Named does not validate zone data.

view validate {
	match-recursive-only yes;	// only queries with RD set (recursive clients) match this view
	....
};

> Hello,
>
> I discovered a problem with my DLV setup: validation of non-signed
> domain names fails. The special case is that I tried to use the DLV
> zone information as a slave zone to avoid additional network traffic
> during name resolution. For my tests I configured
> dnssec-lookaside "." trust-anchor "dnssec.iks-jena.de."; and
> zone "dnssec.iks-jena.de" {
> type slave;
> ...
> Zone transfer for this zone and lookups for zone data are working
> well. I use BIND 9.4.2-P1.
>
> When I try to look up a domain name from Germany, e.g. www.stern.de, I
> get:
> ; <<>> DiG 9.4.2 <<>> www.stern.de a
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 50671
>
> Interestingly, for a domain in Hungary:
> ; <<>> DiG 9.4.2 <<>> www.vam.hu a
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9004
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
> www.vam.hu. 86400 IN A 84.206.40.8
>
> What happened can be seen in the log:
> validating @0x91f7800: www.stern.de A: starting
> validating @0x91f7800: www.stern.de A: looking for DLV
> validating @0x91f7800: www.stern.de A: plain DNSSEC returns unsecure (.): looking for DLV
> validating @0x91f7800: www.stern.de A: looking for DLV www.stern.de.dnssec.iks-jena.de
> validating @0x91f7800: www.stern.de A: looking for DLV stern.de.dnssec.iks-jena.de
> validating @0x91f7800: www.stern.de A: looking for DLV de.dnssec.iks-jena.de
> validating @0x91f7800: www.stern.de A: DLV lookup: empty name
> validator @0x91f7800: dns_validator_destroy
> validating @0x91f7800: www.stern.de A: starting
> validating @0x91f7800: www.stern.de A: looking for DLV
> validating @0x91f7800: www.stern.de A: plain DNSSEC returns unsecure (.): looking for DLV
> validating @0x91f7800: www.stern.de A: looking for DLV www.stern.de.dnssec.iks-jena.de
> validating @0x91f7800: www.stern.de A: looking for DLV stern.de.dnssec.iks-jena.de
> validating @0x91f7800: www.stern.de A: looking for DLV de.dnssec.iks-jena.de
> validating @0x91f7800: www.stern.de A: DLV lookup: empty name
> validator @0x91f7800: dns_validator_destroy
> validating @0x91f7800: www.stern.de A: starting
> validating @0x91f7800: www.stern.de A: looking for DLV
> validating @0x91f7800: www.stern.de A: plain DNSSEC returns unsecure (.): looking for DLV
> validating @0x91f7800: www.stern.de A: looking for DLV www.stern.de.dnssec.iks-jena.de
> validating @0x91f7800: www.stern.de A: looking for DLV stern.de.dnssec.iks-jena.de
> validating @0x91f7800: www.stern.de A: looking for DLV de.dnssec.iks-jena.de
> validating @0x91f7800: www.stern.de A: DLV lookup: empty name
> validator @0x91f7800: dns_validator_destroy
>
> validating @0x91f7800: www.vam.hu A: starting
> validating @0x91f7800: www.vam.hu A: looking for DLV
> validating @0x91f7800: www.vam.hu A: plain DNSSEC returns unsecure (.): looking for DLV
> validating @0x91f7800: www.vam.hu A: looking for DLV www.vam.hu.dnssec.iks-jena.de
> validating @0x91f7800: www.vam.hu A: looking for DLV vam.hu.dnssec.iks-jena.de
> validating @0x91f7800: www.vam.hu A: looking for DLV hu.dnssec.iks-jena.de
> validating @0x91f7800: www.vam.hu A: looking for DLV dnssec.iks-jena.de
> validating @0x91f7800: www.vam.hu A: DLV not found
> validating @0x91f7800: www.vam.hu A: marking as answer
> validator @0x91f7800: dns_validator_destroy
>
> #####
>
> Now let's see what we get when I do not use a slave zone but let
> the resolver make queries to dnssec.iks-jena.de. I do not show any
> dig output, because everything is working well; here is the log only:
> validating @0x8c12800: www.stern.de A: starting
> validating @0x8c12800: www.stern.de A: looking for DLV
> validating @0x8c12800: www.stern.de A: plain DNSSEC returns unsecure (.): looking for DLV
> validating @0x8c12800: www.stern.de A: looking for DLV www.stern.de.dnssec.iks-jena.de
> validating @0x8c12800: www.stern.de A: DNS_R_COVERINGNSEC
> validating @0x8c12800: www.stern.de A: covering nsec: not in range
> validating @0x8c12800: www.stern.de A: DLV lookup: wait
> validating @0x96eb800: www.stern.de.dnssec.iks-jena.de DLV: starting
> validating @0x96eb800: www.stern.de.dnssec.iks-jena.de DLV: attempting negative response validation
> validating @0x96ec000: dnssec.iks-jena.de SOA: starting
> validating @0x96ec000: dnssec.iks-jena.de SOA: attempting positive response validation
> validating @0x96ec000: dnssec.iks-jena.de SOA: keyset with trust 7
> validating @0x96ec000: dnssec.iks-jena.de SOA: verify rdataset (keyid=51362): success
> validating @0x96ec000: dnssec.iks-jena.de SOA: marking as secure
> validator @0x96ec000: dns_validator_destroy
> validating @0x96eb800: www.stern.de.dnssec.iks-jena.de DLV: in authvalidated
> validating @0x96eb800: www.stern.de.dnssec.iks-jena.de DLV: resuming nsecvalidate
> validating @0x96ec000: steps-jena.de.dnssec.iks-jena.de NSEC: starting
> validating @0x96ec000: steps-jena.de.dnssec.iks-jena.de NSEC: attempting positive response validation
> validating @0x96ec000: steps-jena.de.dnssec.iks-jena.de NSEC: keyset with trust 7
> validating @0x96ec000: steps-jena.de.dnssec.iks-jena.de NSEC: verify rdataset (keyid=51362): success
> validating @0x96ec000: steps-jena.de.dnssec.iks-jena.de NSEC: marking as secure
> validator @0x96ec000: dns_validator_destroy
> validating @0x96eb800: www.stern.de.dnssec.iks-jena.de DLV: in authvalidated
> validating @0x96eb800: www.stern.de.dnssec.iks-jena.de DLV: looking for relevant nsec
> validating @0x96eb800: www.stern.de.dnssec.iks-jena.de DLV: nsec range ok
> validating @0x96eb800: www.stern.de.dnssec.iks-jena.de DLV: resuming nsecvalidate
> validating @0x96ec000: mou.cz.dnssec.iks-jena.de NSEC: starting
> validating @0x96ec000: mou.cz.dnssec.iks-jena.de NSEC: attempting positive response validation
> validating @0x96ec000: mou.cz.dnssec.iks-jena.de NSEC: keyset with trust 7
> validating @0x96ec000: mou.cz.dnssec.iks-jena.de NSEC: verify rdataset (keyid=51362): success
> validating @0x96ec000: mou.cz.dnssec.iks-jena.de NSEC: marking as secure
> validator @0x96ec000: dns_validator_destroy
> validating @0x96eb800: www.stern.de.dnssec.iks-jena.de DLV: in authvalidated
> validating @0x96eb800: www.stern.de.dnssec.iks-jena.de DLV: resuming nsecvalidate
> validating @0x96eb800: www.stern.de.dnssec.iks-jena.de DLV: in checkwildcard: *.de.dnssec.iks-jena.de
> validating @0x96eb800: www.stern.de.dnssec.iks-jena.de DLV: looking for relevant nsec
> validating @0x96eb800: www.stern.de.dnssec.iks-jena.de DLV: NSEC does not cover name, before NSEC
> validating @0x96eb800: www.stern.de.dnssec.iks-jena.de DLV: looking for relevant nsec
> validating @0x96eb800: www.stern.de.dnssec.iks-jena.de DLV: nsec range ok
> validating @0x96eb800: www.stern.de.dnssec.iks-jena.de DLV: nonexistence proof(s) found
> validator @0x96eb800: dns_validator_destroy
> validating @0x8c12800: www.stern.de A: in dlvfetched: ncache nxdomain
> validating @0x8c12800: www.stern.de A: looking for DLV stern.de.dnssec.iks-jena.de
> validating @0x8c12800: www.stern.de A: DNS_R_COVERINGNSEC
> validating @0x8c12800: www.stern.de A: covering nsec found: 'stern.de.dnssec.iks-jena.de' 'steps-jena.de.dnssec.iks-jena.de' 'supracon.de.dnssec.iks-jena.de'
> validating @0x8c12800: www.stern.de A: looking for DLV de.dnssec.iks-jena.de
> validating @0x8c12800: www.stern.de A: DLV lookup: wait
> validating @0x96eb800: de.dnssec.iks-jena.de DLV: starting
> validating @0x96eb800: de.dnssec.iks-jena.de DLV: attempting negative response validation
> validating @0x96ec000: dnssec.iks-jena.de SOA: starting
> validating @0x96ec000: dnssec.iks-jena.de SOA: attempting positive response validation
> validating @0x96ec000: dnssec.iks-jena.de SOA: keyset with trust 7
> validating @0x96ec000: dnssec.iks-jena.de SOA: verify rdataset (keyid=51362): success
> validating @0x96ec000: dnssec.iks-jena.de SOA: marking as secure
> validator @0x96ec000: dns_validator_destroy
> validating @0x96eb800: de.dnssec.iks-jena.de DLV: in authvalidated
> validating @0x96eb800: de.dnssec.iks-jena.de DLV: resuming nsecvalidate
> validating @0x96ec000: mou.cz.dnssec.iks-jena.de NSEC: starting
> validating @0x96ec000: mou.cz.dnssec.iks-jena.de NSEC: attempting positive response validation
> validating @0x96ec000: mou.cz.dnssec.iks-jena.de NSEC: keyset with trust 7
> validating @0x96ec000: mou.cz.dnssec.iks-jena.de NSEC: verify rdataset (keyid=51362): success
> validating @0x96ec000: mou.cz.dnssec.iks-jena.de NSEC: marking as secure
> validator @0x96ec000: dns_validator_destroy
> validating @0x96eb800: de.dnssec.iks-jena.de DLV: in authvalidated
> validating @0x96eb800: de.dnssec.iks-jena.de DLV: looking for relevant nsec
> validating @0x96eb800: de.dnssec.iks-jena.de DLV: nsec proves name exist (empty)
> validating @0x96eb800: de.dnssec.iks-jena.de DLV: resuming nsecvalidate
> validating @0x96eb800: de.dnssec.iks-jena.de DLV: nonexistence proof(s) found
> validator @0x96eb800: dns_validator_destroy
> validating @0x8c12800: www.stern.de A: in dlvfetched: ncache nxrrset
> validating @0x8c12800: www.stern.de A: looking for DLV dnssec.iks-jena.de
> validating @0x8c12800: www.stern.de A: DLV not found
> validating @0x8c12800: www.stern.de A: marking as answer
> validator @0x8c12800: dns_validator_destroy
>
> validating @0xa5ee800: www.vam.hu A: starting
> validating @0xa5ee800: www.vam.hu A: looking for DLV
> validating @0xa5ee800: www.vam.hu A: plain DNSSEC returns unsecure (.): looking for DLV
> validating @0xa5ee800: www.vam.hu A: looking for DLV www.vam.hu.dnssec.iks-jena.de
> validating @0xa5ee800: www.vam.hu A: DNS_R_COVERINGNSEC
> validating @0xa5ee800: www.vam.hu A: covering nsec found: 'www.vam.hu.dnssec.iks-jena.de' 'epages.hk.dnssec.iks-jena.de' 'rubin.org.il.dnssec.iks-jena.de'
> validating @0xa5ee800: www.vam.hu A: looking for DLV vam.hu.dnssec.iks-jena.de
> validating @0xa5ee800: www.vam.hu A: DNS_R_COVERINGNSEC
> validating @0xa5ee800: www.vam.hu A: covering nsec found: 'vam.hu.dnssec.iks-jena.de' 'epages.hk.dnssec.iks-jena.de' 'rubin.org.il.dnssec.iks-jena.de'
> validating @0xa5ee800: www.vam.hu A: looking for DLV hu.dnssec.iks-jena.de
> validating @0xa5ee800: www.vam.hu A: DNS_R_COVERINGNSEC
> validating @0xa5ee800: www.vam.hu A: covering nsec found: 'hu.dnssec.iks-jena.de' 'epages.hk.dnssec.iks-jena.de' 'rubin.org.il.dnssec.iks-jena.de'
> validating @0xa5ee800: www.vam.hu A: looking for DLV dnssec.iks-jena.de
> validating @0xa5ee800: www.vam.hu A: DLV not found
> validating @0xa5ee800: www.vam.hu A: marking as answer
> validator @0xa5ee800: dns_validator_destroy
>
> ####
>
> My interpretation:
> When the data from the internal slave zone are read, the return value may
> be DNS_R_EMPTYNAME, but the validator does not expect this.
>
> Additional note:
> During my tests I discovered different result codes for non-existent
> DLV records, depending on whether other entries exist or not. This
> can also be seen on the ISC server:
>
> ; <<>> DiG 9.4.2 <<>> @ns-ext.isc.org. hu.dlv.isc.org. DLV
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 17889
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 9, ADDITIONAL: 1
> ...
> ;; SERVER: 2001:4f8:0:2::13#53(2001:4f8:0:2::13)
>
>
> ; <<>> DiG 9.4.2 <<>> @ns-ext.isc.org. de.dlv.isc.org. DLV
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7813
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1
> ...
> ;; SERVER: 2001:4f8:0:2::13#53(2001:4f8:0:2::13)
>
>
> ; <<>> DiG 9.4.2 <<>> @ns-ext.isc.org. www.stern.de.dlv.isc.org. DLV
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 45108
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 9, ADDITIONAL: 1
> ;; SERVER: 2001:4f8:0:2::13#53(2001:4f8:0:2::13)
>
>
> Is the NOERROR response without an answer record the expected value?
>
> Now I'll ask my final question: is this an error in my configuration,
> or does it look like a problem in BIND itself?
>
> Regards,
> Frank
>
> --
> Frank Behrens, Osterwieck, Germany
> PGP-key 0x5B7C47ED on public servers available.
>
>

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org
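The label walk the logs above show (www.stern.de.dnssec.iks-jena.de, then stern.de..., then de..., then the DLV apex) and the two kinds of negative answer Frank ran into (NXDOMAIN for hu.dlv.isc.org, NOERROR with an empty answer section for de.dlv.isc.org) can be modelled in a few lines. The following is an added example, not code from BIND or from either message in this thread. The zone contents are constructed: the owner names are the ones the NSEC records in the log show to exist in dnssec.iks-jena.de, and the DLV rdata is a placeholder. The EMPTYNAME outcome is this model's stand-in for the "empty name" result the slave-zone log reports at de.dnssec.iks-jena.de; the example does not claim to reproduce how named handles that result internally.

```python
"""Model of the DLV (RFC 4431) lookup walk and of the negative answers it
can meet. Added illustration; not code from BIND or from the messages above."""

# Lookup outcomes for one (name, type) pair.
NXDOMAIN = "NXDOMAIN"    # the name does not exist at all
NODATA = "NODATA"        # the name exists but has no record of that type
EMPTYNAME = "EMPTYNAME"  # empty non-terminal: nothing at the name, but names below it
FOUND = "FOUND"          # a record of the requested type is present

# Constructed DLV zone. The owner names are those the NSEC records in the
# log show to exist; the rdata strings are placeholders, not real keys.
DLV_APEX = "dnssec.iks-jena.de"
_FAKE_DLV = "12345 5 1 0123456789abcdef0123456789abcdef01234567"
DLV_ZONE = {
    "dnssec.iks-jena.de": {"SOA": ["ns.dnssec.iks-jena.de. hostmaster.dnssec.iks-jena.de. 1 3600 900 604800 3600"]},
    "steps-jena.de.dnssec.iks-jena.de": {"DLV": [_FAKE_DLV]},
    "supracon.de.dnssec.iks-jena.de": {"DLV": [_FAKE_DLV]},
    "mou.cz.dnssec.iks-jena.de": {"DLV": [_FAKE_DLV]},
    "epages.hk.dnssec.iks-jena.de": {"DLV": [_FAKE_DLV]},
    "rubin.org.il.dnssec.iks-jena.de": {"DLV": [_FAKE_DLV]},
}


def _labels(name):
    return [label for label in name.rstrip(".").split(".") if label]


def dlv_candidates(qname, dlv_domain=DLV_APEX):
    """Names the validator tries for qname, most specific first, ending at the
    DLV apex itself: the sequence the log shows for www.stern.de and www.vam.hu."""
    labels = _labels(qname)
    apex = ".".join(_labels(dlv_domain))
    return [".".join(labels[i:] + [apex]) for i in range(len(labels))] + [apex]


def lookup(zone, apex, name, rtype):
    """Classify what a lookup of (name, rtype) finds in an in-memory zone.
    Returns (outcome, rdata list)."""
    if name != apex and not name.endswith("." + apex):
        raise ValueError("%s is not inside zone %s" % (name, apex))
    rrsets = zone.get(name)
    if rrsets is not None:
        if rtype in rrsets:
            return FOUND, rrsets[rtype]
        return NODATA, []
    # Nothing owned by the name itself; does anything exist below it?
    if any(owner.endswith("." + name) for owner in zone):
        return EMPTYNAME, []
    return NXDOMAIN, []


def wire_response(outcome, rdata):
    """The same outcome as a resolver sees it on the wire: (rcode, ANSWER count).
    An empty non-terminal is answered NOERROR with an empty answer section,
    indistinguishable from NODATA; only a local database lookup tells them apart."""
    if outcome == NXDOMAIN:
        return "NXDOMAIN", 0
    return "NOERROR", len(rdata) if outcome == FOUND else 0


def dlv_walk(zone, apex, qname, stop_on_empty_name):
    """Walk the DLV candidates for qname. Returns (status, trace), trace being
    the (candidate, outcome) pairs tried. 'dlv-found': a DLV record was located.
    'insecure': the walk reached the apex without one (the log's 'DLV not found'
    / 'marking as answer'). 'servfail': the walk was aborted at an empty
    non-terminal, which is where the slave-zone log stops."""
    trace = []
    for candidate in dlv_candidates(qname, apex):
        outcome, _ = lookup(zone, apex, candidate, "DLV")
        trace.append((candidate, outcome))
        if outcome == FOUND:
            return "dlv-found", trace
        if outcome == EMPTYNAME and stop_on_empty_name:
            return "servfail", trace
    return "insecure", trace


if __name__ == "__main__":
    for qname in ("www.stern.de", "www.vam.hu"):
        for stop in (True, False):
            status, trace = dlv_walk(DLV_ZONE, DLV_APEX, qname, stop)
            print(qname, "stop_on_empty_name=%s" % stop, "->", status)
            for candidate, outcome in trace:
                print("    %-40s %-10s on the wire: %s" % (candidate, outcome, wire_response(outcome, [])[0]))
```

With stop_on_empty_name=True the walk for www.stern.de ends after three candidates at de.dnssec.iks-jena.de, matching the slave-zone log; with False it continues to the apex, gets NODATA there and ends as "insecure", matching the remote-lookup log. www.vam.hu never meets an empty non-terminal (nothing in the constructed zone sits below hu) and ends as "insecure" either way. wire_response shows why a query to an authoritative server answers NOERROR with no answer records for a name that only exists because of names below it, and NXDOMAIN for a name with nothing below it.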