[nsd-users] intentional bad DNSSEC and NSEC3

Jelte Jansen jelte.jansen at sidn.nl
Mon Apr 10 09:42:01 UTC 2017


On 2017-04-09 06:54, Michael A. Peters wrote:
> Hello list,
> 
> I am attempting to create a single record in a zone file that will not
> DNSSEC validate. The purpose of this is to give myself a means of
> checking DNSSEC validation on my local systems.
> 
> What I am doing is creating both an A and AAAA record with the name
> ffinvalid and then after signing the zone, using sed to change ffinvalid
> to invalid.
> 
> What I don't know is what impact, if any, that will have on NSEC3
> records. Will that break my NSEC3 records?

Yes, the NSEC(3) chain will be broken then too; it will point to the
nonexistent ffinvalid name and not mention the now-existing invalid name.

If you only want to create one bogus RRSIG for that name, and still have
everything else be correct, it is probably better to either change the
signature data in the RRSIG, or the rdata field of the ffinvalid record
(e.g. give ffinvalid A an address 192.0.2.1 and use sed to change it to
192.0.2.2, and similar for the AAAA) after signing.

Jelte
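To make the difference between the two post-signing edits concrete, here is an added example (not code from NSD, from either poster, or from any signer). It models a small constructed zone after signing, applies the "rename ffinvalid to invalid" edit and the "change the A rdata only" edit, and checks the NSEC3 chain with the real owner-name hashing of RFC 5155 section 5 (salt and iteration count taken from the RFC 5155 Appendix A test vector, so the apex hash can be verified against it). The signature side is a stand-in: a SHA-256 digest over owner, type and rdata plays the role of an RRSIG, which is enough to show which RRsets would go bogus; zone names, addresses and the RRset selection are constructed for the example, and RRSIGs over the NSEC3 records are left out.

```python
"""Which post-signing edits leave an NSEC3 chain intact? (added example)"""
import base64
import hashlib

# Base32hex (RFC 4648 s.7) via stdlib base32 plus an alphabet translation.
TO_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                            b"0123456789ABCDEFGHIJKLMNOPQRSTUV")
ZONE_NAME = "example."
SALT, ITERATIONS = "aabbccdd", 12          # NSEC3PARAM values from RFC 5155 App. A


def wire_name(name):
    """Canonical (lowercased) uncompressed wire format of a dotted name."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 s.5: H(x) = SHA1(x || salt), iterated, then Base32hex."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(TO_B32HEX).decode("ascii")


def fake_sign(owner, rtype, rdata):
    """Stand-in for an RRSIG (constructed): a digest over owner, type, rdata."""
    return hashlib.sha256(f"{owner.lower()} {rtype} {rdata}".encode()).hexdigest()[:16]


def signed_zone():
    """Constructed zone as it would look after signing, including its NSEC3 chain."""
    rrsets = [("example.", "A", "192.0.2.10"),
              ("ffinvalid.example.", "A", "192.0.2.1"),
              ("ffinvalid.example.", "AAAA", "2001:db8::1"),
              ("www.example.", "A", "192.0.2.20")]
    zone = []
    for owner, rtype, rdata in rrsets:
        zone.append({"owner": owner, "type": rtype, "rdata": rdata})
        zone.append({"owner": owner, "type": "RRSIG",
                     "rdata": f"{rtype} {fake_sign(owner, rtype, rdata)}"})
    # Hashed owners sorted (base32hex preserves binary order); each links to the next.
    hashed = sorted({nsec3_hash(o, SALT, ITERATIONS) for o, _, _ in rrsets})
    for i, h in enumerate(hashed):
        nxt = hashed[(i + 1) % len(hashed)]
        zone.append({"owner": f"{h}.{ZONE_NAME}", "type": "NSEC3",
                     "rdata": f"1 0 {ITERATIONS} {SALT} {nxt}"})
    return zone


def sed_rename(zone, old, new):
    """The rename approach: s/old/new/ over the signed zone text (hits owner names;
    hashed NSEC3 owners and the rdata here never contain the label)."""
    return [dict(rr, owner=rr["owner"].replace(old, new)) for rr in zone]


def sed_rdata(zone, owner, rtype, old, new):
    """The rdata approach: change one record's data after signing, owners untouched."""
    return [dict(rr, rdata=new)
            if (rr["owner"], rr["type"], rr["rdata"]) == (owner, rtype, old) else rr
            for rr in zone]


def nsec3_chain_problems(zone):
    """Return (names with no NSEC3 owner, NSEC3 owners no name hashes to)."""
    names = {rr["owner"] for rr in zone if rr["type"] != "NSEC3"}
    nsec3_owners = {rr["owner"] for rr in zone if rr["type"] == "NSEC3"}
    expected = {f"{nsec3_hash(n, SALT, ITERATIONS)}.{ZONE_NAME}": n for n in names}
    uncovered = sorted(n for h, n in expected.items() if h not in nsec3_owners)
    dangling = sorted(h for h in nsec3_owners if h not in expected)
    return uncovered, dangling


def bogus_rrsets(zone):
    """RRsets whose stand-in RRSIG no longer matches owner, type and data."""
    sigs = {}
    for rr in zone:
        if rr["type"] == "RRSIG":
            covered, sig = rr["rdata"].split(" ", 1)
            sigs[(rr["owner"], covered)] = sig
    return sorted((rr["owner"], rr["type"]) for rr in zone
                  if rr["type"] not in ("RRSIG", "NSEC3")
                  and sigs.get((rr["owner"], rr["type"]))
                  != fake_sign(rr["owner"], rr["type"], rr["rdata"]))


if __name__ == "__main__":
    zone = signed_zone()
    for label, edited in [("rename ffinvalid->invalid", sed_rename(zone, "ffinvalid", "invalid")),
                          ("rdata 192.0.2.1->192.0.2.2",
                           sed_rdata(zone, "ffinvalid.example.", "A", "192.0.2.1", "192.0.2.2"))]:
        print(label, "chain problems:", nsec3_chain_problems(edited),
              "bogus:", bogus_rrsets(edited))
```

The rename leaves invalid.example. with no NSEC3 owner and the old hash dangling, and both of its RRsets bogus (the owner name is part of what an RRSIG covers). The rdata edit leaves the chain untouched and makes exactly one RRset, ffinvalid.example. A, bogus, which is the single failing record the poster was after. To check the hashing against a real signer, compare nsec3_hash("example.", "aabbccdd", 12) with the apex NSEC3 owner in RFC 5155 Appendix A.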
