[Opendnssec-user] NSEC3 failure?

Havard Eidnes he at uninett.no
Fri Apr 1 08:31:26 UTC 2016


Hm,

seems I need to follow up on my own posting, as I see that all
the three "bad" zones have *two* NSEC3PARAM records:

255.39.128.in-addr.arpa.  0 IN NSEC3PARAM   1 0 5 45F39B9A60C14581
255.39.128.in-addr.arpa.  0 IN NSEC3PARAM   1 0 5 D9E0ED2449E3721D

while the good one only has one:

255.39.128.in-addr.arpa.  0 IN NSEC3PARAM   1 0 5 45F39B9A60C14581

I bet that's what's causing BIND's dnssec-verify to balk at the
"bad" zones.

Regards,

- Håvard
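
A check for the condition described in the message above, as an added example that is not part of the original post: it groups NSEC3PARAM records by owner name and reports any owner that carries more than one distinct parameter set. The function names are hypothetical, the sample zones are constructed from the records quoted in the message, and the parser assumes one record per line with an explicit owner name.

```python
from collections import defaultdict

# Constructed samples, built from the records quoted in the message.
BAD_ZONE = """\
255.39.128.in-addr.arpa.  0 IN NSEC3PARAM   1 0 5 45F39B9A60C14581
255.39.128.in-addr.arpa.  0 IN NSEC3PARAM   1 0 5 D9E0ED2449E3721D
"""
GOOD_ZONE = """\
255.39.128.in-addr.arpa.  0 IN NSEC3PARAM   1 0 5 45F39B9A60C14581
"""

CLASSES = {"IN", "CH", "HS"}


def nsec3param_sets(zone_text):
    """Map owner -> set of (hash algorithm, flags, iterations, salt).

    Assumption: one record per line with an explicit owner name; multi-line
    records, $ORIGIN and inherited owner names are not handled.
    """
    found = defaultdict(set)
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()   # drop trailing comments
        if len(fields) < 2:
            continue
        i = 1
        # Skip optional TTL and class to locate the record type field, so
        # "RRSIG NSEC3PARAM ..." and NSEC3 type bitmaps are not miscounted.
        while i < len(fields) and (fields[i].isdigit() or fields[i].upper() in CLASSES):
            i += 1
        if i >= len(fields) or fields[i].upper() != "NSEC3PARAM":
            continue
        rdata = fields[i + 1:i + 5]
        if len(rdata) != 4:
            continue
        try:
            alg, flags, iterations = (int(x) for x in rdata[:3])
        except ValueError:
            continue
        # Owner names and hex salts are case-insensitive; normalise both.
        found[fields[0].lower()].add((alg, flags, iterations, rdata[3].upper()))
    return dict(found)


def conflicting_nsec3param(zone_text):
    """Return only the owners with more than one distinct parameter set."""
    return {o: sorted(p) for o, p in nsec3param_sets(zone_text).items() if len(p) > 1}


if __name__ == "__main__":
    for name, text in (("bad", BAD_ZONE), ("good", GOOD_ZONE)):
        print(name, conflicting_nsec3param(text) or "single NSEC3PARAM set")
```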