DNSSEC10 tests for the existence of NSEC and NSEC3 records by sending a query for a non-existing name. The current specification (and its implementation) does not correctly handle the case when the non-existent name matches a wildcard name in the zone. A false error is output:
$ zonemaster-cli --show-testcase --test DNSSEC/dnssec10 sebbe.eu
Seconds Level Testcase Message
======= ========= ============== =======
1.29 ERROR DNSSEC10 The name "xx--oplk4f3fgh9lksdfhu7h--xx.sebbe.eu." of RR type "A" is signed by RRSIG, but the signature or signatures cannot be verified. Fetched from the nameservers with IP addresses "185.86.106.232;193.187.91.106;2001:470:dff1:1:10::1;2001:470:dff1:1:10::2".
$ dig *.sebbe.eu +dns +mult
(...)
;; ANSWER SECTION:
*.sebbe.eu. 3555 IN A 185.86.106.232
*.sebbe.eu. 3555 IN A 193.187.91.106
*.sebbe.eu. 3555 IN RRSIG A 7 2 3600 (
20220407000000 20220317000000 47438 sebbe.eu.
oUVGtFNmf6chEm98KvhFMOO9ndiBi2/HI7dQegZBmDui
smXTDMOtcMnAzuv4aPH5/hX4M3jyTpRFc6Pe2IrsR56P
xLUXgTQG2uxAxOgzPj8wA4PhZjuEWGI+PshjD89EsAT9
J75E/pTI8azwaYuUhTI/e6PrHA8UmX6jVjziFYo= )
The purpose of the non-existent name is to get an NSEC or NSEC3 record, not to handle the complexity of wildcards.
A simpler solution is to query for a non-existent record type of an existing name. That would be to query for NSEC3 at the apex. That will result in a NODATA response for all compliant zones and nameservers, with an NSEC or NSEC3 record for the apex (hashed owner name in the case of NSEC3) in the authority section.
DNSSEC10 should be updated to resolve the issue.
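To make the proposed check concrete, here is an added example (not Zonemaster's code) that reads dig's text output for an "NSEC3 at the apex" query and verifies the expected NODATA proof: status NOERROR, an empty answer section, and at least one NSEC or NSEC3 record in the authority section. The query must set the DO bit (dig +dnssec), otherwise the authority section only carries the SOA; the zone name, hashes and serial in the embedded sample are constructed.

```shell
# Usage: dig +dnssec +multi NSEC3 <zone> | check_nodata_proof
# Exit status 0 when the response is a NODATA answer proven by NSEC/NSEC3.
check_nodata_proof() {
    awk '
        /->>HEADER<<-/ && $0 !~ /status: NOERROR/ { bad = "rcode is not NOERROR" }
        /^;; flags:/ {
            # "ANSWER: N" on the counts line; N must be 0 for NODATA
            if (match($0, /ANSWER: [0-9]+/)) {
                split(substr($0, RSTART, RLENGTH), a, " ")
                if (a[2] + 0 != 0) bad = "answer section is not empty"
            }
        }
        /^;; AUTHORITY SECTION:/ { sect = "auth"; next }
        /^;; /                   { sect = "" }
        # owner TTL class type ... : field 4 is the RR type
        sect == "auth" && ($4 == "NSEC" || $4 == "NSEC3") { proof++ }
        END {
            if (bad != "")  { print "FAIL: " bad; exit 1 }
            if (proof == 0) { print "FAIL: no NSEC/NSEC3 in authority section"; exit 1 }
            print "OK: NODATA proven by " proof " NSEC/NSEC3 record(s)"
        }'
}

# Constructed sample (not captured from a real server): a NODATA response to
# "example.test. NSEC3" from an NSEC3-signed zone, laid out like dig +multi.
SAMPLE_NODATA=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1

;; QUESTION SECTION:
;example.test.                  IN      NSEC3

;; AUTHORITY SECTION:
example.test.           3600 IN SOA ns1.example.test. hostmaster.example.test. (
                                2022031701 7200 3600 1209600 3600 )
0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example.test. 3600 IN NSEC3 1 0 10 - (
                                1avfc9gfcge7qa9uaeid5jcubgc7l9v3
                                NS SOA RRSIG DNSKEY NSEC3PARAM )
'

printf '%s\n' "$SAMPLE_NODATA" | check_nodata_proof
```

A response with a wildcard-expanded answer (ANSWER count above 0) or without an NSEC/NSEC3 in the authority section fails the check, which is exactly the distinction the wildcard case in the current DNSSEC10 query blurs.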