[Opendnssec-user] empty non-terminal

Fri Jul 9 09:17:01 UTC 2010

Hi,

I have a small problem with opendnssec. Signing/auditing a zone with
empty non-terminals with NSEC3 would fail with:

Jul  9 10:28:34 DNStest ods-auditor[20965]: Auditor started
Jul  9 10:28:34 DNStest ods-auditor[20965]: Auditor starting on test1234.si
Jul  9 10:28:34 DNStest ods-auditor[20965]: Auditing test1234.si zone :
NSEC3 SIGNED
Jul  9 10:28:34 DNStest ods-auditor[20965]: Found NSEC3 record for
hashed domain which couldn't be found in the zone
(cg85dnhpaim1i60vs63tuhhemt20fe5r.test1234.si)
Jul  9 10:28:34 DNStest ods-auditor[20965]: Can't find NSEC3 for empty
nonterminal z.test1234.si (should be
fc1hjftfeg9gfjj50gtc7gilpiocip1u.test1234.si)
Jul  9 10:28:34 DNStest ods-auditor[20965]: Finished auditing
test1234.si zone
Jul  9 10:28:34 DNStest ods-signerd: Auditor result: 3

The zone is:

# dig axfr test1234.si @kanin

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> axfr test1234.si @kanin
;; global options:  printcmd
test1234.si.        21600    IN    SOA    kanin.arnes.si.
hostmaster.arnes.si. 2010070900 28800 7200 3600000 21600
test1234.si.        172800    IN    TXT    "v=spf1 a mx ip4:193.2.1.74 ?all"
test1234.si.        172800    IN    NS    kanin.arnes.si.
test1234.si.        172800    IN    NS    nanos.arnes.si.
test1234.si.        172800    IN    MX    10 avs1.arnes.si.
test1234.si.        172800    IN    MX    10 avs2.arnes.si.
test1234.si.        172800    IN    MX    10 avs3.arnes.si.
x.y.z.test1234.si.    172800    IN    A    193.2.1.87
test1234.si.        21600    IN    SOA    kanin.arnes.si.
hostmaster.arnes.si. 2010070900 28800 7200 3600000 21600

It works if records z.test1234.si and y.z.test1234.si exist.

Benjamin Zwittnig,
Arnes