Wildcard at apex doesn't pass DNSSEC validation. #1101

Description

@hittis

When running zonemaster.net against zone agriwise.org it gives an error in DNSSEC for "random label" in a zone's apex where the label is expanded from a wildcard:

The name "xx--oplk4f3fgh9lksdfhu7h--xx.agriwise.org." of RR type "A" is signed by RRSIG, but the signature or signatures cannot be verified. Fetched from the nameservers with IP addresses "194.71.214.4; 194.71.214.5; 2001:41d0:701:1100::ba9; 2001:67c:240c:214::4; 2001:67c:240c:214::5; 2a02:c207:2023:8616::1; 5.189.136.199; 54.37.72.244".

The validity of the label aside, checking the RRSIG for "xx--oplk4f3fgh9lksdfhu7h--xx.agriwise.org" gives:

#delv xx--oplk4f3fgh9lksdfhu7h--xx.agriwise.org
; unsigned answer
xx--oplk4f3fgh9lksdfhu7h--xx.agriwise.org. 3098 IN A 194.9.94.85
xx--oplk4f3fgh9lksdfhu7h--xx.agriwise.org. 3098 IN A 194.9.94.86
xx--oplk4f3fgh9lksdfhu7h--xx.agriwise.org. 3098 IN RRSIG A 8 2 3600 20221102040002 20221003040002 33699 agriwise.org. pg9r3DiIq5e3MHmQFgy9ACR1+ALtKZHJK3Xpvwcti8mVOJfBeXs+N70q 1CRtaRCHUGLbnZ2gnfnBiHObiw3n5A7naS0/gp3AccbfxErTgNXtQ8px z+31QKW3wJMbOye275osRTzoDR0JJHTB/SCpGDYg3/RmOFNiY1ndQYy5 hDG3BX7SH7Y9xVrA2dSAN3aj/ZUzKdhFYN4SfwIyW8Pl2MQ/HNa420EN xmZMu4bayLWMLPAnh8t+0Sy4JGiIJS8j/Bh8xW1xDUJZNK9UtRzTx1B3 Utbxt7brU4hzkf1BzhRbWgxNWklEPSwSn05QRe0M7TWJVSYAqPNaxRRZ xVHqVg==

The RRSIG shows a label count of two instead of three, which indicates that it is a wildcard RRSIG. So:

#delv *.agriwise.org
; fully validated
*.agriwise.org. 3600 IN A 194.9.94.86
*.agriwise.org. 3600 IN A 194.9.94.85
*.agriwise.org. 3600 IN RRSIG A 8 2 3600 20221102040002 20221003040002 33699 agriwise.org. pg9r3DiIq5e3MHmQFgy9ACR1+ALtKZHJK3Xpvwcti8mVOJfBeXs+N70q 1CRtaRCHUGLbnZ2gnfnBiHObiw3n5A7naS0/gp3AccbfxErTgNXtQ8px z+31QKW3wJMbOye275osRTzoDR0JJHTB/SCpGDYg3/RmOFNiY1ndQYy5 hDG3BX7SH7Y9xVrA2dSAN3aj/ZUzKdhFYN4SfwIyW8Pl2MQ/HNa420EN xmZMu4bayLWMLPAnh8t+0Sy4JGiIJS8j/Bh8xW1xDUJZNK9UtRzTx1B3 Utbxt7brU4hzkf1BzhRbWgxNWklEPSwSn05QRe0M7TWJVSYAqPNaxRRZ xVHqVg==

So it should be valid in the test. Or am I missing something critical?
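The point the report turns on is the RRSIG "Labels" field: when it is smaller than the number of labels in the queried owner name, the RRset was synthesized from a wildcard and the signature has to be verified against "*.<rightmost Labels labels>" rather than the queried name (RFC 4034 section 3.1.3, RFC 4035 section 5.3.1). The following is an added example, not code from the issue or from Zonemaster, that derives the name a validator must use from the delv output quoted above; the RRSIG line is constructed from that output with the signature truncated.

```python
# Added example (not from the issue or from Zonemaster): decide whether an RRSIG
# covers a wildcard-expanded RRset and which owner name the signature must be
# verified against, following RFC 4034 s.3.1.3 and RFC 4035 s.5.3.1.
# The RRSIG Labels field counts the labels of the original owner name, ignoring
# the root label and a leading "*" label.


def name_for_validation(owner: str, rrsig_labels: int) -> str:
    """Return the owner name (in presentation form, with trailing dot) whose
    canonical form must be hashed when verifying the signature.

    Raises ValueError if the RRSIG cannot apply to this owner at all."""
    owner = owner.rstrip(".") + "."
    labels = [label for label in owner.split(".") if label]
    n = len(labels)
    if rrsig_labels > n:
        raise ValueError("RRSIG Labels exceeds owner label count; signature cannot be valid")
    if rrsig_labels == n:
        return owner  # not a wildcard expansion: verify against the queried name
    # Wildcard expansion: keep the rightmost `rrsig_labels` labels and prepend "*".
    return "*." + ".".join(labels[n - rrsig_labels:]) + "."


def parse_rrsig_labels(presentation: str) -> int:
    """Extract the Labels field from an RRSIG in presentation format:
    owner TTL IN RRSIG type alg labels origttl expire inception keytag signer sig"""
    fields = presentation.split()
    if "RRSIG" not in fields:
        raise ValueError("not an RRSIG record")
    i = fields.index("RRSIG")
    return int(fields[i + 3])  # fields after RRSIG: type, alg, labels, ...


# Constructed from the delv output quoted in the issue (signature truncated).
RRSIG_LINE = ("xx--oplk4f3fgh9lksdfhu7h--xx.agriwise.org. 3098 IN RRSIG A 8 2 3600 "
              "20221102040002 20221003040002 33699 agriwise.org. pg9r3DiIq5e3MHmQ...")

if __name__ == "__main__":
    labels = parse_rrsig_labels(RRSIG_LINE)
    target = name_for_validation("xx--oplk4f3fgh9lksdfhu7h--xx.agriwise.org", labels)
    print(labels, target)  # -> 2 *.agriwise.org.
```

A validator that hashes the queried name instead of the reconstructed "*.agriwise.org." will report exactly the "signature cannot be verified" failure quoted in the report, even though delv accepts the wildcard RRset.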

Labels: A-TestCaseArea (Test case specification or implementation of test case), P-HighPriority (Issue to be solved before other)