[Opendnssec-user] NSEC3 resalting again

Havard Eidnes he at uninett.no
Mon Oct 24 15:32:54 UTC 2016


>> it looks like the earlier problem I've had with a failure to remove
>> the old NSEC3PARAM resource records in a re-salt event is back again,
>> this time with OpenDNSSEC 1.4.10.
>
> We have been able to reproduce the problem today. The offending sequence
> of events is:
>
> - ods-signer retransfer  (do an AXFR)
> - Perform a resalt
>
> The NSEC3PARAM record gets special treatment during XFR since it is
> generated by OpenDNSSEC and it is not expected from the input zone. When
> processing changes after an AXFR the NSEC3PARAM record is skipped. This,
> however, causes any existing NSEC3PARAM record to be marked as 'added'.
>
> Later in the NSEC3 generate stage this causes the existing record to
> stay in the zone, triggering your case.
>
> I do have a patch that works but we still have to evaluate if it is
> entirely correct.

Thanks, that's good news.  Sorry I went sort of quiet after my
initial message.

Regards,

- Håvard
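
A check an operator could run over the signed zone file to spot the leftover record described in the quoted report, as an added example that is not part of the original message or of OpenDNSSEC: it lists NSEC3PARAM records whose hash algorithm, iterations and salt match no NSEC3 record in the zone. The zone excerpt, owner names and function names are constructed, and it assumes one record per line with numeric TTLs.

```python
# Added example: flag NSEC3PARAM records that no NSEC3 chain in the zone uses.
# Constructed sample: signed-zone excerpt after a resalt where the old
# NSEC3PARAM (salt a1b2c3d4) was left behind. All values are made up.
SAMPLE_ZONE = """\
example.org. 3600 IN SOA ns1.example.org. host.example.org. 2016102401 3600 600 1209600 3600
example.org. 0 IN NSEC3PARAM 1 0 5 a1b2c3d4
example.org. 0 IN NSEC3PARAM 1 0 5 9f8e7d6c
example.org. 0 IN RRSIG NSEC3PARAM 8 2 0 20161123000000 20161024000000 12345 example.org. c2FtcGxl
0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example.org. 3600 IN NSEC3 1 0 5 9F8E7D6C 2t7b4g4vsa5smi47k61mv5bv1a22bojr NS SOA RRSIG DNSKEY NSEC3PARAM
2t7b4g4vsa5smi47k61mv5bv1a22bojr.example.org. 3600 IN NSEC3 1 0 5 9F8E7D6C 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom A RRSIG
"""

CLASSES = ("IN", "CH", "HS")


def rr_type_index(fields):
    """Index of the TYPE token: first token after the owner that is
    neither a numeric TTL nor a class (assumption: TTLs are plain integers)."""
    for i in range(1, min(len(fields), 4)):
        if not fields[i].isdigit() and fields[i].upper() not in CLASSES:
            return i
    return None


def stale_nsec3params(zone_text):
    """Return sorted (algorithm, iterations, salt) tuples that appear in an
    NSEC3PARAM record but in no NSEC3 record of the same zone text."""
    declared, in_use = set(), set()
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()   # drop trailing comments
        i = rr_type_index(fields)
        if i is None or len(fields) < i + 5:
            continue
        rtype = fields[i].upper()
        if rtype not in ("NSEC3", "NSEC3PARAM"):
            continue                              # e.g. RRSIG covering NSEC3PARAM
        alg, _flags, iterations, salt = fields[i + 1:i + 5]
        key = (int(alg), int(iterations), salt.lower())  # salt hex is case-insensitive
        (declared if rtype == "NSEC3PARAM" else in_use).add(key)
    return sorted(declared - in_use)


if __name__ == "__main__":
    for alg, iterations, salt in stale_nsec3params(SAMPLE_ZONE):
        print(f"NSEC3PARAM without matching chain: alg={alg} iter={iterations} salt={salt}")
```

An empty result means every NSEC3PARAM in the file is backed by at least one NSEC3 record with the same parameters; it does not verify that the chain itself is complete.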



