[nsd-users] NSD 3.2.18 and wildcard RR problems
W.C.A. Wijngaards
wouter at nlnetlabs.nl
Thu Nov 20 08:27:48 UTC 2014
Hi Fredrik,
On 20/11/14 00:04, Fredrik Pettai wrote:
> Hi,
>
> We've stumbled upon a problem with two zones that are slaved at our
> server running NSD 3.2.18. The zone contains something like this:
>
> *.foo.bar.nordu.net www.foo.bar.nordu.net
>
> The RR www.foo.bar.nordu.net doesn't seem to get into the zone at
> the slave (when I look in the zone file dump).
There are fixes in svn for the next 3.2.x release that are about
wildcard addition and removal, caused by the recent wildcard fixes.
> Perhaps related, the nsd.log is containing this stuff too:
>
> [1416437470] nsd[11647]: warning: prehash: collision of wildcard
> denial for foo.bar.nordu.net.. Sign zone with different salt to
> remove collision.
This issue will remain even if you were to use the patched NSD from
the code repository. Supposedly, it only depends on the zone and
nsec3 parameters.
> But someone else reported this zone wildcard problem (for the
> non-wildcard RR) for an unsigned zone too…
Yes, you seem to have two problems, the wildcard and this nsec3
collision. If the nsec3 collision is also a bug in the nsd code, and
not an actual sha1 collision, we should somehow isolate and debug it.
(probability is on that being a bug).
Best regards,
Wouter
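
One way to tell a real SHA-1 collision from a server bug is to recompute the NSEC3 hashes (RFC 5155, section 5) outside the server and compare them. The script below is an added example, not part of the original message and not NSD code. It assumes the "wildcard denial" hash in the log line is the NSEC3 hash of *.<name>; the salt and iteration count are constructed sample values, so substitute the ones from the zone's NSEC3PARAM record.

```python
import base64
import hashlib
from collections import defaultdict

# Translate the standard base32 alphabet to lowercase base32hex (RFC 4648).
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789abcdefghijklmnopqrstuv")

def to_wire(name):
    """Canonical (lowercased) DNS wire format of an owner name."""
    out = b""
    for label in (l for l in name.lower().rstrip(".").split(".") if l):
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label longer than 63 octets: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def nsec3_hash(name, salt_hex, iterations):
    """Iterated, salted SHA-1 of the owner name, base32hex encoded."""
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(to_wire(name) + salt).digest()
    for _ in range(iterations):  # the count is the number of extra rounds
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode("ascii")

def find_collisions(names, salt_hex, iterations):
    """Hash every name and its wildcard child (assumed meaning of
    'wildcard denial'); return hashes shared by two or more distinct names."""
    seen = defaultdict(set)
    for name in names:
        base = name.lower().rstrip(".")
        candidates = {base} if base.startswith("*.") else {base, "*." + base}
        for cand in candidates:
            seen[nsec3_hash(cand, salt_hex, iterations)].add(cand)
    return {h: sorted(n) for h, n in seen.items() if len(n) > 1}

# Owner names quoted in the thread. Salt and iterations are constructed
# sample values, not the parameters of the real zone.
ZONE_NAMES = ["foo.bar.nordu.net", "*.foo.bar.nordu.net", "www.foo.bar.nordu.net"]
SAMPLE_SALT, SAMPLE_ITERATIONS = "aabbccdd", 12

if __name__ == "__main__":
    for n in ZONE_NAMES:
        print(nsec3_hash(n, SAMPLE_SALT, SAMPLE_ITERATIONS), n)
    hits = find_collisions(ZONE_NAMES, SAMPLE_SALT, SAMPLE_ITERATIONS)
    print("collisions:", hits if hits else "none")
```

If this reports no collision for the zone's own names and parameters while the server still logs the warning, the warning does not come from an actual hash collision.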