[Dnssec-trigger] [PATCH] error no NSEC3 in nodata reply: kr.com always fails to validate

Petr Menšík pemensik at redhat.com
Fri Aug 18 19:33:59 UTC 2017


Hi,

I am sometimes getting errors in dnssec-trigger-control status:

cache <fwdip>: error no NSEC3 in nodata reply

But what was strange is that it shows only sometimes. Even stranger is
that a reprobe usually fixes it.

I found that kr.com is no longer validating at all. _probe.kr.com. is
included in the NSEC probes. It always fails if picked for the test. It is
used only with 25% probability, so unbound usually picked the second
forwarder but worked anyway.

I would replace it with something else, but have no clue how the
current values were picked. Were those values picked at random?

The second patch just updates the root servers' IP addresses.

I have also created a pull request to simplify integration.
https://github.com/NLnetLabs/dnssec-trigger/pull/1

And also a Fedora bug for it:
https://bugzilla.redhat.com/show_bug.cgi?id=1482939

Regards,
Petr
-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik at redhat.com  PGP: 65C6C973
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Remove-kr.com-because-of-DNSSEC-failures.patch
Type: text/x-patch
Size: 874 bytes
Desc: not available
URL: <http://lists.nlnetlabs.nl/pipermail/dnssec-trigger/attachments/20170818/9558bb01/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-Update-root-servers-IPs.patch
Type: text/x-patch
Size: 1410 bytes
Desc: not available
URL: <http://lists.nlnetlabs.nl/pipermail/dnssec-trigger/attachments/20170818/9558bb01/attachment-0001.bin>