[Opendnssec-user] "expected covering NSEC3, got an exact match" ?

Paul Wouters paul at nohats.ca
Mon Jan 2 20:49:27 UTC 2012


On Mon, 2 Jan 2012, Miek Gieben wrote:

>> Google doesn't give much information about this
>> message in recent bind versions, other than that
>> it could be because of stale NSEC3 records.
>> But our signing process seems fine, and all
>> signatures are current.
>
> Maybe the bind-user list is a better place to ask?
>
> I think what bind logs is just what it says: it is expecting
> that something does not exist, but it is seeing a matching
> nsec3, indicating that it came into existence.
>
> Or, maybe bind is clever and it saw an nsec3 that
> covers: a -> c, indicating that b does not exist.
> Now it gets a new nsec3 (b -> c), that shouldn't
> exist if you still believe the first nsec3.

This can happen when you have removed a record during rollover.
dnssec-signzone keeps the old DNSKEY signatures for a time period without
really looking at the records (it only fixes the nsec* chains for
the current dnskey).

The latest bind had an option to just always drop the previous dnskey's
NSEC/RRSIGs.

Paul
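The contradiction Miek describes (an NSEC3 a -> c that proves b does not exist, next to a stale NSEC3 owned by b) can be reproduced on the wire-level data without a resolver. The script below is an added example, not code from this thread or from OpenDNSSEC or BIND: it implements the RFC 5155 owner-name hash (SHA-1 over the wire-format name plus salt, iterated), builds the circular NSEC3 chain for a constructed zone, and then checks what the chain says about a hashed name. The "stale record" scenario, the names `example`/`a.example`/`b.example`/`c.example`, and the salt/iteration parameters are all constructed for illustration; `find_conflicts` is a simple consistency check of the kind an operator could run over a dumped signed zone, not a model of BIND's validator.

```python
import hashlib

_B32HEX = "0123456789abcdefghijklmnopqrstuv"


def _b32hex(data: bytes) -> str:
    """Base32hex without padding (RFC 4648 extended-hex alphabet), as NSEC3 owner labels use."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)
    return "".join(_B32HEX[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))


def _wire_name(name: str) -> bytes:
    """Canonical (lowercase) wire-format owner name, which is what RFC 5155 hashes."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.lower().encode("ascii")
    return out + b"\x00"


def nsec3_hash(name: str, salt: bytes = b"", iterations: int = 0) -> str:
    """RFC 5155 section 5: H(name) = SHA-1(name || salt), re-hashed `iterations` more times."""
    digest = hashlib.sha1(_wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return _b32hex(digest)


def build_chain(names, salt=b"", iterations=0):
    """Map each hashed owner to the next hashed owner in the circular NSEC3 chain."""
    hashes = sorted(nsec3_hash(n, salt, iterations) for n in names)
    return {h: hashes[(i + 1) % len(hashes)] for i, h in enumerate(hashes)}


def covers(owner: str, nxt: str, target: str) -> bool:
    """True if the NSEC3 record owner -> nxt proves that target does not exist."""
    if owner == nxt:                       # single-record chain covers everything but itself
        return target != owner
    if owner < nxt:
        return owner < target < nxt
    return target > owner or target < nxt  # last record wraps around to the first


def classify(chain, target_hash):
    """What the chain says about a hashed name: exact match, covered (non-existent), or nothing."""
    if target_hash in chain:
        return "match"
    if any(covers(o, n, target_hash) for o, n in chain.items()):
        return "covered"
    return "unproven"


def find_conflicts(chain):
    """Owners that another record in the same chain claims do not exist: a sign of stale NSEC3s."""
    return [(owner, o2, n2) for owner in chain
            for o2, n2 in chain.items()
            if o2 != owner and covers(o2, n2, owner)]


def stale_chain_demo():
    # Constructed scenario: b.example was removed and the chain regenerated,
    # but the old NSEC3 owned by b.example's hash is still being served.
    old = build_chain(["example", "a.example", "b.example", "c.example"])
    current = build_chain(["example", "a.example", "c.example"])
    hb = nsec3_hash("b.example")
    mixed = dict(current)
    mixed[hb] = old[hb]                    # stale record leaks into the served set
    return {
        "before": classify(current, hb),   # "covered": non-existence is provable
        "after": classify(mixed, hb),      # "match": contradicts the covering record
        "conflicts": find_conflicts(mixed),
    }


if __name__ == "__main__":
    result = stale_chain_demo()
    print("current chain says b.example is", result["before"])
    print("with the stale record, b.example is", result["after"])
    for owner, o2, n2 in result["conflicts"]:
        print(f"owner {owner} is covered by {o2} -> {n2}: stale NSEC3")
```

Running it with `python3 nsec3_chain.py` (a hypothetical file name) shows `b.example` going from "covered" to "match" once the leftover record is mixed in, which is exactly the situation a validator would report as expecting a covering NSEC3 and getting an exact match. Before trusting any output against a real zone, feed `nsec3_hash` the zone's own NSEC3PARAM salt and iteration count, and cross-check a couple of hashes against the published RFC 5155 Appendix A test vectors.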
