WMZ/sikQllvOKNfZLvbdJwTN1/yQzYhrl+xqYWuQCvMHEYCztEo9/z29sPxC/4DQrWhFmPVln1kgAPNdNIO50O8KzynbwMRq5WflvlFMrgh3B65l4I0otoqOuh9UUVYF2fGlKf4

While this (from NSD) is not:

;; QUESTION SECTION:
;www.something.wtest.com. IN ANY

;; ANSWER SECTION:
*.something.wtest.com. 86400 IN NSEC wtest.com. A RRSIG NSEC
*.something.wtest.com. 86400 IN RRSIG NSEC 5 3 86400 20120323092532 20120224092532 61140 wtest.com. YYV4+Bv6N2VATWSx7RhOJV0PkZuvxwWLk88lU5hXVcJNvqyKkGGlJQXpy19L8ftUZJN+p5nzc+lypH06LFQAmQ=
www.something.wtest.com. 3600 IN A 4.3.2.1
www.something.wtest.com. 3600 IN RRSIG A 5 3 3600 20120323092532 20120224092532 61140 wtest.com. N0nNjNk2wWpgw8MsSJkWi91L4iAZa3L6bJle4jZ7eSzybTvbmNP5X83db8bxNSErjvACC+QLbMcxg3LICb+msQ=

;; AUTHORITY SECTION:
wtest.com. 3600 IN NS ns1.wtest.com.
wtest.com. 3600 IN RRSIG NS 5 2 3600 20120323092532 20120224092532 61140 wtest.com. mIQi6S7OjXL+InBCcUIbHD2Kodt31FN2k7o4jdnHu7l0iTs58TjbiqJoL0DwZBk85NnRD/cLDrARD5X39nq5Qw=

;; ADDITIONAL SECTION:
ns1.wtest.com. 3600 IN A 1.2.3.4
ns1.wtest.com. 3600 IN RRSIG A 5 3 3600 20120323092532 20120224092532 61140 wtest.com. wO/knqEUrzk2RU4P+MRKAyk0yOmDaidYLYdT64DbmxcZmpU54tanw6rjoNpcMlHnWR/1IVw6/kozTGuTNnD6Yg=

Kind regards,
Peter van Dijk
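Added illustration of the check discussed in both of Peter's messages above (not code from NSD, Unbound, BIND or ldns, and not part of the thread). The script models the RFC 4035 section 3.1.3.3 reading stated in the thread: a wildcard-expanded answer (recognised from the RRSIG labels field, RFC 4034 section 3.1.3) must be accompanied by an NSEC, in the AUTHORITY section, that covers the query name in canonical order. It parses dig-style text and reports where such a covering NSEC was found, so the BIND and NSD responses quoted above come out differently. Signatures are not verified; the two sample responses are constructed from the records quoted in the thread with the base64 signature data replaced by a placeholder token, and the function and constant names are my own.

```python
"""Locate the wildcard proof (covering NSEC) in a DNSSEC ANY response."""
import re

SECTION_RE = re.compile(r"^;; (\w+) SECTION:")


def name_labels(name):
    """Labels of NAME, lower-cased, without the empty root label."""
    return [l.lower() for l in name.rstrip(".").split(".") if l]


def label_count(name):
    """Label count as RFC 4034 3.1.3 defines it: '*' is not counted."""
    return len([l for l in name_labels(name) if l != "*"])


def canon_key(name):
    """Sort key for RFC 4034 6.1 canonical order: labels compared from the
    root towards the left, as unsigned bytes; a shorter name sorts first."""
    return tuple(l.encode() for l in reversed(name_labels(name)))


def nsec_covers(owner, next_name, name):
    """True if NAME lies strictly between OWNER and NEXT.  The last NSEC of
    a zone points back to the apex, so it covers everything after OWNER."""
    o, n, q = canon_key(owner), canon_key(next_name), canon_key(name)
    if n <= o:
        return q > o
    return o < q < n


def parse_response(text):
    """Map section name -> list of (owner, ttl, rtype, rdata tokens)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
            continue
        if not line or line.startswith(";") or current is None:
            continue
        owner, ttl, _cls, rtype, *rdata = line.split()
        sections[current].append((owner, int(ttl), rtype, rdata))
    return sections


def wildcard_expanded(qname, answer):
    """RFC 4035 5.3.4: an RRSIG over QNAME whose labels field (3rd rdata
    token) is smaller than QNAME's label count marks a synthesised RRset."""
    for owner, _ttl, rtype, rdata in answer:
        if rtype == "RRSIG" and name_labels(owner) == name_labels(qname):
            if int(rdata[2]) < label_count(owner):
                return True
    return False


def find_wildcard_proof(qname, sections):
    """Section name -> NSEC owner, for every NSEC that covers QNAME."""
    found = {}
    for sec in ("ANSWER", "AUTHORITY"):
        for owner, _ttl, rtype, rdata in sections.get(sec, []):
            if rtype == "NSEC" and nsec_covers(owner, rdata[0], qname):
                found[sec] = owner
    return found


def check_wildcard_any(qname, text):
    """Classify a response: where does the covering NSEC sit, if anywhere?"""
    sections = parse_response(text)
    if not wildcard_expanded(qname, sections.get("ANSWER", [])):
        return "not-wildcard"
    proof = find_wildcard_proof(qname, sections)
    if "AUTHORITY" in proof:
        return "proof-in-authority"
    if "ANSWER" in proof:
        return "proof-only-in-answer"
    return "no-proof"


SIG = "SIGNATURE_PLACEHOLDER"  # constructed stand-in for the base64 data

# Constructed from the BIND response quoted in the thread.
BIND_RESPONSE = f"""\
;; QUESTION SECTION:
;www.something.wtest.com. IN ANY

;; ANSWER SECTION:
www.something.wtest.com. 3600 IN A 4.3.2.1
www.something.wtest.com. 3600 IN RRSIG A 8 3 3600 20120308000000 20120223000000 33955 wtest.com. {SIG}

;; AUTHORITY SECTION:
*.something.wtest.com. 3600 IN NSEC wtest.com. A RRSIG NSEC
*.something.wtest.com. 3600 IN RRSIG NSEC 8 3 3600 20120308000000 20120223000000 33955 wtest.com. {SIG}
"""

# Constructed from the NSD response quoted in the thread: the covering NSEC
# is in the ANSWER section and the AUTHORITY section only carries NS data.
NSD_RESPONSE = f"""\
;; QUESTION SECTION:
;www.something.wtest.com. IN ANY

;; ANSWER SECTION:
*.something.wtest.com. 86400 IN NSEC wtest.com. A RRSIG NSEC
*.something.wtest.com. 86400 IN RRSIG NSEC 5 3 86400 20120323092532 20120224092532 61140 wtest.com. {SIG}
www.something.wtest.com. 3600 IN A 4.3.2.1
www.something.wtest.com. 3600 IN RRSIG A 5 3 3600 20120323092532 20120224092532 61140 wtest.com. {SIG}

;; AUTHORITY SECTION:
wtest.com. 3600 IN NS ns1.wtest.com.
wtest.com. 3600 IN RRSIG NS 5 2 3600 20120323092532 20120224092532 61140 wtest.com. {SIG}

;; ADDITIONAL SECTION:
ns1.wtest.com. 3600 IN A 1.2.3.4
ns1.wtest.com. 3600 IN RRSIG A 5 3 3600 20120323092532 20120224092532 61140 wtest.com. {SIG}
"""

if __name__ == "__main__":
    for label, text in (("BIND", BIND_RESPONSE), ("NSD", NSD_RESPONSE)):
        print(label, check_wildcard_any("www.something.wtest.com.", text))
```

Run as-is it prints proof-in-authority for the BIND-style response and proof-only-in-answer for the NSD-style one, which is the distinction Peter draws; a validator that searches only the AUTHORITY section for the wildcard proof will therefore reject the second response even though the same NSEC is present. The canonical-order comparison is what makes "*.something.wtest.com. NSEC wtest.com." cover www.something.wtest.com: the wildcard label "*" (0x2a) sorts before "www" and the NSEC's next name is the apex, so it wraps.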