[Dnssec-trigger] A new kind of broken hotspot: RRSIG are OK but NSEC3 are deleted

W.C.A. Wijngaards wouter at NLnetLabs.nl
Thu Oct 27 17:18:51 UTC 2011


Hi Stephane,

On 10/27/2011 09:34 AM, Stephane Bortzmeyer wrote:
> 
> % dnssec-trigger-control status
> at 2011-10-27 09:26:01
> cache 192.168.254.2: OK
> state: cache secure
> 
> But 192.168.254.2 is not OK. It strips NSEC3 records.

Thanks for the report.  Adjusted svn trunk of dnssec-trigger: for caches
it probes "tld. TYPE_NULL" and checks that the answer contains an NSEC3
in the authority section.

If you are still at the hotspot, it should now work (well, probe that it
does *not* work) :-)

Best regards,
   Wouter
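
The check described in the reply above, as an added example that is not part of the original message and is not dnssec-trigger's own code: it parses a wire-format DNS response and reports whether the authority section still carries an NSEC3 record. The `example.` name standing in for the TLD, the function names and both sample responses are constructed for illustration.

```python
import struct

SOA, NULL, RRSIG, NSEC3 = 6, 10, 46, 50  # RR type codes

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:   # compression pointer ends the name
            return off + 2
        off += 1 + length
        if length == 0:               # root label ends the name
            return off

def authority_types(msg):
    """RR types found in the authority section of a wire-format response."""
    _id, _flags, qd, an, ns, _ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4             # skip QTYPE and QCLASS
    types = []
    for i in range(an + ns):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if off > len(msg):
            raise IndexError("RDATA runs past end of message")
        if i >= an:                               # past the answer section
            types.append(rtype)
    return types

def cache_passes_nsec3_probe(msg):
    """True only if the authority section still carries an NSEC3 record."""
    try:
        return NSEC3 in authority_types(msg)
    except (IndexError, struct.error):            # truncated or malformed
        return False

# --- Constructed sample responses (RDATA is dummy filler, not real records) ---
def name(s):
    return b"".join(bytes([len(l)]) + l.encode() for l in s.split(".") if l) + b"\0"
def rr(owner, rtype):
    return name(owner) + struct.pack("!HHIH", rtype, 1, 300, 4) + b"\0" * 4
def response(auth):
    head = struct.pack("!6H", 0x1234, 0x8180, 1, 0, len(auth), 0)
    return head + name("example.") + struct.pack("!HH", NULL, 1) + b"".join(auth)
INTACT = response([rr("example.", SOA), rr("example.", RRSIG),
                   rr("h4sh.example.", NSEC3), rr("h4sh.example.", RRSIG)])
STRIPPED = response([rr("example.", SOA), rr("example.", RRSIG)])
```

`STRIPPED` models the hotspot from the report: the SOA and its RRSIG survive, so a check that only looks for signatures passes, while the NSEC3 check fails.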
