[nsd-users] NSD 3.2.5 not serving NSEC3

Casper Gielen c.gielen at uvt.nl
Mon Mar 26 09:45:16 UTC 2012


Hello,
I'm converting my setup from NDS 3.0.7 to NSD 3.2.5. It seems like NSD3.2.5 does not server NSEC3 records.
I've got a hidden master and two slaves. The master and one slave run NSD3.2.5, the other slave still runs 3.0.7.
NSEC3 queries work for the old slave, but fail on the master and the new slave.

The slaves are provisioned through XFR.


# first find an NSEC3 record on the master:

# grep NSEC3 mijnuvt.nl |head -n 4
mijnuvt.nl.     3600    IN      NSEC3PARAM      1 0 5 3f5b57aea37819bd 
mijnuvt.nl.     3600    IN      RRSIG   NSEC3PARAM 8 2 3600 20120402093126 20120325235926 45505 mijnuvt.nl. h/Fe0oZS/+QpdtscqReJ0gXOSahv1qnFGmYANdh0KytVrCACnThLos556jkjmjw+cHlk5QH/Gf6m6YRJuxKsNXQHQoWkfBAGCH/Gz1zRkimrQcxPKAYKtqpocWN8KbNrb4oZuptjrrvZzNwG0KuPBOcswK88qBJpU/V/g3uXbvY=
7bomoj6sqq183dea9ljtlg4v6mta3vr8.mijnuvt.nl.    3600    IN      NSEC3   1 0 5 3f5b57aea37819bd  9hgmpsh7hr04dvd5ir8u04f64kigge57 NS SOA MX RRSIG DNSKEY NSEC3PARAM 
7bomoj6sqq183dea9ljtlg4v6mta3vr8.mijnuvt.nl.    3600    IN      RRSIG   NSEC3 8 3 3600 20120331095329 20120324082808 45505 mijnuvt.nl. LXAixCSfTI/C+MXAP77cpTXlpZjGu4cDsbGVFyhs7PjytoY7bB75/qIml6eK67tgSN1yxSc1+A4fp0Fizv/+vTTgxZMTcX4+nAERkYJkWwykLRW8xZD7QBlAeNJ58/LexU02mL/rfPngHScYJLdMRVUIu0O691YmIvEpDLJuct4=


# dig +short  -tANY 7bomoj6sqq183dea9ljtlg4v6mta3vr8.mijnuvt.nl. @master.3.2.5
# dig +short  -tANY 7bomoj6sqq183dea9ljtlg4v6mta3vr8.mijnuvt.nl. @slave.3.2.5
# dig +short  -tANY 7bomoj6sqq183dea9ljtlg4v6mta3vr8.mijnuvt.nl. @slave.3.0.7
1 0 5 3F5B57AEA37819BD 9HGMPSH7HR04DVD5IR8U04F64KIGGE57 NS SOA MX RRSIG DNSKEY NSEC3PARAM
NSEC3 8 3 3600 20120331095329 20120324082808 45505 mijnuvt.nl. LXAixCSfTI/C+MXAP77cpTXlpZjGu4cDsbGVFyhs7PjytoY7bB75/qIm l6eK67tgSN1yxSc1+A4fp0Fizv/+vTTgxZMTcX4+nAERkYJkWwykLRW8 xZD7QBlAeNJ58/LexU02mL/rfPngHScYJLdMRVUIu0O691YmIvEpDLJu ct4=

# proof that the servers are in sync
# dig +short +dnssec -tSOA  mijnuvt.nl @master.3.2.5
ns1.uvt.nl. hostmaster.uvt.nl. 2012032601 28800 14400 604800 3600
SOA 8 2 3600 20120401174722 20120326015928 45505 mijnuvt.nl. KSqhqKleUdxOTVoSoaMvyjlJmQbMama1SzlMgos8D3zXGhk2L8vRz7Cd beXIK16ItwqfNarJGkBF//FX4Gcqh/hqR+dZwAcaIbuEerLH5dZFspUu 87PF37Xx7lspd9EqLcg05lUiSNdJyv5zs7ZLTUiBjRE7Vxmvtn2zOaNN yyQ=
# dig +short +dnssec -tSOA  mijnuvt.nl @slave.3.2.5   
ns1.uvt.nl. hostmaster.uvt.nl. 2012032601 28800 14400 604800 3600
SOA 8 2 3600 20120401174722 20120326015928 45505 mijnuvt.nl. KSqhqKleUdxOTVoSoaMvyjlJmQbMama1SzlMgos8D3zXGhk2L8vRz7Cd beXIK16ItwqfNarJGkBF//FX4Gcqh/hqR+dZwAcaIbuEerLH5dZFspUu 87PF37Xx7lspd9EqLcg05lUiSNdJyv5zs7ZLTUiBjRE7Vxmvtn2zOaNN yyQ=
# dig +short +dnssec -tSOA  mijnuvt.nl @slave.3.0.7
ns1.uvt.nl. hostmaster.uvt.nl. 2012032601 28800 14400 604800 3600
SOA 8 2 3600 20120401174722 20120326015928 45505 mijnuvt.nl. KSqhqKleUdxOTVoSoaMvyjlJmQbMama1SzlMgos8D3zXGhk2L8vRz7Cd beXIK16ItwqfNarJGkBF//FX4Gcqh/hqR+dZwAcaIbuEerLH5dZFspUu 87PF37Xx7lspd9EqLcg05lUiSNdJyv5zs7ZLTUiBjRE7Vxmvtn2zOaNN yyQ=

I noticed that NSEC3 is not officially supported in 3.0.7 so it is
odd that this system does show the records and not the newer systems.
Is this a bug or do I misunderstand NSEC3 ?

-- 
Casper Gielen <cgielen at uvt.nl> | LIS UNIX
PGP fingerprint = 16BD 2C9F 8156 C242 F981  63B8 2214 083C F80E 4AF7

Universiteit van Tilburg | Postbus 90153, 5000 LE
Warandelaan 2 | Telefoon 013 466 4100 | G 236 | http://www.uvt.nl



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 262 bytes
Desc: OpenPGP digital signature
URL: <http://lists.nlnetlabs.nl/pipermail/nsd-users/attachments/20120326/d75f9baf/attachment.bin>


More information about the nsd-users mailing list