anonion0 / nsec3map

a tool to enumerate the resource records of a DNS zone using its DNSSEC NSEC or NSEC3 chain
GNU General Public License v3.0

Do not fail on missing GLUE records #16

Closed BenBE closed 1 year ago

BenBE commented 1 year ago

Let's consider enumerating arpa.:

# n3map -v -v -v -p arpa.
n3map 0.6.5: starting mapping of arpa.
looking up nameservers for zone arpa.
n3map: fatal: could not resolve host 'm.ns.arpa.': [Errno -2] Name or service not known

Running dig ns arpa. shows the full GLUE records, though asking for the A records directly does not yield a result:

$ dig ns arpa.
; <<>> DiG 9.18 <<>> ns arpa.
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40937
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 12, AUTHORITY: 0, ADDITIONAL: 25

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;arpa.                          IN      NS

;; ANSWER SECTION:
arpa.                   518400  IN      NS      a.ns.arpa.
arpa.                   518400  IN      NS      b.ns.arpa.
arpa.                   518400  IN      NS      c.ns.arpa.
arpa.                   518400  IN      NS      d.ns.arpa.
arpa.                   518400  IN      NS      e.ns.arpa.
arpa.                   518400  IN      NS      f.ns.arpa.
arpa.                   518400  IN      NS      g.ns.arpa.
arpa.                   518400  IN      NS      h.ns.arpa.
arpa.                   518400  IN      NS      i.ns.arpa.
arpa.                   518400  IN      NS      k.ns.arpa.
arpa.                   518400  IN      NS      l.ns.arpa.
arpa.                   518400  IN      NS      m.ns.arpa.

;; ADDITIONAL SECTION:
a.ns.arpa.              518400  IN      A       198.41.0.4
a.ns.arpa.              518400  IN      AAAA    2001:503:ba3e::2:30
b.ns.arpa.              518400  IN      A       199.9.14.201
b.ns.arpa.              518400  IN      AAAA    2001:500:200::b
c.ns.arpa.              518400  IN      A       192.33.4.12
c.ns.arpa.              518400  IN      AAAA    2001:500:2::c
d.ns.arpa.              518400  IN      A       199.7.91.13
d.ns.arpa.              518400  IN      AAAA    2001:500:2d::d
e.ns.arpa.              518400  IN      A       192.203.230.10
e.ns.arpa.              518400  IN      AAAA    2001:500:a8::e
f.ns.arpa.              518400  IN      A       192.5.5.241
f.ns.arpa.              518400  IN      AAAA    2001:500:2f::f
g.ns.arpa.              518400  IN      A       192.112.36.4
g.ns.arpa.              518400  IN      AAAA    2001:500:12::d0d
h.ns.arpa.              518400  IN      A       198.97.190.53
h.ns.arpa.              518400  IN      AAAA    2001:500:1::53
i.ns.arpa.              518400  IN      A       192.36.148.17
i.ns.arpa.              518400  IN      AAAA    2001:7fe::53
k.ns.arpa.              518400  IN      A       193.0.14.129
k.ns.arpa.              518400  IN      AAAA    2001:7fd::1
l.ns.arpa.              518400  IN      A       199.7.83.42
l.ns.arpa.              518400  IN      AAAA    2001:500:9f::42
m.ns.arpa.              518400  IN      A       202.12.27.33
m.ns.arpa.              518400  IN      AAAA    2001:dc3::35

$ dig a a.ns.arpa.
; <<>> DiG 9.18 <<>> a a.ns.arpa.
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 63802
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;a.ns.arpa.                     IN      A

;; AUTHORITY SECTION:
arpa.                   86400   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2023021200 1800 900 604800 86400

If you provide an authoritative nameserver (in this case both . and arpa. are served by essentially the same servers from root-servers.net.), there are two further issues arising:

Number one: some servers won't respond properly to queries (as can be seen with a.root-servers.net.):

$ n3map -v -v -v -p a.root-servers.net. arpa.
n3map 0.6.5: starting mapping of arpa.
checking SOA...
query: arpa.; ns = 198.41.0.4 (a.root-servers.net.); rrtype = SOA
warning: timeout reached when waiting for response from 198.41.0.4 (a.root-servers.net.), 4 retries left
query: arpa.; ns = 198.41.0.4 (a.root-servers.net.); rrtype = SOA
warning: timeout reached when waiting for response from 198.41.0.4 (a.root-servers.net.), 3 retries left
query: arpa.; ns = 198.41.0.4 (a.root-servers.net.); rrtype = SOA
warning: timeout reached when waiting for response from 198.41.0.4 (a.root-servers.net.), 2 retries left
query: arpa.; ns = 198.41.0.4 (a.root-servers.net.); rrtype = SOA
warning: timeout reached when waiting for response from 198.41.0.4 (a.root-servers.net.), 1 retries left
query: arpa.; ns = 198.41.0.4 (a.root-servers.net.); rrtype = SOA
warning: timeout reached when waiting for response from 198.41.0.4 (a.root-servers.net.), 0 retries left
warning: removed misbehaving/unresponsive nameserver 198.41.0.4 (a.root-servers.net.)
n3map: fatal: ran out of working nameservers!

Number two can be seen with b.root-servers.net.:

$ n3map -v -v -v -p b.root-servers.net. arpa.
n3map 0.6.5: starting mapping of arpa.
checking SOA...
query: arpa.; ns = 199.9.14.201 (b.root-servers.net.); rrtype = SOA
checking DNSKEY...
query: arpa.; ns = 199.9.14.201 (b.root-servers.net.); rrtype = DNSKEY
detecting zone type...
query: c2ddce000b916320.arpa.; ns = 199.9.14.201 (b.root-servers.net.); rrtype = A
zone uses NSEC records
starting enumeration in mixed query mode...
query: arpa.; ns = 199.9.14.201 (b.root-servers.net.); rrtype = NSEC
received NSEC RR: arpa. 86400   IN      NSEC    as112.arpa.     NS SOA RRSIG NSEC DNSKEY
covering NSEC RR found: arpa.   86400   IN      NSEC    as112.arpa.     NS SOA RRSIG NSEC DNSKEY
discovered owner: arpa. NS SOA RRSIG NSEC DNSKEY
query: as112.arpa.; ns = 199.9.14.201 (b.root-servers.net.); rrtype = NSEC
error: no NSEC RR received
Maybe the zone doesn't support DNSSEC or uses NSEC3 RRs
or the server 199.9.14.201 (b.root-servers.net.) does not allow NSEC queries.
Perhaps try using --query-mode=A
warning: 0 errors left for 199.9.14.201 (b.root-servers.net.)
warning: removed misbehaving/unresponsive nameserver 199.9.14.201 (b.root-servers.net.)
;; walking arpa.: records =   1; queries =   5; ................................................................................................................................. q/s = 39 ;;
n3map: fatal: ran out of working nameservers!

Only with c.root-servers.net. (and the others in the NS RRset), the enumeration succeeds:

$ n3map -v -v -v -p c.root-servers.net. arpa.
n3map 0.6.5: starting mapping of arpa.
checking SOA...
query: arpa.; ns = 192.33.4.12 (c.root-servers.net.); rrtype = SOA
checking DNSKEY...
query: arpa.; ns = 192.33.4.12 (c.root-servers.net.); rrtype = DNSKEY
detecting zone type...
query: 2dde43efde20eedf.arpa.; ns = 192.33.4.12 (c.root-servers.net.); rrtype = A
zone uses NSEC records
starting enumeration in mixed query mode...
query: arpa.; ns = 192.33.4.12 (c.root-servers.net.); rrtype = NSEC
received NSEC RR: arpa. 86400   IN      NSEC    as112.arpa.     NS SOA RRSIG NSEC DNSKEY
covering NSEC RR found: arpa.   86400   IN      NSEC    as112.arpa.     NS SOA RRSIG NSEC DNSKEY
discovered owner: arpa. NS SOA RRSIG NSEC DNSKEY
query: as112.arpa.; ns = 192.33.4.12 (c.root-servers.net.); rrtype = NSEC
received NSEC RR: as112.arpa.   86400   IN      NSEC    e164.arpa.      NS DS RRSIG NSEC
covering NSEC RR found: as112.arpa.     86400   IN      NSEC    e164.arpa.      NS DS RRSIG NSEC
discovered owner: as112.arpa.   NS DS RRSIG NSEC
query: e164.arpa.; ns = 192.33.4.12 (c.root-servers.net.); rrtype = NSEC
received NSEC RR: e164.arpa.    86400   IN      NSEC    home.arpa.      NS DS RRSIG NSEC
covering NSEC RR found: e164.arpa.      86400   IN      NSEC    home.arpa.      NS DS RRSIG NSEC
discovered owner: e164.arpa.    NS DS RRSIG NSEC
query: home.arpa.; ns = 192.33.4.12 (c.root-servers.net.); rrtype = NSEC
received NSEC RR: home.arpa.    86400   IN      NSEC    in-addr.arpa.   NS RRSIG NSEC
covering NSEC RR found: home.arpa.      86400   IN      NSEC    in-addr.arpa.   NS RRSIG NSEC
discovered owner: home.arpa.    NS RRSIG NSEC
query: in-addr.arpa.; ns = 192.33.4.12 (c.root-servers.net.); rrtype = NSEC
received NSEC RR: in-addr.arpa. 86400   IN      NSEC    in-addr-servers.arpa.   NS DS RRSIG NSEC
covering NSEC RR found: in-addr.arpa.   86400   IN      NSEC    in-addr-servers.arpa.   NS DS RRSIG NSEC
discovered owner: in-addr.arpa. NS DS RRSIG NSEC
query: in-addr-servers.arpa.; ns = 192.33.4.12 (c.root-servers.net.); rrtype = NSEC
received NSEC RR: in-addr-servers.arpa. 86400   IN      NSEC    ip6.arpa.       NS DS RRSIG NSEC
covering NSEC RR found: in-addr-servers.arpa.   86400   IN      NSEC    ip6.arpa.       NS DS RRSIG NSEC
discovered owner: in-addr-servers.arpa. NS DS RRSIG NSEC
query: ip6.arpa.; ns = 192.33.4.12 (c.root-servers.net.); rrtype = NSEC
received NSEC RR: ip6.arpa.     86400   IN      NSEC    ip6-servers.arpa.       NS DS RRSIG NSEC
covering NSEC RR found: ip6.arpa.       86400   IN      NSEC    ip6-servers.arpa.       NS DS RRSIG NSEC
discovered owner: ip6.arpa.     NS DS RRSIG NSEC
query: ip6-servers.arpa.; ns = 192.33.4.12 (c.root-servers.net.); rrtype = NSEC
received NSEC RR: ip6-servers.arpa.     86400   IN      NSEC    ipv4only.arpa.  NS DS RRSIG NSEC
covering NSEC RR found: ip6-servers.arpa.       86400   IN      NSEC    ipv4only.arpa.  NS DS RRSIG NSEC
discovered owner: ip6-servers.arpa.     NS DS RRSIG NSEC
query: ipv4only.arpa.; ns = 192.33.4.12 (c.root-servers.net.); rrtype = NSEC
received NSEC RR: ipv4only.arpa.        86400   IN      NSEC    iris.arpa.      NS RRSIG NSEC
covering NSEC RR found: ipv4only.arpa.  86400   IN      NSEC    iris.arpa.      NS RRSIG NSEC
discovered owner: ipv4only.arpa.        NS RRSIG NSEC
query: iris.arpa.; ns = 192.33.4.12 (c.root-servers.net.); rrtype = NSEC
received NSEC RR: iris.arpa.    86400   IN      NSEC    a.ns.arpa.      NS DS RRSIG NSEC
covering NSEC RR found: iris.arpa.      86400   IN      NSEC    a.ns.arpa.      NS DS RRSIG NSEC
discovered owner: iris.arpa.    NS DS RRSIG NSEC
query: a.ns.arpa.; ns = 192.33.4.12 (c.root-servers.net.); rrtype = NSEC
received NSEC RR: a.ns.arpa.    86400   IN      NSEC    b.ns.arpa.      A AAAA RRSIG NSEC
covering NSEC RR found: a.ns.arpa.      86400   IN      NSEC    b.ns.arpa.      A AAAA RRSIG NSEC
discovered owner: a.ns.arpa.    A AAAA RRSIG NSEC
query: b.ns.arpa.; ns = 192.33.4.12 (c.root-servers.net.); rrtype = NSEC
received NSEC RR: b.ns.arpa.    86400   IN      NSEC    c.ns.arpa.      A AAAA RRSIG NSEC
covering NSEC RR found: b.ns.arpa.      86400   IN      NSEC    c.ns.arpa.      A AAAA RRSIG NSEC
discovered owner: b.ns.arpa.    A AAAA RRSIG NSEC
query: c.ns.arpa.; ns = 192.33.4.12 (c.root-servers.net.); rrtype = NSEC
received NSEC RR: c.ns.arpa.    86400   IN      NSEC    d.ns.arpa.      A AAAA RRSIG NSEC
covering NSEC RR found: c.ns.arpa.      86400   IN      NSEC    d.ns.arpa.      A AAAA RRSIG NSEC
discovered owner: c.ns.arpa.    A AAAA RRSIG NSEC
query: d.ns.arpa.; ns = 192.33.4.12 (c.root-servers.net.); rrtype = NSEC
received NSEC RR: d.ns.arpa.    86400   IN      NSEC    e.ns.arpa.      A AAAA RRSIG NSEC
covering NSEC RR found: d.ns.arpa.      86400   IN      NSEC    e.ns.arpa.      A AAAA RRSIG NSEC
discovered owner: d.ns.arpa.    A AAAA RRSIG NSEC
query: e.ns.arpa.; ns = 192.33.4.12 (c.root-servers.net.); rrtype = NSEC
received NSEC RR: e.ns.arpa.    86400   IN      NSEC    f.ns.arpa.      A AAAA RRSIG NSEC
covering NSEC RR found: e.ns.arpa.      86400   IN      NSEC    f.ns.arpa.      A AAAA RRSIG NSEC
discovered owner: e.ns.arpa.    A AAAA RRSIG NSEC
query: f.ns.arpa.; ns = 192.33.4.12 (c.root-servers.net.); rrtype = NSEC
received NSEC RR: f.ns.arpa.    86400   IN      NSEC    g.ns.arpa.      A AAAA RRSIG NSEC
covering NSEC RR found: f.ns.arpa.      86400   IN      NSEC    g.ns.arpa.      A AAAA RRSIG NSEC
discovered owner: f.ns.arpa.    A AAAA RRSIG NSEC
query: g.ns.arpa.; ns = 192.33.4.12 (c.root-servers.net.); rrtype = NSEC
received NSEC RR: g.ns.arpa.    86400   IN      NSEC    h.ns.arpa.      A AAAA RRSIG NSEC
covering NSEC RR found: g.ns.arpa.      86400   IN      NSEC    h.ns.arpa.      A AAAA RRSIG NSEC
discovered owner: g.ns.arpa.    A AAAA RRSIG NSEC
query: h.ns.arpa.; ns = 192.33.4.12 (c.root-servers.net.); rrtype = NSEC
received NSEC RR: h.ns.arpa.    86400   IN      NSEC    i.ns.arpa.      A AAAA RRSIG NSEC
covering NSEC RR found: h.ns.arpa.      86400   IN      NSEC    i.ns.arpa.      A AAAA RRSIG NSEC
discovered owner: h.ns.arpa.    A AAAA RRSIG NSEC
query: i.ns.arpa.; ns = 192.33.4.12 (c.root-servers.net.); rrtype = NSEC
received NSEC RR: i.ns.arpa.    86400   IN      NSEC    k.ns.arpa.      A AAAA RRSIG NSEC
covering NSEC RR found: i.ns.arpa.      86400   IN      NSEC    k.ns.arpa.      A AAAA RRSIG NSEC
discovered owner: i.ns.arpa.    A AAAA RRSIG NSEC
query: k.ns.arpa.; ns = 192.33.4.12 (c.root-servers.net.); rrtype = NSEC
received NSEC RR: k.ns.arpa.    86400   IN      NSEC    l.ns.arpa.      A AAAA RRSIG NSEC
covering NSEC RR found: k.ns.arpa.      86400   IN      NSEC    l.ns.arpa.      A AAAA RRSIG NSEC
discovered owner: k.ns.arpa.    A AAAA RRSIG NSEC
query: l.ns.arpa.; ns = 192.33.4.12 (c.root-servers.net.); rrtype = NSEC
received NSEC RR: l.ns.arpa.    86400   IN      NSEC    m.ns.arpa.      A AAAA RRSIG NSEC
covering NSEC RR found: l.ns.arpa.      86400   IN      NSEC    m.ns.arpa.      A AAAA RRSIG NSEC
discovered owner: l.ns.arpa.    A AAAA RRSIG NSEC
query: m.ns.arpa.; ns = 192.33.4.12 (c.root-servers.net.); rrtype = NSEC
received NSEC RR: m.ns.arpa.    86400   IN      NSEC    uri.arpa.       A AAAA RRSIG NSEC
covering NSEC RR found: m.ns.arpa.      86400   IN      NSEC    uri.arpa.       A AAAA RRSIG NSEC
discovered owner: m.ns.arpa.    A AAAA RRSIG NSEC
query: uri.arpa.; ns = 192.33.4.12 (c.root-servers.net.); rrtype = NSEC
received NSEC RR: uri.arpa.     86400   IN      NSEC    urn.arpa.       NS DS RRSIG NSEC
covering NSEC RR found: uri.arpa.       86400   IN      NSEC    urn.arpa.       NS DS RRSIG NSEC
discovered owner: uri.arpa.     NS DS RRSIG NSEC
query: urn.arpa.; ns = 192.33.4.12 (c.root-servers.net.); rrtype = NSEC
received NSEC RR: urn.arpa.     86400   IN      NSEC    arpa.   NS DS RRSIG NSEC
covering NSEC RR found: urn.arpa.       86400   IN      NSEC    arpa.   NS DS RRSIG NSEC
discovered owner: urn.arpa.     NS DS RRSIG NSEC
;; walking arpa.: records =  24; queries =  28; ................................................................................................................................. q/s = 30 ;;
finished mapping of arpa. in 0:00:03.463583

Would be nice if the resolution of (working) nameservers could be made more robust for cases like this.

anonion0 commented 1 year ago

This may be an issue with your DNS resolver. n3map simply relies on the system's configured resolver to get the nameserver IPs. The recursive nameserver doing the actual name resolution should be able to correctly resolve the nameserver's A records (whether glue records are involved or not). I tested various recursive nameservers, and they can resolve it no problem. Even Google's public resolver can do it:

$ dig @8.8.8.8 a.ns.arpa A
[..]
;; ANSWER SECTION:
a.ns.arpa.      87098   IN  A   198.41.0.4
[..]

Are you using a public resolver by any chance? It would be interesting to see what happens when you turn DNSSEC validation on (pretty sure the validation will fail for that NXDOMAIN response).

Of course, issues with the system resolver could be avoided by adding a full iterative resolver to n3map, but I really don't want to do that (maybe if dnspython had one already...).

For the other two issues:

The basic idea is to just let n3map cycle through the available nameservers and it will stop using those that do not answer correctly (configurable using --max-retries and --max-errors).

If the resolution of nameservers fails, you can specify them manually and get the same behavior, e.g.:

n3map -vv -o arpa.zone {a..m}.root-servers.net arpa

The issue you had with b.root-servers.net is because by default, n3map tries to enumerate NSEC zones by making direct NSEC queries as well as the occasional A query to avoid descending into sub-zones (e.g. you can see it skip over arpa. when you enumerate the root zone). But some servers do not allow queries for NSEC records at all (only a handful of the root servers do).

The command above will spit out a bunch of errors for all the servers that don't respond to NSEC queries, but should then succeed using the remaining ones.

Alternatively, you could use --query-mode=A (short -A), which will only make A queries (but requires roughly 2x as many queries total):

n3map -Avv -o arpa.zone b.root-servers.net arpa
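
The nameserver rotation and the NSEC-vs-A query-mode behaviour described in the comment above, as an added example written for this page (not n3map's own code): an in-memory model of an NSEC walk over arpa. with three simulated servers that behave the way a., b. and c.root-servers.net did in the issue. The owner-name chain is copied from the walk output above; the server behaviours, the default `max_retries`/`max_errors` values and the `\000.<owner>` probe name used in A mode are assumptions of this model, not n3map internals.

```python
"""In-memory model of an NSEC zone walk with nameserver rotation.

Added example for this issue; it is not n3map's code. It reproduces the
behaviour described above: cycle through the given nameservers, drop a server
after too many timeouts or bad answers, and walk the chain either with direct
NSEC queries or (query_mode="A") with A queries for non-existent names whose
NXDOMAIN answer carries the covering NSEC record."""

# Constructed data: the 24 owner names of arpa. in the order the NSEC chain
# links them, copied from the walk in the issue. The last one wraps to the apex.
ARPA_CHAIN = [
    "arpa.", "as112.arpa.", "e164.arpa.", "home.arpa.", "in-addr.arpa.",
    "in-addr-servers.arpa.", "ip6.arpa.", "ip6-servers.arpa.", "ipv4only.arpa.",
    "iris.arpa.", "a.ns.arpa.", "b.ns.arpa.", "c.ns.arpa.", "d.ns.arpa.",
    "e.ns.arpa.", "f.ns.arpa.", "g.ns.arpa.", "h.ns.arpa.", "i.ns.arpa.",
    "k.ns.arpa.", "l.ns.arpa.", "m.ns.arpa.", "uri.arpa.", "urn.arpa.",
]
NEXT = {o: ARPA_CHAIN[(i + 1) % len(ARPA_CHAIN)] for i, o in enumerate(ARPA_CHAIN)}


class Timeout(Exception):
    """The server never answered (what a.root-servers.net did in the issue)."""


class Server:
    """Simulated authoritative server for arpa. with one of three behaviours
    seen in the issue: "ok" answers everything, "timeout" never answers,
    "no-nsec" answers A queries but gives nothing for direct NSEC queries
    (assumed model of b.root-servers.net)."""

    def __init__(self, name, behaviour="ok"):
        self.name, self.behaviour = name, behaviour

    def query(self, qname, rrtype):
        """Return the NSEC RR (owner, next) the response carries, or None."""
        if self.behaviour == "timeout":
            raise Timeout(self.name)
        if rrtype == "NSEC":
            if self.behaviour == "no-nsec" or qname not in NEXT:
                return None
            return (qname, NEXT[qname])
        # A query. The walker asks for "\000.<owner>", the smallest possible
        # child of <owner>; it does not exist, so a server answers NXDOMAIN
        # with the covering NSEC (<owner>'s own) in the AUTHORITY section.
        # A real server finds that record by canonical name ordering and would
        # return a referral instead at delegation points; this model just
        # strips the probe label and ignores delegations.
        parent = qname.split(".", 1)[1]
        return (parent, NEXT[parent]) if parent in NEXT else None


def walk(zone, servers, query_mode="NSEC", max_retries=5, max_errors=1):
    """Walk the NSEC chain of `zone` from the apex until it wraps around,
    cycling through `servers`. A server is dropped after `max_retries`
    timeouts or `max_errors` unusable answers, the role n3map's
    --max-retries/--max-errors play; the default values here are assumptions
    chosen to match the log lines quoted in the issue.
    Returns (owners in chain order, log lines)."""
    pool = list(servers)
    budget = {s.name: [max_retries, max_errors] for s in pool}
    owners, log, owner, turn = [], [], zone, 0
    while True:
        if not pool:
            raise RuntimeError("ran out of working nameservers!")
        srv = pool[turn % len(pool)]
        turn += 1
        if query_mode == "A":
            qname, rrtype = "\\000." + owner, "A"
        else:
            qname, rrtype = owner, "NSEC"
        try:
            rr = srv.query(qname, rrtype)
        except Timeout:
            budget[srv.name][0] -= 1
            log.append(f"timeout from {srv.name}, {budget[srv.name][0]} retries left")
            if budget[srv.name][0] <= 0:
                pool.remove(srv)
                log.append(f"removed {srv.name}")
            continue
        if rr is None or rr[0] != owner:
            budget[srv.name][1] -= 1
            log.append(f"no NSEC RR received from {srv.name}, {budget[srv.name][1]} errors left")
            if budget[srv.name][1] <= 0:
                pool.remove(srv)
                log.append(f"removed {srv.name}")
            continue
        owners.append(owner)
        owner = rr[1]
        if owner == zone:  # chain wrapped around to the apex: walk complete
            return owners, log


if __name__ == "__main__":
    pool = [Server("a.root-servers.net.", "timeout"),
            Server("b.root-servers.net.", "no-nsec"),
            Server("c.root-servers.net.")]
    found, lines = walk("arpa.", pool)
    print("\n".join(lines))
    print(f"records = {len(found)}: {' '.join(found)}")
```

Run as-is, the model drops the timing-out server after five retries and the NSEC-refusing one after its first bad answer, then completes the 24-owner walk on the remaining server; with only the "no-nsec" server and `query_mode="A"` the walk still succeeds, while the same server in NSEC mode ends in "ran out of working nameservers!".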

BenBE commented 1 year ago

I'll have a look if I can manage to capture a pcap of the initial NS resolution phase for that zone.

Though I can reproduce this issue directly by calling dig with 1.1.1.1 as the nameserver:

$ dig @1.1.1.1 a b.ns.arpa.

; <<>> DiG 9.18 <<>> @1.1.1.1 a b.ns.arpa.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 32966
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;b.ns.arpa.                     IN      A

;; AUTHORITY SECTION:
arpa.                   86400   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2023021301 1800 900 604800 86400

;; Query time: 11 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Tue Feb 14 00:34:54 CET 2023
;; MSG SIZE  rcvd: 114

$ dig +dnssec @1.1.1.1 a b.ns.arpa.

; <<>> DiG 9.18 <<>> +dnssec @1.1.1.1 a b.ns.arpa.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 48380
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;b.ns.arpa.                     IN      A

;; AUTHORITY SECTION:
arpa.                   86400   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2023021301 1800 900 604800 86400
arpa.                   86400   IN      RRSIG   SOA 8 1 86400 20230226180000 20230213170000 13759 arpa. Vho+SP4yE3eH/YGjL/ggoGlY3iBAU6b2jZ/mAGYZul3beBcvhXvqIq/B lMdWu1iB2+XwECSudllBrnaazAP35r96YBGnm4ugYJbMcPyeBWG6VVp4 JxECdc8a2C0E5gQVarScH1UuFlDRrUF0r1HoPkcyRaHun0/+qAAtLi3R H4Lx3YQ6UoRheN/o8xeYpMBodryACr0lk3gyrLCUsWSlUsZUknxB2SV6 Yd7Sbdirxm9XttMLULpfPwV02++1uZSnlxva6AJ3Cdm9kYmWdPndRcHo bFqlgxIp/V/+SSvm/By0kHjNcdk7CZ2mZe9UdHDdxZtRIJf1NO/mCwbx sz7i7Q==
iris.arpa.              86400   IN      NSEC    a.ns.arpa. NS DS RRSIG NSEC
iris.arpa.              86400   IN      RRSIG   NSEC 8 2 86400 20230226180000 20230213170000 13759 arpa. Yrx2ylSzLFtjzlaz91XtcgX0Hqcbn+VXR1ODX0udj5YrDseuhPJpj/eT /fJOWWnjr+M8D6hJpTnJHESPrt2IIz4A2vbFK9TR3UHr56MD8qmIs1ZP itbFohI+IiOT7WJwc9K2e34kRdrEufo26r0+VSmwJ+dvsWqt++3ljJ6o yLTjouKetRkLKmsWvmM4nwgGFuccpBvCHoae5NPZbS3EQJYXw1UnNFWV mpKCnXQ0WEhog/1yb0BziU/pr6mXvqKf6qkxGCwwaWlv1nmzO3hfwiz/ 9NyjeExprSAWFvxM+0HCnyDl6x/BOpmK8dTyEK1fx1ve+PCL6UXAmiH9 Z5ABkw==

;; Query time: 11 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Tue Feb 14 00:35:15 CET 2023
;; MSG SIZE  rcvd: 734

I managed to work around the issues locally (with the various options mentioned).

What most confused me is that n3map seems to completely fail if even just one nameserver cannot be resolved (???) …

anonion0 commented 1 year ago

I just discovered the same thing, 1.1.1.1 really does exhibit this (weird) behavior. Validation fails of course:

$ drill -S @1.1.1.1 a.ns.arpa A
;; Number of trusted keys: 1
;; Chasing: a.ns.arpa. A

DNSSEC Trust tree:
a.ns.arpa. (A)
|---Error in denial of existence: RR not covered by the given NSEC RRs
|---arpa. (NSEC as112.arpa. NS SOA RRSIG NSEC DNSKEY )
|   |---arpa. (DNSKEY keytag: 13759 alg: 8 flags: 256)
|       |---arpa. (DNSKEY keytag: 42581 alg: 8 flags: 257)
|       |---arpa. (DS keytag: 42581 digest type: 2)
|           |---. (DNSKEY keytag: 951 alg: 8 flags: 256)
|               |---. (DNSKEY keytag: 20326 alg: 8 flags: 257)
|---Error in denial of existence: RR not covered by the given NSEC RRs
|---iris.arpa. (NSEC a.ns.arpa. NS DS RRSIG NSEC )
    |---arpa. (DNSKEY keytag: 13759 alg: 8 flags: 256)
        |---arpa. (DNSKEY keytag: 42581 alg: 8 flags: 257)
        |---arpa. (DS keytag: 42581 digest type: 2)
            |---. (DNSKEY keytag: 951 alg: 8 flags: 256)
                |---. (DNSKEY keytag: 20326 alg: 8 flags: 257)
No trusted keys found in tree: first error was: RR not covered by the given NSEC RRs
;; Chase failed.

I'm quite confused about why the server is acting this way, but IMHO it's clearly wrong.
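
To see why drill reports "RR not covered by the given NSEC RRs", here is an added example (not code from drill, n3map or this issue) that checks the two NSEC records 1.1.1.1 returned for b.ns.arpa. against the canonical name ordering of RFC 4034 section 6.1 and the NXDOMAIN proof requirements of RFC 4035 section 5.4. The records are copied from the +dnssec response above; the closest-encloser derivation is the common validator shortcut, and the delegation (NS-in-bitmap) check is deliberately left out.

```python
"""NSEC denial-of-existence check in DNSSEC canonical order.

Added example for this issue (not drill's or n3map's code). It re-checks the
two NSEC records 1.1.1.1 returned for b.ns.arpa. above against the canonical
name ordering of RFC 4034 section 6.1 and the NXDOMAIN proof requirements of
RFC 4035 section 5.4, and explains drill's "RR not covered" error."""

# Constructed data: (owner, next, type bitmap) copied from the +dnssec answer
# 1.1.1.1 gave for "b.ns.arpa. A" in the comment above.
CF_NSECS = [
    ("arpa.", "as112.arpa.", "NS SOA RRSIG NSEC DNSKEY"),
    ("iris.arpa.", "a.ns.arpa.", "NS DS RRSIG NSEC"),
]


def canonical_key(name):
    """Sort key for RFC 4034 section 6.1 canonical DNS name order: labels are
    compared from the right (most significant) end, case-insensitively, as
    octet strings; a name sorts before every name it is an ancestor of."""
    labels = name.lower().encode("ascii").strip(b".").split(b".")
    return tuple(reversed([l for l in labels if l]))


def nsec_covers(owner, nxt, qname):
    """True if qname lies strictly between owner and next, i.e. this NSEC
    proves qname does not exist. The last NSEC of a zone points back to the
    apex, so next <= owner means 'everything after owner'. (A validator must
    also reject an NSEC whose owner is a delegation, NS set and no SOA in the
    bitmap, for names below it; that check is omitted here.)"""
    o, n, q = canonical_key(owner), canonical_key(nxt), canonical_key(qname)
    if n <= o:  # wrap-around record at the end of the chain
        return q > o or q < n
    return o < q < n


def closest_encloser(qname, owner, nxt):
    """Longest ancestor of qname that is also an ancestor of the covering
    NSEC's owner or next name; the usual way a validator recovers it."""
    q, best = canonical_key(qname), ()
    for other in (canonical_key(owner), canonical_key(nxt)):
        common = 0
        while common < min(len(q), len(other)) and q[common] == other[common]:
            common += 1
        if common > len(best):
            best = q[:common]
    return ".".join(l.decode() for l in reversed(best)) + "."


def proves_nxdomain(qname, nsecs):
    """Apply the two conditions of an NSEC NXDOMAIN proof: some NSEC covers
    qname, and some NSEC covers the wildcard at qname's closest encloser.
    Returns (ok, reason)."""
    q = canonical_key(qname)
    for owner, nxt, _ in nsecs:
        if q in (canonical_key(owner), canonical_key(nxt)):
            return False, f"{qname} exists: it is an NSEC owner or next name"
    covering = [(o, n) for o, n, _ in nsecs if nsec_covers(o, n, qname)]
    if not covering:
        return False, "RR not covered by the given NSEC RRs"
    owner, nxt = covering[0]
    wildcard = "*." + closest_encloser(qname, owner, nxt).lstrip(".")
    if not any(nsec_covers(o, n, wildcard) for o, n, _ in nsecs):
        return False, f"no NSEC covers {wildcard}"
    return True, f"{owner} NSEC {nxt} covers {qname} and {wildcard} is covered"


if __name__ == "__main__":
    for name in ("b.ns.arpa.", "a.ns.arpa.", "j.arpa."):
        print(name, proves_nxdomain(name, CF_NSECS))
```

In canonical order b.ns.arpa. sorts after a.ns.arpa., the next name of the second record, so neither NSEC covers it and the proof fails exactly as drill says; a.ns.arpa. fails for the opposite reason (it is that record's next name, so it provably exists). The same two records would be a valid NXDOMAIN proof for a name such as j.arpa., which sits between iris.arpa. and a.ns.arpa. and whose wildcard *.arpa. is covered by the apex record.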

anonion0 commented 1 year ago

> What most confused me is that n3map seems to completely fail if even just one nameserver cannot be resolved (???) …

That could be remedied. I'll open a another issue for it.