[Opendnssec-user] NSEC3 failure?

Yuri Schaeffer yuri at nlnetlabs.nl
Fri Apr 1 18:30:48 UTC 2016

> ...and if I'm not terribly mistaken, the three zones which have been
> flagged in this way (yep, two more popped up) so far have all been
> added to our OpenDNSSEC setup after we upgraded to 1.4.9.

I think there is a relation but no causation in this case. They are
probably added around the same time and thus resalted at the same time.
Though not entirely sure on that.

I do have a possible fix ready.
https://github.com/yschaeff/opendnssec/tree/double_nsec3param if you are
feeling adventurous. It passes our regression tests but I wasn't able to
reproduce the yet so I'm not 100 percent sure it is a fix.

I think there is a window between a resalt and a manual resign or
incoming zone transfer where this double nsec3param can occur. I hope
that I can reproduce it soon with this new insight.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: OpenPGP digital signature
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20160401/2a7e0b9e/attachment.bin>

More information about the Opendnssec-user mailing list