[Opendnssec-user] 1.0.0rc1 nsec3 signing bug, or some sort of newbie mistake

Dan Pritts danno at internet2.edu
Tue Dec 8 14:00:33 UTC 2009

On Tue, Dec 08, 2009 at 08:57:29AM +0000, Alexd at nominet.org.uk wrote:
> Hi Dan - 
> > I've set up opendnssec 1.0.0rc1 and softhsm 1.1.1 on an RHEL5 x64 system,
> > and added an initial zone.
> Can I ask if you have updated ldns to 1.6.3? 

I haven't; I had just built everything with 1.0.0b9 a couple days ago
so when I built 1.0.0rc1 yesterday I did not bother to check for updates
to the surrounding tools & libraries.  Duh.

I'm sure this is my problem.

> > The zone is signed by the signer, but a bunch of strange records are
> > added
> These are the NSEC3 records. If you do not need to prevent zone walking, 
> and your zone is not so large that opt-out is a requirement, then you are 
> just as well served by NSEC (which does not require the "strange records" 
> in the signed zone).

I was surprised that things looked so different between bind and
opendnssec's signed zones; as I go back to it, it looks like I had
configured bind to do NSEC, rather than NSEC3. I thought I'd done
NSEC3 with bind but as I look at it, it looks like I did NSEC there.

Thanks for all the responses and for your work on the opendnssec tools.

Dan Pritts, Sr. Systems Engineer
office: +1-734-352-4953 | mobile: +1-734-834-7224

Winter 2010 ESCC/Internet2 Joint Techs
Hosted by the University of Utah - Salt Lake City, UT
January 31 - February 4, 2010
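
Added example (not part of the original message and not OpenDNSSEC code): the owner names of the NSEC3 "strange records" discussed above are RFC 5155 hashes of the zone's real names, and this Python sketch computes that hash so a hashed label in a signed zone can be matched back to a name the operator already knows. The function names are hypothetical, and the salt, iteration count and names are the RFC 5155 Appendix A sample values, not values from this thread.

```python
import base64
import hashlib

# Standard base32 alphabet -> base32hex ("extended hex") alphabet used by NSEC3.
_B32_TO_B32HEX = bytes.maketrans(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
    b"0123456789ABCDEFGHIJKLMNOPQRSTUV",
)

def to_wire(name: str) -> bytes:
    """Canonical (lowercased) DNS wire format of a domain name."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if not label:
            continue  # root name, or a stray empty label
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label longer than 63 octets: %r" % label)
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"

def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 hash (algorithm 1, SHA-1) as the label seen in a signed zone."""
    salt = bytes.fromhex(salt_hex) if salt_hex not in ("", "-") else b""
    digest = hashlib.sha1(to_wire(name) + salt).digest()
    for _ in range(iterations):  # "iterations" counts the additional rounds
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32_TO_B32HEX).decode().lower()

def explain_labels(hashed_labels, known_names, salt_hex, iterations):
    """Map each hashed owner label to the known name it stands for, or None."""
    table = {nsec3_hash(n, salt_hex, iterations): n for n in known_names}
    return {h: table.get(h.lower()) for h in hashed_labels}

if __name__ == "__main__":
    # Constructed input: names and NSEC3 parameters from RFC 5155 Appendix A.
    labels = ["0p9mhaveqvm6t7vbl5lop2u3t2rp3tom", "35MTHGPGCU1QG68FAB165KLNSNK3DPVL"]
    found = explain_labels(labels, ["example", "a.example"], "aabbccdd", 12)
    for hashed, name in found.items():
        print(hashed, "->", name)
```

The salt and iteration count for a real zone are published in its NSEC3PARAM record; a label that maps to None belongs to a name that is not in the candidate list.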
