[Opendnssec-user] NSEC3 resalting again

Havard Eidnes he at uninett.no
Fri Jan 13 15:44:46 UTC 2017


>>> it looks like the earlier problem I've had with a failure to remove
>>> the old NSEC3PARAM resource records in a re-salt event is back again,
>>> this time with OpenDNSSEC 1.4.10.
>>
>> We have been able to reproduce the problem today. The offending sequence
>> of events is:
>>
>> - ods-signer retransfer  (do an AXFR)
>> - Perform a resalt
>>
>> NSEC3PARAM record gets a special treatment during XFR since it is
>> generated by OpenDNSSEC and it is not expected from the input zone. When
>> processing changes after an AXFR the NSEC3PARAM record is skipped. This
>> however causes any existing NSEC3PARAM record to be marked as 'added'.
>>
>> Later in the NSEC3 generate stage this causes the existing record to
>> stay in the zone, triggering your case.
>>
>> I do have a patch that works but we still have to evaluate if it is
>> entirely correct.
>
> Thanks, that's good news.

Any additional news on this?  Is there perhaps now a patch I can
apply on top of 1.4.12?

Regards,

- Håvard
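
An added example, not part of the original post and not OpenDNSSEC code: a check for the symptom discussed in this thread, an old NSEC3PARAM left in the signed zone after a resalt. It relies on RFC 5155, under which an NSEC3PARAM's algorithm, iterations and salt must match an NSEC3 chain in the zone. The function names and the sample zone are constructed; the parser assumes one record per line with an explicit owner and a numeric TTL.

```python
CLASSES = {"IN", "CH", "HS"}

# Constructed signed-zone excerpt: the NSEC3 chain uses salt "beef", but an
# NSEC3PARAM carrying the previous salt "a1b2" is still present at the apex.
SAMPLE_ZONE = """\
example.org. 3600 IN SOA ns1.example.org. host.example.org. 2017011301 3600 600 604800 3600
example.org. 0 IN NSEC3PARAM 1 0 5 a1b2
example.org. 0 IN NSEC3PARAM 1 0 5 BEEF
example.org. IN RRSIG NSEC3PARAM 8 2 0 20170201000000 20170113000000 12345 example.org. c2ln
0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example.org. 3600 IN NSEC3 1 1 5 beef 2t7b4g4vsa5smi47k61mv5bv1a22bojr NS SOA RRSIG DNSKEY NSEC3PARAM
2t7b4g4vsa5smi47k61mv5bv1a22bojr.example.org. 3600 IN NSEC3 1 1 5 beef 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom A RRSIG
"""

def nsec3_params(zone_text):
    """Return (NSEC3PARAM entries, parameter sets used by NSEC3 records)."""
    advertised, in_use = [], set()
    for line in zone_text.splitlines():
        tokens = line.split(";", 1)[0].split()
        # Skip owner, then optional TTL and class, to land on the RR type.
        i = 1
        while i < len(tokens) and (tokens[i].isdigit() or tokens[i].upper() in CLASSES):
            i += 1
        if i >= len(tokens) or len(tokens) < i + 5:
            continue
        rrtype = tokens[i].upper()
        if rrtype not in ("NSEC3PARAM", "NSEC3"):
            continue  # e.g. an RRSIG that merely covers NSEC3PARAM
        alg, _flags, iterations, salt = tokens[i + 1:i + 5]
        # Flags are ignored: opt-out is set on NSEC3 but not on NSEC3PARAM.
        key = (int(alg), int(iterations), salt.lower())
        if rrtype == "NSEC3PARAM":
            advertised.append((tokens[0].lower(), key))
        else:
            in_use.add(key)
    return advertised, in_use

def stale_nsec3param(zone_text):
    """List NSEC3PARAM records whose parameters match no NSEC3 record."""
    advertised, in_use = nsec3_params(zone_text)
    return [(owner, key) for owner, key in advertised if key not in in_use]

if __name__ == "__main__":
    for owner, (alg, iterations, salt) in stale_nsec3param(SAMPLE_ZONE):
        print(f"stale NSEC3PARAM at {owner}: alg={alg} iter={iterations} salt={salt}")
```

Running it against the signer's output file after each resalt gives an early warning before validators see the leftover record.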


