[Dnssec-trigger] [PATCH] error no NSEC3 in nodata reply: kr.com always fails to validate

W.C.A. Wijngaards wouter at nlnetlabs.nl
Tue Aug 22 11:50:28 UTC 2017


Hi Petr,

Thank you for the patches.  I have replaced kr.com with uk.uk, that
seems to give an NSEC3 NXDOMAIN reply (from .uk).  And I have
incorporated the root server list update.

Best regards, Wouter

On 18/08/17 21:33, Petr Menšík wrote:
> Hi,
> 
> I am getting sometime errors in dnssec-trigger-control status
> 
> cache <fwdip>: error no NSEC3 in nodata reply
> 
> But strange was it shows only some time. Even stranger is that reprobe
> fixes it usually.
> 
> I found that kr.com is no longer validating at all. _probe.kr.com. is
> included in NSEC probes. It always fails if picked for test. It is used
> only with 25% propability, so unbound usually picked second forwarder
> but worked anyway.
> 
> I would replace it with something else, but have no clue how were
> current values picked. Were that values picked at random?
> 
> Second patch just updates root servers IP adresses.
> 
> I have created also pull request to simplify integration.
> https://github.com/NLnetLabs/dnssec-trigger/pull/1
> 
> And also Fedora bug for it:
> https://bugzilla.redhat.com/show_bug.cgi?id=1482939
> 
> Regards,
> Petr
> 
> 
> 
> _______________________________________________
> dnssec-trigger mailing list
> dnssec-trigger at NLnetLabs.nl
> https://open.nlnetlabs.nl/mailman/listinfo/dnssec-trigger
> 


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.nlnetlabs.nl/pipermail/dnssec-trigger/attachments/20170822/7ec971dc/attachment.bin>


More information about the dnssec-trigger mailing list