[nsd-users] NSD 3.2.5 not serving NSEC3

W.C.A. Wijngaards wouter at nlnetlabs.nl
Mon Mar 26 13:37:12 CEST 2012


Hi,

On 03/26/2012 01:10 PM, Miek Gieben wrote:
> [ Quoting <c.gielen at uvt.nl> in "[nsd-users] NSD 3.2.5 not serving
> N..." ]
>> Hello, I'm converting my setup from NSD 3.0.7 to NSD 3.2.5. It
>> seems like NSD3.2.5 does not serve NSEC3 records. I've got a
>> hidden master and two slaves. The master and one slave run
>> NSD3.2.5, the other slave still runs 3.0.7. NSEC3 queries work
>> for the old slave, but fail on the master and the new slave.
>> 
>> The slaves are provisioned through XFR.
> 
>> # dig +short  -tANY 7bomoj6sqq183dea9ljtlg4v6mta3vr8.mijnuvt.nl. @master.3.2.5
>> # dig +short  -tANY 7bomoj6sqq183dea9ljtlg4v6mta3vr8.mijnuvt.nl. @slave.3.2.5
>> # dig +short  -tANY 7bomoj6sqq183dea9ljtlg4v6mta3vr8.mijnuvt.nl. @slave.3.0.7
>> 1 0 5 3F5B57AEA37819BD 9HGMPSH7HR04DVD5IR8U04F64KIGGE57 NS SOA MX RRSIG DNSKEY NSEC3PARAM
>> NSEC3 8 3 3600 20120331095329 20120324082808 45505 mijnuvt.nl. LXAixCSfTI/C+MXAP77cpTXlpZjGu4cDsbGVFyhs7PjytoY7bB75/qIm l6eK67tgSN1yxSc1+A4fp0Fizv/+vTTgxZMTcX4+nAERkYJkWwykLRW8 xZD7QBlAeNJ58/LexU02mL/rfPngHScYJLdMRVUIu0O691YmIvEpDLJu ct4=
>> 
>> # proof that the servers are in sync
> 
> I don't know if you have found a bug in NSD, but trying to make a
> point with ANY queries isn't helpful. There isn't a good spec. that
> tells you what ANY should return.

The NSEC3 spec forbids direct queries for NSEC3 records.  You can
query for NSEC3PARAM records.  You can query for nxdomain and see the
NSEC3 records in the reply (+dnssec).

Or perhaps you re-signed the zone and used a different salt?

Best regards,
   Wouter

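Added example (not part of the original message and not NSD code): the RFC 5155 owner-name hash, showing that an NSEC3 owner label is a function of the name, the salt and the iteration count, so a label taken from one signing no longer exists after a re-sign with a different salt. The function names are assumptions of this example; the first call uses the RFC 5155 Appendix A parameters, and the last call uses the label and parameters from the quoted dig output.

```python
import base64
import hashlib

# Maps the standard base32 alphabet onto base32hex, the encoding RFC 5155 uses for owner labels.
_TO_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                             b"0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name: str) -> bytes:
    """Canonical (lowercased) DNS wire format of a fully qualified name."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if not label:
            continue  # root name or stray dot
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError(f"label too long: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 hash (algorithm 1, SHA-1) as the lowercase base32hex label."""
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):  # 'iterations' counts the additional rounds
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_TO_B32HEX).decode("ascii").lower()


def label_matches(label: str, name: str, salt_hex: str, iterations: int) -> bool:
    """True if 'label' is the NSEC3 owner label of 'name' under these parameters."""
    return label.lower() == nsec3_hash(name, salt_hex, iterations)


if __name__ == "__main__":
    # RFC 5155 Appendix A parameters: salt aabbccdd, 12 iterations.
    print(nsec3_hash("example.", "aabbccdd", 12))
    # Same name, different salt: a different owner label.
    print(nsec3_hash("example.", "3F5B57AEA37819BD", 12))
    # Label and parameters from the quoted dig output, checked against the zone apex.
    print(label_matches("7bomoj6sqq183dea9ljtlg4v6mta3vr8", "mijnuvt.nl.",
                        "3F5B57AEA37819BD", 5))
```

Comparing the salt and iteration count in the NSEC3PARAM record on each server shows whether they are serving the same signing of the zone.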
