[Opendnssec-user] "expected covering NSEC3, got an exact match" ?

Peter Olsson pol at leissner.se
Mon Jan 2 08:56:46 UTC 2012

On Mon, Jan 02, 2012 at 08:44:21AM +0100, Miek Gieben wrote:
> [ Quoting Peter Olsson at 12:55 on December 28 in "[Opendnssec-user] "expected coverin"... ]
> > Anyone know the reason for this message?
> >
> > Google doesn't give much information about this
> > message in recent bind versions, other than that
> > it could be because of stale NSEC3 records.
> > But our signing process seems fine, and all
> > signatures are current.
> Maybe the bind-user list is a better place to ask?

Good idea, will try that (should have thought of that

Aha, just found this in their October archive:
We never did manage to track down exactly what was wrong with the
NSEC3 records, but the problem seems to have been cured by the zone
signer being upgraded from OpenDNSSEC 1.2.1 to 1.3.2.

Looks like I'm in for a long overdue upgrade then, as soon
as the ldns problem with new year 2012 is fixed.


Peter Olsson

> I think what bind logs is just what it says: it is expecting
> that something does not exist, but it is seeing a matching
> nsec3, indicating that it came into existence.
> Or, maybe bind is clever and it saw an nsec3 that
> covers: a -> c, indicating that b does not exist.
> Now it gets a new nsec3 (b -> c), that shouldn't
> exist if you still believe the first nsec3.
> Regards,
> Miek Gieben

More information about the Opendnssec-user mailing list