[Opendnssec-user] Sudden failure related to NSEC3

Havard Eidnes he at uninett.no
Fri Jul 8 22:42:57 UTC 2016


I just had the misfortune of experiencing OpenDNSSEC emit zones
which were malformed related to NSEC3.

I have a script on our public distribution master (which is
just downstream of OpenDNSSEC) which checks zones for DNSSEC
consistency, and this evening it suddenly flagged this same
problem for a largish number of zones.

Running "ldns-verify-zone -V 2" on the copy of the zone file
resulted in:

Error: Bogus DNSSEC signature for uninett.no.   NSEC3PARAM
There were errors in the zone

and running BIND's dnssec-verify on the zone results in a large
ream of messages, some of which are

No correct RSASHA256 signature for uninett.no NSEC3PARAM
Missing NSEC3 record for uninett.no (0A3GIVR501P8JRGSHTNNEJPE7B4TAL6S.uninett.no)
Missing NSEC3 record for 6etg-landskap-sw.uninett.no (ANBEOTL2U7EG7OC0B9T1AO66L1K99P55.uninett.no)
Missing NSEC3 record for _original-serial.uninett.no (883NRS6S8UQ6HD0JH4GORS1557P10PSH.uninett.no)
Missing NSEC3 record for zino.uninett.no (S1NO4RE0NMDCL99IG2VOD6PHSK0TH5SV.uninett.no)
Expected and found NSEC3 chains not equal
Break in NSEC3 chain at: 0MUSUIT1FJV4V39O42NVI078P60KQ2RV
Break in NSEC3 chain at: 0S6OOOD7J6JB1ID779G5OBUDM330UI2H
Expected: 0SD02H0M8OH2GMG91BQODJQH7RHB76K1
Break in NSEC3 chain at: 0UMI9EQVLJ4S92QSQBGQK2VJI6CE1VQ3

It seems that out of the 378 zones we have in our setup, some 252
of those zones suddenly had developed this disease.

I took a copy of the tmp/ directory in OpenDNSSEC (and then
removed the files there), and have a copy of the "bad" zones
which came out at the other end if someone wants to take a look
at it to possibly find out how this could happen.


- Håvard
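Added example, not part of the post or of OpenDNSSEC: a minimal Python check for the two structural faults dnssec-verify reported above (names without an NSEC3 record, and breaks in the NSEC3 chain), built on the hashed owner name computation from RFC 5155 section 5. The salt, iteration count and names are the RFC 5155 Appendix A sample values, not uninett.no's; RRSIG validity is out of scope.

```python
import hashlib
import base64

# Standard base32 -> base32hex alphabet (RFC 4648 section 7); NSEC3 owner names use base32hex.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def canonical_wire_name(name: str) -> bytes:
    """Domain name in canonical (lowercase, uncompressed) wire format."""
    labels = [l.encode("ascii") for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """Hashed owner name per RFC 5155 section 5: SHA-1 over name||salt, then
    `iterations` further rounds of SHA-1 over digest||salt; uppercase base32hex."""
    h = hashlib.sha1(canonical_wire_name(name) + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return base64.b32encode(h).decode("ascii").translate(_B32_TO_B32HEX)

def build_chain(names, salt, iterations):
    """Closed NSEC3 chain for the names: {hashed owner: next hashed owner}."""
    hashes = sorted(nsec3_hash(n, salt, iterations) for n in names)
    return {h: hashes[(i + 1) % len(hashes)] for i, h in enumerate(hashes)}

def check_nsec3_chain(names, nsec3_records, salt, iterations):
    """Report the two structural faults dnssec-verify flagged in the post: a name
    without an NSEC3 record, and an NSEC3 whose next-hash does not point at the
    following owner in hash order (chain break). RRSIGs are not checked here."""
    problems = []
    for n in names:
        h = nsec3_hash(n, salt, iterations)
        if h not in nsec3_records:
            problems.append(f"Missing NSEC3 record for {n} ({h})")
    owners = sorted(nsec3_records)  # base32hex sorts in the same order as the raw hash
    for i, owner in enumerate(owners):
        if nsec3_records[owner] != owners[(i + 1) % len(owners)]:
            problems.append(f"Break in NSEC3 chain at: {owner}")
    return problems

# Constructed sample input: the RFC 5155 Appendix A parameters and a few of its names.
SALT = bytes.fromhex("aabbccdd")
ITERATIONS = 12
NAMES = ["example", "ns1.example", "a.example", "w.example"]

if __name__ == "__main__":
    bad = build_chain(NAMES, SALT, ITERATIONS)
    del bad[nsec3_hash("a.example", SALT, ITERATIONS)]  # simulate one lost NSEC3 RR
    for p in check_nsec3_chain(NAMES, bad, SALT, ITERATIONS):
        print(p)
```

For a real zone, feed it the zone's owner names (including empty non-terminals) and the NSEC3 RRset parsed from the signed output, with salt and iterations taken from the NSEC3PARAM record.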

