[Opendnssec-user] NSEC3 failure?
Yuri Schaeffer
yuri at nlnetlabs.nl
Fri Apr 1 08:19:11 UTC 2016
Hi Håvard,
> Apr 1 02:50:06 hugin ods-signerd: [STATS] 255.39.128.in-addr.arpa 2016040100 RR[count=0 time=0(sec)] NSEC3[count=0 time=0(sec)] RRSIG[new=2 reused=237 time=0(sec) avg=0(sig/sec)] TOTAL[time=0(sec)]
> Apr 1 04:50:07 hugin ods-signerd: [STATS] 255.39.128.in-addr.arpa 2016040101 RR[count=0 time=0(sec)] NSEC3[count=0 time=0(sec)] RRSIG[new=5 reused=234 time=1(sec) avg=5(sig/sec)] TOTAL[time=1(sec)]
> Apr 1 06:50:06 hugin ods-signerd: [STATS] 255.39.128.in-addr.arpa 2016040102 RR[count=0 time=0(sec)] NSEC3[count=0 time=0(sec)] RRSIG[new=5 reused=234 time=0(sec) avg=0(sig/sec)] TOTAL[time=0(sec)]
>
> When I realized this was happening, I manually initiated a
> signing via "ods-signer sign 255.39.128.in-addr.arpa", and this
> has apparently cured the problem:
>
> Apr 1 07:41:47 hugin ods-signerd: [STATS] 255.39.128.in-addr.arpa 2016040103 RR[count=0 time=0(sec)] NSEC3[count=0 time=0(sec)] RRSIG[new=2 reused=237 time=0(sec) avg=0(sig/sec)] TOTAL[time=0(sec)]
>
> Now, manually verifying whether the NSEC3 records are OK is
> currently above what I do...
>
> Does anyone have an idea what more needs to be done to zero in on
> this problem?
Hmm. My first guess would be that it involves a resalt. Your log lines
seem to indicate that no new NSECs are being generated. Yet a resign
solves the problem. Could you compare the NSEC3PARAM from the failing
zone to the one after the manual resign?
//Yuri
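
The comparison suggested above can be scripted to flag a zone whose NSEC3PARAM no longer matches its NSEC3 chain. This is an added example, not part of the original message and not OpenDNSSEC code; the helper names `nsec3_hash` and `check_zone` are hypothetical, and it assumes hash algorithm 1 (SHA-1) and a zone in presentation format with one record per line and fully qualified owner names.

```python
import base64, hashlib

# Standard base32 alphabet -> base32hex, the encoding NSEC3 owner names use.
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 hash (algorithm 1, SHA-1) of a domain name, lowercase base32hex."""
    labels = [l for l in name.lower().split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):          # 'iterations' counts the additional rounds
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode().lower()

def check_zone(zone_text, apex):
    """Compare NSEC3PARAM with the NSEC3 chain; return a list of findings."""
    param, chain = None, {}
    for line in zone_text.splitlines():
        f = line.split(";")[0].split()
        i = 1                            # skip optional TTL and class to reach the type
        while i < len(f) and (f[i].isdigit() or f[i].upper() == "IN"):
            i += 1
        if len(f) < i + 5 or f[i].upper() not in ("NSEC3", "NSEC3PARAM"):
            continue
        rdata = (int(f[i + 1]), int(f[i + 3]), f[i + 4].lower())  # alg, iterations, salt
        if f[i].upper() == "NSEC3PARAM":
            param = rdata
        else:
            chain[f[0].lower()] = rdata
    if param is None:
        return ["no NSEC3PARAM record found"]
    findings = [f"{owner}: NSEC3 uses {rd}, NSEC3PARAM says {param}"
                for owner, rd in sorted(chain.items()) if rd != param]
    want = nsec3_hash(apex, param[2], param[1]) + "." + apex.lower().strip(".") + "."
    if want not in chain:
        findings.append(f"no NSEC3 record at {want} for the apex under the current salt")
    return findings

# Constructed sample zones (parameters and hash taken from the RFC 5155 example zone).
GOOD = """\
example. 3600 IN NSEC3PARAM 1 0 12 aabbccdd
0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. 3600 IN NSEC3 1 1 12 aabbccdd 2t7b4g4vsa5smi47k61mv5bv1a22bojr MX DNSKEY NS SOA NSEC3PARAM RRSIG
"""
# Same chain, but NSEC3PARAM carries a new salt: a resalt without a rebuilt chain.
STALE = GOOD.replace("NSEC3PARAM 1 0 12 aabbccdd", "NSEC3PARAM 1 0 12 deadbeef")

if __name__ == "__main__":
    print(check_zone(STALE, "example."))
```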