[Opendnssec-user] Upgrading to 1.1
Matthijs Mekking
matthijs at NLnetLabs.nl
Wed Jul 14 09:47:19 UTC 2010
Hi Mathieu,
Those are indeed a lot of NSEC3 records. Could you share with me the
kasp.xml file you are using for this zone (off list if you like)?
Best regards,
Matthijs
On 07/07/2010 03:36 PM, Mathieu Arnold wrote:
> Today, I upgraded from 1.0 to 1.1, and, it kinda worked ok, for most of
> the zones I sign, but now, for some, I have problems.
>
> The simplest zone I have problems with is the following :
>
> # cat d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa
> $TTL 1d
> @ IN SOA ns1.absolight.net. root.absolight.com. (
> 2010030500 ;serial
> 86400 ; refresh 24 hour
> 3600 ; retry 1 hour
> 604800 ; expire 7 days
> 1H ; TTL 1 hour
> )
> IN NS ns1.absolight.net.
> IN NS ns2.absolight.net.
> IN NS ns3.absolight.net.
> IN NS ns4.absolight.net.
> IN TXT "$Abso: d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa,v 1644124c9d58 2010/03/05 13:03:53 mat $"
>
> 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR 6to4.th2.absolight.net.
>
> which is quite simple.
>
> Now, when I try to sign it, it just goes bad.
>
> # /usr/local/bin/ods-auditor -c /usr/local/etc/opendnssec/conf.xml -s /usr/local/var/opendnssec/tmp/d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa.finalized -z d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa
> Auditor started
> Auditor starting on d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa
> 6: Auditing d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa zone : NSEC3 SIGNED
> 4: Found NSEC3 record for hashed domain which couldn't be found in the zone (00cdvvl050g9up4icqk4op0ikf7g0gig.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa)
> 4: Found NSEC3 record for hashed domain which couldn't be found in the zone (1o1mgf2ec6k5kjksm4h189q6af2j0ena.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa)
> 4: Found NSEC3 record for hashed domain which couldn't be found in the zone (2gs3mlhpebvslofog6b2n6tdn0d33f4l.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa)
> 4: Found NSEC3 record for hashed domain which couldn't be found in the zone (4eau1e79pg4rnrn85eeuvv8js6rin18u.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa)
> 4: Found NSEC3 record for hashed domain which couldn't be found in the zone (5s1fupjlaa2vojnva38imcl75rgj1hg4.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa)
> 4: Found NSEC3 record for hashed domain which couldn't be found in the zone (7ff055a0tl6od6bbnbbpqj7cncqvkv4n.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa)
> 4: Found NSEC3 record for hashed domain which couldn't be found in the zone (8viqg0jshvor9g4bt4rig9vn5ged98kj.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa)
> 4: Found NSEC3 record for hashed domain which couldn't be found in the zone (bb656qcv2gapph8ommteu7kvk9lmnb0d.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa)
> 4: Found NSEC3 record for hashed domain which couldn't be found in the zone (gg6flu8onjo3ogrgqbirjtb5tat5pqcg.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa)
> 3: Can't find NSEC3 for empty nonterminal 0.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa (should be ghm98145n1p18oag963debu6k4qf5999.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa)
> 3: Can't find NSEC3 for empty nonterminal 0.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa (should be ghm98145n1p18oag963debu6k4qf5999.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa)
> 3: Can't find NSEC3 for empty nonterminal 0.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa (should be ghm98145n1p18oag963debu6k4qf5999.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa)
> 3: Can't find NSEC3 for empty nonterminal 0.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa (should be ghm98145n1p18oag963debu6k4qf5999.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa)
> 3: Can't find NSEC3 for empty nonterminal 0.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa (should be ghm98145n1p18oag963debu6k4qf5999.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa)
> 3: Can't find NSEC3 for empty nonterminal 0.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa (should be ghm98145n1p18oag963debu6k4qf5999.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa)
> 3: Can't find NSEC3 for empty nonterminal 0.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa (should be ghm98145n1p18oag963debu6k4qf5999.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa)
> 3: Can't find NSEC3 for empty nonterminal 0.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa (should be ghm98145n1p18oag963debu6k4qf5999.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa)
> 3: Can't find NSEC3 for empty nonterminal 0.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa (should be ghm98145n1p18oag963debu6k4qf5999.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa)
> 3: Can't find NSEC3 for empty nonterminal 0.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa (should be ghm98145n1p18oag963debu6k4qf5999.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa)
> 3: Can't find NSEC3 for empty nonterminal 0.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa (should be ghm98145n1p18oag963debu6k4qf5999.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa)
> 3: Can't find NSEC3 for empty nonterminal 0.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa (should be ghm98145n1p18oag963debu6k4qf5999.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa)
> 3: Can't find NSEC3 for empty nonterminal 0.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa (should be ghm98145n1p18oag963debu6k4qf5999.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa)
> 3: Can't find NSEC3 for empty nonterminal 0.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa (should be ghm98145n1p18oag963debu6k4qf5999.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa)
> 3: Can't find NSEC3 for empty nonterminal 0.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa (should be ghm98145n1p18oag963debu6k4qf5999.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa)
> 3: Can't find NSEC3 for empty nonterminal 0.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa (should be ghm98145n1p18oag963debu6k4qf5999.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa)
> 3: Can't find NSEC3 for empty nonterminal 0.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa (should be ghm98145n1p18oag963debu6k4qf5999.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa)
> 3: Can't find NSEC3 for empty nonterminal 0.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa (should be ghm98145n1p18oag963debu6k4qf5999.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa)
> 3: ERROR : expected at d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa (hcioin8r04jq695qu8k0r24l1m21sri8.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa) but found DNSKEY NS NSEC3PARAM RRSIG SOA TXT
> 4: Found NSEC3 record for hashed domain which couldn't be found in the zone (i5s1j8knoj8v9heecb26mgo5rvmea0nj.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa)
> 4: Found NSEC3 record for hashed domain which couldn't be found in the zone (j80tg96tv6n63ol3j9s3haphvjgsurt3.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa)
> 4: Found NSEC3 record for hashed domain which couldn't be found in the zone (jjpc0ru5lfeveqo5fv2nekfnrjr8p8lq.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa)
> 4: Found NSEC3 record for hashed domain which couldn't be found in the zone (nqcesslkhac47vlmhu1s8dhr4bsa9tet.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa)
> 4: Found NSEC3 record for hashed domain which couldn't be found in the zone (q2mie3a9ushbdbk4itlp6vj8vcckg54g.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa)
> 4: Found NSEC3 record for hashed domain which couldn't be found in the zone (qerso7o14hqe3hp1i58ne8lkd49o332f.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa)
> 6: Finished auditing d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa zone
>
> I don't really understand, but I think that it generates NSEC3 records for way too many things.
>
> Attached are the temp files.
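Added example, not part of the original thread and not OpenDNSSEC code: under RFC 5155 every empty non-terminal between the apex and an owner name gets its own NSEC3 record, so the 20-label PTR name in the quoted zone implies 19 of them besides the apex and the PTR itself. The sketch below enumerates those names and hashes them; the salt and iteration count are assumptions (the RFC 5155 Appendix A values), because the kasp.xml for this zone is not on the page.

```python
import base64
import hashlib

# base32 -> base32hex alphabet (RFC 4648), the encoding used for NSEC3 owner names
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789abcdefghijklmnopqrstuv")

ZONE = "d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa"       # zone from the quoted message
PTR_OWNER = ".".join(["0"] * 20) + "." + ZONE   # its single PTR owner name
SALT_HEX, ITERATIONS = "aabbccdd", 12           # assumed: RFC 5155 Appendix A values

def wire_name(name):
    """Canonical lowercase wire format of a domain name."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 section 5: iterated salted SHA-1, base32hex encoded."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):          # 'iterations' counts additional rounds
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode("ascii")

def empty_non_terminals(zone, owners):
    """Names strictly between the apex and an owner that hold no records."""
    zone = zone.lower().rstrip(".")
    owned = {o.lower().rstrip(".") for o in owners} | {zone}
    ents = set()
    for owner in owned - {zone}:
        labels = owner[: -len(zone) - 1].split(".")   # labels below the apex
        for i in range(1, len(labels)):
            candidate = ".".join(labels[i:]) + "." + zone
            if candidate not in owned:
                ents.add(candidate)
    return sorted(ents, key=len)

def expected_nsec3(zone, owners, salt_hex, iterations):
    """Map each expected NSEC3 owner hash to the name it covers."""
    names = [zone] + list(owners) + empty_non_terminals(zone, owners)
    return {nsec3_hash(n, salt_hex, iterations): n for n in names}

if __name__ == "__main__":
    table = expected_nsec3(ZONE, [PTR_OWNER], SALT_HEX, ITERATIONS)
    for h, n in sorted(table.items()):
        print(f"{h}.{ZONE}  <- {n}")
```

With the salt and iteration count from the zone's actual kasp.xml substituted, the printed hashes can be compared against the owner names in the auditor output.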