
Consistency of NSEC3PARAMS and NSEC3 chain(s)

Open manuel-domke opened this issue 10 years ago • 0 comments

Validns 0.8 reports inconsistencies in the NSEC3 chain regarding mixed hash-algorithms. Like those two NSEC3 RRs:

```
nt3p0u8gvljva4rhrfrsquk64ehkpfmi.de. 3600 IN NSEC3 2 1 16 0947e8799e2a1326 o0ck6cu1h02gebpq458pkefv1j5qdfm3 NS SOA RRSIG DNSKEY NSEC3PARAM
5pi10b6oo32ackimi5entgjkhtasdtru.de. 3600 IN NSEC3 1 1 16 0947e8799e2a1326 5q1jgrrol77ft0873j0pr9f41r5mtha3 A RRSIG
```

Unfortunately it does not detect if there is a mismatch of the salt and iterations or the Opt-In / Opt-Out Flag. Here are some examples for the cases which are not detected:

Opt-In/Opt-Out:

```
nt3p0u8gvljva4rhrfrsquk64ehkpfmi.de. 3600 IN NSEC3 1 0 16 0947e8799e2a1326 o0ck6cu1h02gebpq458pkefv1j5qdfm3 NS SOA RRSIG DNSKEY NSEC3PARAM
ljpe46seqcufhqtbho12nd877sgvohlt.de. 3600 IN NSEC3 1 1 16 0947e8799e2a1326 lm8cmbau3njoq7mhakq35btbohposf1q A RRSIG
```

Iterations:

```
nt3p0u8gvljva4rhrfrsquk64ehkpfmi.de. 3600 IN NSEC3 1 1 17 0947e8799e2a1326 o0ck6cu1h02gebpq458pkefv1j5qdfm3 NS SOA RRSIG DNSKEY NSEC3PARAM
db4dqnt03hg68utinuksrifbirrtm969.de. 3600 IN NSEC3 1 1 16 0947e8799e2a1326 dbjimap2ouup2nfmh1digdu2fbvkrof5 NS DS RRSIG
```

Salt:

```
nt3p0u8gvljva4rhrfrsquk64ehkpfmi.de. 3600 IN NSEC3 1 1 16 DEADBEEF o0ck6cu1h02gebpq458pkefv1j5qdfm3 NS SOA RRSIG DNSKEY NSEC3PARAM
vq0lr2sjgbblgehekbf6n6bv52fl3mno.de. 3600 IN NSEC3 1 1 16 0947e8799e2a1326 vvg7t4t2mqchdinbkl7b4ms8ii9l6l35 A RRSIG
```

The easiest way to check this is to check if each NSEC3-Record matches any NSEC3PARAM. This implies that all NSEC3 records matching a specific NSEC3PARAM have consistent salt and iterations.

manuel-domke, Jun 26 '15 09:06
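As an added example (not validns code and not written by the issue author), the following Python script implements the check proposed in the issue: every NSEC3 record's hash algorithm, iterations and salt must match some NSEC3PARAM record in the zone. Because NSEC3PARAM carries no Opt-Out flag (its Flags field is reserved and always zero), the Opt-Out flag cannot be checked against NSEC3PARAM; the script instead compares it between the NSEC3 records that share one parameter set and reports a chain that mixes both values. The zone apex `de.` and its NSEC3PARAM record are constructed assumptions; the NSEC3 lines are the ones quoted in the issue, and the salt is compared case-insensitively so that `DEADBEEF` and `deadbeef` count as the same salt.

```python
"""Check NSEC3 records for consistency with the zone's NSEC3PARAM record(s)."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample zone: the NSEC3PARAM line is an assumption, the NSEC3 lines are
# the mismatch examples from the issue, one record per line.
ZONE_TEXT = """\
de. 3600 IN NSEC3PARAM 1 0 16 0947e8799e2a1326
nt3p0u8gvljva4rhrfrsquk64ehkpfmi.de. 3600 IN NSEC3 2 1 16 0947e8799e2a1326 o0ck6cu1h02gebpq458pkefv1j5qdfm3 NS SOA RRSIG DNSKEY NSEC3PARAM
5pi10b6oo32ackimi5entgjkhtasdtru.de. 3600 IN NSEC3 1 1 16 0947e8799e2a1326 5q1jgrrol77ft0873j0pr9f41r5mtha3 A RRSIG
ljpe46seqcufhqtbho12nd877sgvohlt.de. 3600 IN NSEC3 1 0 16 0947e8799e2a1326 lm8cmbau3njoq7mhakq35btbohposf1q A RRSIG
db4dqnt03hg68utinuksrifbirrtm969.de. 3600 IN NSEC3 1 1 17 0947e8799e2a1326 dbjimap2ouup2nfmh1digdu2fbvkrof5 NS DS RRSIG
vq0lr2sjgbblgehekbf6n6bv52fl3mno.de. 3600 IN NSEC3 1 1 16 DEADBEEF vvg7t4t2mqchdinbkl7b4ms8ii9l6l35 A RRSIG
"""

FIELDS = ("algorithm", "iterations", "salt")


@dataclass(frozen=True)
class HashParams:
    """The three NSEC3 hashing parameters shared by NSEC3 and NSEC3PARAM."""
    algorithm: int
    iterations: int
    salt: str  # lowercase hex; "" for the "-" (no salt) presentation form


@dataclass
class Nsec3:
    owner: str
    opt_out: bool
    params: HashParams


def norm_salt(salt: str) -> str:
    """Salt hex is case-insensitive, and "-" means an empty salt."""
    return "" if salt == "-" else salt.lower()


def parse_zone(text: str):
    """Return (set of NSEC3PARAM HashParams, list of Nsec3 records) from zone text."""
    params, records = set(), []
    for line in text.splitlines():
        f = line.split()
        # owner ttl class type rdata...; ignore anything that is not an IN record
        if len(f) < 8 or f[2] != "IN":
            continue
        hp = HashParams(int(f[4]), int(f[6]), norm_salt(f[7]))
        if f[3] == "NSEC3PARAM":
            params.add(hp)
        elif f[3] == "NSEC3" and len(f) >= 9:
            records.append(Nsec3(f[0], bool(int(f[5]) & 1), hp))
    return params, records


def mismatched_fields(a: HashParams, b: HashParams):
    return [name for name in FIELDS if getattr(a, name) != getattr(b, name)]


def check_consistency(params, records):
    """Return a list of (kind, subject) findings; an empty list means consistent.

    kind is the mismatched field name(s) joined by "+", "no-nsec3param" when the
    zone has no NSEC3PARAM at all, or "opt-out" when one chain mixes both flag values.
    """
    findings = []
    opt_out_values = defaultdict(set)
    for r in records:
        if r.params not in params:
            if not params:
                findings.append(("no-nsec3param", r.owner))
            else:
                # name the fields that differ from the closest NSEC3PARAM
                best = min((mismatched_fields(r.params, p) for p in params), key=len)
                findings.append(("+".join(best), r.owner))
        opt_out_values[r.params].add(r.opt_out)
    for p, values in opt_out_values.items():
        if p in params and len(values) > 1:
            salt = p.salt or "-"
            findings.append(("opt-out", f"chain alg={p.algorithm} iter={p.iterations} salt={salt}"))
    return findings


if __name__ == "__main__":
    for kind, subject in check_consistency(*parse_zone(ZONE_TEXT)):
        print(f"{kind:12s} {subject}")
```

Run on the constructed zone it reports one finding per case from the issue: `algorithm` for the alg-2 record, `iterations` for the iterations-17 record, `salt` for the `DEADBEEF` record, and one `opt-out` finding for the chain in which the `ljpe46...` record clears the flag that the `5pi10b...` record sets. A zone with several NSEC3PARAM records (as during a parameter rollover) is handled too, since a record only needs to match one of them.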