[Opendnssec-user] NSEC3 resalting again

Havard Eidnes he at uninett.no
Mon Oct 24 15:32:54 UTC 2016

>> it looks like the earlier problem I've had with a failure to remove
>> the old NSEC3PARAM resource records in a re-salt event is back again,
>> this time with OpenDNSSEC 1.4.10.
> We have been able to reproduce the problem today. The offending sequence
> of events is:
> - ods-signer retransfer  (do an AXFR)
> - Perform a resalt
> NSEC3PARAM record gets a special treatment during XFR since it is
> generated by OpenDNSSEC and it is not expected from the input zone. When
> processing changes after a AXFR the NSEC3PARAM record is skipped. This
> however causes any existing NSEC3PARAM record marked as 'added'.
> Later in the NSEC3 generate stage this causes the existing record to
> stay in the zone. Triggering your case.
> I do have a patch that works but we still have to evaluate if it is
> entirely correct.

Thanks, that's good news.  Sorry I went sort of quiet after my
initial message.


- Håvard

More information about the Opendnssec-user mailing list