[Opendnssec-user] NSEC3 failure?

Havard Eidnes he at uninett.no
Fri Apr 1 07:42:36 UTC 2016


Hi,

our zones are set up to use NSEC3 for authenticated denial of
existence.  In our setup, we let OpenDNSSEC do zone transfers in
and out (as explained before), but on the public distribution
master we run periodic checks of all the zones using both
ldns-verify-zone and BIND's dnssec-verify program.

This morning, dnssec-verify flagged a problem for one of our
zones, where all the problems are related to NSEC3 records which
dnssec-verify thinks are missing:

Loading zone '255.39.128.in-addr.arpa' from file 'zones/255.39.128.in-addr.arpa'
Verifying the zone using the following algorithms: RSASHA256.
Missing NSEC3 record for 255.39.128.in-addr.arpa (NAKEP4OF03QEFOD18FBGE5GTKBLV4BHK.255.39.128.in-addr.arpa)
Missing NSEC3 record for 10.255.39.128.in-addr.arpa (6U9IB2FVPQS353THQ1SJ2UGN32KFDNDB.255.39.128.in-addr.arpa)
...

It does this for all the records in the zone.

The checker script preserves a copy of the zone which is flagged
with errors.  All the "bad" zones do have NSEC3 records in
appropriate quantities.

The zone has been automatically signed three times where the
resulting transferred zone to the slave (or "public master")
fails the check:

Apr  1 02:50:06 hugin ods-signerd: [STATS] 255.39.128.in-addr.arpa 2016040100 RR[count=0 time=0(sec)] NSEC3[count=0 time=0(sec)] RRSIG[new=2 reused=237 time=0(sec) avg=0(sig/sec)] TOTAL[time=0(sec)] 
Apr  1 04:50:07 hugin ods-signerd: [STATS] 255.39.128.in-addr.arpa 2016040101 RR[count=0 time=0(sec)] NSEC3[count=0 time=0(sec)] RRSIG[new=5 reused=234 time=1(sec) avg=5(sig/sec)] TOTAL[time=1(sec)] 
Apr  1 06:50:06 hugin ods-signerd: [STATS] 255.39.128.in-addr.arpa 2016040102 RR[count=0 time=0(sec)] NSEC3[count=0 time=0(sec)] RRSIG[new=5 reused=234 time=0(sec) avg=0(sig/sec)] TOTAL[time=0(sec)] 

When I realized this was happening, I manually initiated a
signing via "ods-signer sign 255.39.128.in-addr.arpa", and this
has apparently cured the problem:

Apr  1 07:41:47 hugin ods-signerd: [STATS] 255.39.128.in-addr.arpa 2016040103 RR[count=0 time=0(sec)] NSEC3[count=0 time=0(sec)] RRSIG[new=2 reused=237 time=0(sec) avg=0(sig/sec)] TOTAL[time=0(sec)] 

Now, manually verifying whether the NSEC3 records are OK is
currently above what I do...

Does anyone have an idea what more needs to be done to zero in on
this problem?

Regards,

- Håvard
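The manual NSEC3 check the message leaves aside can be scripted: recompute each owner name's NSEC3 hash from the zone's NSEC3PARAM (RFC 5155 section 5) and confirm an NSEC3 record with that owner exists. The dnssec-verify lines above already print the hashed owner it expected in parentheses, so the same comparison can be made against the preserved copy of a flagged zone. The code below is an added example, not from the original post or from OpenDNSSEC; its sample zone is constructed from the RFC 5155 Appendix A test vectors (salt aabbccdd, 12 iterations) rather than from the poster's in-addr.arpa zone.

```python
"""Recompute NSEC3 owner names (RFC 5155 section 5) and report owner names
in a zone that have no matching NSEC3 record.  Added example; the sample
zone below is constructed from RFC 5155 Appendix A, not the poster's zone."""
import base64
import hashlib

# NSEC3 hashes are written in base32hex (RFC 4648 section 7).  Python's
# b32encode uses the plain base32 alphabet, so translate between the two.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels, each preceded
    by its length byte, terminated by the empty root label."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    body = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    return body + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """IH(salt, x, 0) = SHA-1(x || salt);
    IH(salt, x, k) = SHA-1(IH(salt, x, k-1) || salt).
    Hash algorithm 1 (SHA-1) is the only one defined for NSEC3."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX)


def parse_nsec3param(rdata: str):
    """Parse NSEC3PARAM rdata 'alg flags iterations salt' into ints and the salt."""
    alg, flags, iterations, salt = rdata.split()
    if int(alg) != 1:
        raise ValueError(f"unsupported NSEC3 hash algorithm {alg}")
    return int(alg), int(flags), int(iterations), salt


def missing_nsec3(apex: str, owners, nsec3_owners, salt_hex: str, iterations: int):
    """Return [(owner, expected NSEC3 owner)] for every owner name whose
    NSEC3 record is absent under the given salt and iteration count."""
    apex = apex.lower().rstrip(".")
    present = {o.lower().rstrip(".") for o in nsec3_owners}
    missing = []
    for owner in owners:
        expected = f"{nsec3_hash(owner, salt_hex, iterations).lower()}.{apex}"
        if expected not in present:
            missing.append((owner, expected))
    return missing


# Constructed sample: owner names and NSEC3 owners taken from the RFC 5155
# Appendix A signed zone, whose NSEC3PARAM is "1 0 12 aabbccdd".
SAMPLE_APEX = "example."
SAMPLE_NSEC3PARAM = "1 0 12 aabbccdd"
SAMPLE_OWNERS = ["example.", "a.example.", "ns1.example.",
                 "x.w.example.", "*.w.example."]
SAMPLE_NSEC3_OWNERS = [
    "0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example.",  # example.
    "35mthgpgcu1qg68fab165klnsnk3dpvl.example.",  # a.example.
    "2t7b4g4vsa5smi47k61mv5bv1a22bojr.example.",  # ns1.example.
    "b4um86eghhds6nea196smvmlo4ors995.example.",  # x.w.example.
    "r53bq7cc2uvmubfu5ocmm6pers9tk9en.example.",  # *.w.example.
]


def check_sample(nsec3param: str = SAMPLE_NSEC3PARAM):
    """Run the check on the sample zone using the given NSEC3PARAM rdata."""
    _, _, iterations, salt = parse_nsec3param(nsec3param)
    return missing_nsec3(SAMPLE_APEX, SAMPLE_OWNERS, SAMPLE_NSEC3_OWNERS,
                         salt, iterations)


if __name__ == "__main__":
    print("matching NSEC3PARAM:", check_sample())
    # Hashing with a salt or iteration count that differs from the one the
    # NSEC3 RRs were built with makes every owner name look unmatched.
    print("different salt:     ", check_sample("1 0 12 aabbccde"))
```

Reading the owner names and NSEC3 owners from a real zone file (or the output of ldns-read-zone) is left to the caller; the point of the salt-mismatch run at the end is that "every name in the zone is missing its NSEC3" is exactly the pattern a verifier produces when the NSEC3 records present were computed under different NSEC3PARAM values than the ones the verifier reads from the zone, so comparing the parameters in the flagged copy against the hashed owners it contains is a cheap first check.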
