[Opendnssec-user] NSEC3 resalting again

Havard Eidnes he at uninett.no
Fri Jan 13 15:44:46 UTC 2017

>>> it looks like the earlier problem I've had with a failure to remove
>>> the old NSEC3PARAM resource records in a re-salt event is back again,
>>> this time with OpenDNSSEC 1.4.10.
>> We have been able to reproduce the problem today. The offending sequence
>> of events is:
>> - ods-signer retransfer  (do an AXFR)
>> - Perform a resalt
>> NSEC3PARAM record gets a special treatment during XFR since it is
>> generated by OpenDNSSEC and it is not expected from the input zone. When
>> processing changes after a AXFR the NSEC3PARAM record is skipped. This
>> however causes any existing NSEC3PARAM record marked as 'added'.
>> Later in the NSEC3 generate stage this causes the existing record to
>> stay in the zone. Triggering your case.
>> I do have a patch that works but we still have to evaluate if it is
>> entirely correct.
> Thanks, that's good news.

Any additional news on this?  Is there perhaps now a patch I can
apply on top of 1.4.12?


- Håvard

More information about the Opendnssec-user mailing list