[nsd-users] intentional bad DNSSEC and NSEC3

Michael A. Peters mpeters at domblogger.net
Mon Apr 10 09:50:41 UTC 2017


On 04/10/2017 02:42 AM, Jelte Jansen wrote:
> On 2017-04-09 06:54, Michael A. Peters wrote:
>> Hello list,
>>
>> I am attempting to create a single record in a zone file that will not
>> DNSSEC validate. The purpose of this is to give myself a means of
>> checking DNSSEC validation on my local systems.
>>
>> What I am doing is creating both an A and AAAA record with the name
>> ffinvalid and then after signing the zone, using sed to change ffinvalid
>> to invalid.
>>
>> What I don't know is what impact, if any, that will have on NSEC3
>> records. Will that break my NSEC3 records?
>
> yes the NSEC(3) chain will be broken then too; it will point to the
> nonexistent ffinvalid name and not mention the now existing invalid name.
>
> If you only want to create one bogus RRSIG for that name, and still have
> everything else be correct, it is probably better to either change the
> signature data in the RRSIG, or the rdata field of the ffinvalid record
> (e.g. give ffinvalid A an address 192.0.2.1 and use sed to change it to
> 192.0.2.2, and similar for the AAAA) after signing.
>
> Jelte
>

Changing the IP address makes much more sense, just as easy too. Thank you.
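As an added illustration of the approach agreed on above (this is example code written for this page, not anything posted in the thread or shipped with NSD), the POSIX shell below takes a signed zone and rewrites only the rdata of the ffinvalid A and AAAA records, leaving every RRSIG and NSEC3 line byte-for-byte as the signer emitted it. The zone fragment it writes is constructed: the owner names, the 192.0.2.1 to 192.0.2.2 change and the AAAA analogue come from the thread, while the RRSIG signature fields and NSEC3 hashes are placeholder strings, not real cryptographic values. Matching on exact fields rather than a bare `sed` substitution avoids accidentally touching an RRSIG or NSEC3 line that happens to contain the same text.

```shell
#!/bin/sh
# Added example: make exactly one name in a signed zone fail DNSSEC validation
# by changing its rdata after signing. The RRSIG over the old rdata is kept, so
# a validator sees a bogus signature for that name only; the NSEC3 chain is
# untouched because the owner name itself is not changed.

# Write a constructed "already signed" zone fragment to $1.
# RRSIG signature data and NSEC3 hashes are placeholders, not real values.
write_signed_zone() {
  cat > "$1" <<'EOF'
example.net. 3600 IN SOA ns1.example.net. hostmaster.example.net. 2017041001 7200 3600 1209600 3600
ffinvalid.example.net. 3600 IN A 192.0.2.1
ffinvalid.example.net. 3600 IN RRSIG A 13 3 3600 20170510000000 20170410000000 12345 example.net. PLACEHOLDER-A-SIG==
ffinvalid.example.net. 3600 IN AAAA 2001:db8::1
ffinvalid.example.net. 3600 IN RRSIG AAAA 13 3 3600 20170510000000 20170410000000 12345 example.net. PLACEHOLDER-AAAA-SIG==
PLACEHOLDERHASH1.example.net. 3600 IN NSEC3 1 0 10 ABCD PLACEHOLDERHASH2 A AAAA RRSIG
PLACEHOLDERHASH1.example.net. 3600 IN RRSIG NSEC3 13 3 3600 20170510000000 20170410000000 12345 example.net. PLACEHOLDER-NSEC3-SIG==
EOF
}

# break_rdata ZONE OWNER TYPE OLD_RDATA NEW_RDATA
# Rewrites the rdata of the one record whose owner, type and current rdata all
# match; every other line (RRSIG, NSEC3, SOA, ...) is printed unchanged.
break_rdata() {
  awk -v o="$2" -v t="$3" -v old="$4" -v new="$5" '
    BEGIN { OFS = " " }
    $1 == o && $4 == t && $5 == old { $5 = new }
    { print }
  ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# rdata_of ZONE OWNER TYPE -> prints the rdata field of that record
rdata_of() {
  awk -v o="$2" -v t="$3" '$1 == o && $4 == t { print $5 }' "$1"
}

# signed_chain_checksum ZONE -> checksum over all RRSIG and NSEC3 lines, used to
# prove that breaking one record left the signatures and NSEC3 chain alone
signed_chain_checksum() {
  awk '$4 == "RRSIG" || $4 == "NSEC3"' "$1" | cksum
}

# Usage (after signing the real zone with ldns-signzone or similar):
#   break_rdata example.net.signed ffinvalid.example.net. A    192.0.2.1   192.0.2.2
#   break_rdata example.net.signed ffinvalid.example.net. AAAA 2001:db8::1 2001:db8::2
# then reload the zone in NSD and query ffinvalid from a validating resolver,
# which should return SERVFAIL while every other name still validates.
```

Because only the rdata changes, `ldns-verify-zone` run on the modified file should report a signature failure for ffinvalid and nothing else; that is the quickest way to confirm the edit hit the intended record before loading it into NSD.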
