[Opendnssec-user] "expected covering NSEC3, got an exact match" ?

Miek Gieben miek.gieben at sidn.nl
Mon Jan 2 07:44:21 UTC 2012

[ Quoting Peter Olsson at 12:55 on December 28 in "[Opendnssec-user] "expected coverin"... ]
> Anyone know the reason for this message?
> Google doesn't give much information about this
> message in recent bind versions, other than that
> it could be because of stale NSEC3 records.
> But our signing process seems fine, and all
> signatures are current.

Maybe the bind-user list is a better place to ask?

I think what bind logs is just what it says: it is expecting
that something does not exist, but it is seeing a matching
nsec3, indicating that it came into existence.

Or, maybe bind is clever and it saw an nsec3 that
covers: a -> c, indicating that b does not exist.
Now it gets a new nsec3 (b -> c), that shouldn't
exist if you still believe the first nsec3.

Miek Gieben

More information about the Opendnssec-user mailing list