From pemensik at redhat.com Fri Aug 18 19:33:59 2017
From: pemensik at redhat.com (Petr Menšík)
Date: Fri, 18 Aug 2017 21:33:59 +0200
Subject: [Dnssec-trigger] [PATCH] error no NSEC3 in nodata reply: kr.com always fails to validate
Message-ID: <8568bbb4-8ae8-1486-fc9a-7e9569e827b2@redhat.com>

Hi,

I am sometimes getting errors in dnssec-trigger-control status

cache : error no NSEC3 in nodata reply

But the strange thing was that it shows only some of the time. Even
stranger is that a reprobe usually fixes it.

I found that kr.com is no longer validating at all. _probe.kr.com. is
included in NSEC probes. It always fails if picked for test. It is used
only with 25% probability, so unbound usually picked the second forwarder
but worked anyway.

I would replace it with something else, but have no clue how the
current values were picked. Were those values picked at random?

The second patch just updates the root servers' IP addresses.

I have also created a pull request to simplify integration.
https://github.com/NLnetLabs/dnssec-trigger/pull/1

And also a Fedora bug for it:
https://bugzilla.redhat.com/show_bug.cgi?id=1482939

Regards,
Petr

--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik at redhat.com  PGP: 65C6C973
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Remove-kr.com-because-of-DNSSEC-failures.patch
Type: text/x-patch
Size: 874 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-Update-root-servers-IPs.patch
Type: text/x-patch
Size: 1410 bytes

From wouter at nlnetlabs.nl Tue Aug 22 11:50:28 2017
From: wouter at nlnetlabs.nl (W.C.A. Wijngaards)
Date: Tue, 22 Aug 2017 13:50:28 +0200
Subject: [Dnssec-trigger] [PATCH] error no NSEC3 in nodata reply: kr.com always fails to validate
In-Reply-To: <8568bbb4-8ae8-1486-fc9a-7e9569e827b2@redhat.com>
References: <8568bbb4-8ae8-1486-fc9a-7e9569e827b2@redhat.com>
Message-ID: <42a03e8a-a776-f2cf-0d10-d5c5f267bbd8@nlnetlabs.nl>

Hi Petr,

Thank you for the patches. I have replaced kr.com with uk.uk, which seems
to give an NSEC3 NXDOMAIN reply (from .uk). And I have incorporated the
root server list update.

Best regards,
Wouter

On 18/08/17 21:33, Petr Menšík wrote:
> Hi,
>
> I am sometimes getting errors in dnssec-trigger-control status
>
> cache : error no NSEC3 in nodata reply
>
> But the strange thing was that it shows only some of the time. Even
> stranger is that a reprobe usually fixes it.
>
> I found that kr.com is no longer validating at all. _probe.kr.com. is
> included in NSEC probes. It always fails if picked for test. It is used
> only with 25% probability, so unbound usually picked the second forwarder
> but worked anyway.
>
> I would replace it with something else, but have no clue how the
> current values were picked. Were those values picked at random?
>
> The second patch just updates the root servers' IP addresses.
>
> I have also created a pull request to simplify integration.
> https://github.com/NLnetLabs/dnssec-trigger/pull/1
>
> And also a Fedora bug for it:
> https://bugzilla.redhat.com/show_bug.cgi?id=1482939
>
> Regards,
> Petr
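
The replacement probe name in the thread above was chosen because it returns a negative reply that carries NSEC3 records. As an added example (not part of the thread, and not dnssec-trigger's own probe code), this Python check applies that criterion to `dig +dnssec` text output when vetting a candidate probe name; the function names, the `_probe.example.` name and the sample replies are constructed for illustration.

```python
import re

# Constructed sample of `dig +dnssec` output for a non-existent probe name;
# owner names, hashes and signatures are placeholders, not real records.
SIGNED = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; QUESTION SECTION:
;_probe.example.   IN   A

;; AUTHORITY SECTION:
example. 3600 IN SOA ns.example. host.example. 1 7200 900 1209600 3600
example. 3600 IN RRSIG SOA 8 1 3600 20170901000000 20170818000000 1 example. SIG=
hash0placeholder.example. 3600 IN NSEC3 1 0 10 - HASH1PLACEHOLDER NS SOA RRSIG
hash0placeholder.example. 3600 IN RRSIG NSEC3 8 2 3600 20170901000000 20170818000000 1 example. SIG=
"""
# Same constructed reply with the NSEC3 proof stripped, as an upstream that
# drops DNSSEC records (or an unsigned zone) would return it.
UNSIGNED = "\n".join(l for l in SIGNED.splitlines() if "NSEC3" not in l)

def parse_dig(text):
    """Return (status, {section: [(owner, rrtype, rdata_fields), ...]})."""
    status = re.search(r"status: (\w+)", text)
    sections, current = {}, None
    for line in text.splitlines():
        head = re.match(r";; (\w+) SECTION:", line)
        if head:
            current = head.group(1)
            sections[current] = []
        elif current and line and not line.startswith(";"):
            f = line.split()              # owner ttl class type rdata...
            if len(f) >= 4:
                sections[current].append((f[0], f[3], f[4:]))
        elif not line.strip():
            current = None                # a blank line ends the section
    return (status.group(1) if status else None), sections

def check_probe_reply(text):
    """Classify a reply for a name that is expected not to exist."""
    status, sections = parse_dig(text)
    if status not in ("NXDOMAIN", "NOERROR") or sections.get("ANSWER"):
        return "not a negative reply"
    auth = sections.get("AUTHORITY", [])
    if not any(rrtype == "NSEC3" for _, rrtype, _ in auth):
        return "no NSEC3 in negative reply"
    # The proof is only usable if an RRSIG covering type NSEC3 came with it.
    if not any(t == "RRSIG" and rd[:1] == ["NSEC3"] for _, t, rd in auth):
        return "NSEC3 without RRSIG"
    return "ok"
```

Running the check against the output of each forwarder in use shows whether a failure follows the probe name or the resolver.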