[Opendnssec-user] NSEC3 resalting again

Yuri Schaeffer yuri at nlnetlabs.nl
Thu Oct 20 20:06:17 UTC 2016


Hi Håvard,

> it looks like the earlier problem I've had with a failure to remove
> the old NSEC3PARAM resource records in a re-salt event is back again,
> this time with OpenDNSSEC 1.4.10.

We have been able to reproduce the problem today. The offending sequence
of events is:

- ods-signer retransfer (do an AXFR)
- Perform a resalt

The NSEC3PARAM record gets special treatment during XFR since it is
generated by OpenDNSSEC and is not expected from the input zone. When
processing changes after an AXFR the NSEC3PARAM record is skipped. This,
however, causes any existing NSEC3PARAM record to be marked as 'added'.

Later, in the NSEC3 generate stage, this causes the existing record to
stay in the zone, triggering your case.

I do have a patch that works but we still have to evaluate if it is
entirely correct.

Regards,
Yuri
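
A check for the symptom described in this message, as an added example that is not part of the original post or of OpenDNSSEC: it reads a signed zone and reports NSEC3PARAM records whose algorithm, iterations and salt are not used by any NSEC3 record. The zone name, salts and hashes are constructed, and the parser assumes presentation format with one record per line.

```python
"""Added example: flag stale NSEC3PARAM records left behind after a re-salt."""

# Constructed sample: signed-zone excerpt, one record per line, salts made up.
SAMPLE_ZONE = """\
example.com. 3600 IN SOA ns1.example.com. host.example.com. 2016102001 3600 600 604800 3600
example.com. 0 IN NSEC3PARAM 1 0 5 aabbccdd
example.com. 0 IN NSEC3PARAM 1 0 5 11223344
example.com. 0 IN RRSIG NSEC3PARAM 8 2 0 20161103000000 20161020000000 12345 example.com. c2lnbmF0dXJl
0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example.com. 3600 IN NSEC3 1 0 5 11223344 2t7b4g4vsa5smi47k61mv5bv1a22bojr A RRSIG
"""


def rr_type_and_rdata(line):
    """Return (type, rdata tokens) for an 'owner [ttl] [class] type rdata' line."""
    tokens = line.split(";", 1)[0].split()  # drop trailing comment
    for i, tok in enumerate(tokens[1:], start=1):
        if tok.isdigit() or tok.upper() in ("IN", "CH", "HS"):
            continue  # TTL or class field, the type comes after these
        return tok.upper(), tokens[i + 1:]
    return None, []


def audit_nsec3param(zone_text):
    """Compare NSEC3PARAM parameters with those the NSEC3 chain really uses."""
    params, chain = [], set()
    for line in zone_text.splitlines():
        rtype, rdata = rr_type_and_rdata(line)
        if rtype in ("NSEC3PARAM", "NSEC3") and len(rdata) >= 4:
            # Flags are ignored: NSEC3 may carry opt-out, NSEC3PARAM never does.
            alg, _flags, iterations, salt = rdata[:4]
            key = (alg, iterations, salt.lower())
            if rtype == "NSEC3PARAM":
                params.append(key)
            else:
                chain.add(key)
    stale = [p for p in params if p not in chain]
    return {"nsec3param": params, "chain": sorted(chain), "stale": stale}


if __name__ == "__main__":
    report = audit_nsec3param(SAMPLE_ZONE)
    print("NSEC3PARAM records:", len(report["nsec3param"]))
    for alg, iterations, salt in report["stale"]:
        print(f"stale NSEC3PARAM: alg={alg} iterations={iterations} salt={salt}")
```
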
