[nsd-users] nsec3 hash collision

Fredrik Pettai pettai at nordu.net
Mon Feb 6 09:09:47 UTC 2017

> On 6 Feb 2017, at 09:40, W.C.A. Wijngaards <wouter at nlnetlabs.nl> wrote:
> Hi Fredrik,
> Change the nsec3 salt at the zone signer for this zone.

The master is a InfoBlox appliance I've heard.

> The sender is sending queries for a nonexist name that hashes (exactly)
> to the same hash as the hash for an existing name in the zone.

Oh, is this possible? This is just a small zone containing ~1200 RRs
(Which leads to the question if it exist any kind of statistics regarding this?)
Looks more like a bug or non-existing or bad verification at the master/signer side

>  This is what NSD logs.  With this printout you can figure out that the short
> NSEC3-string for the query name, and the nsec3 string for one of the
> names in your zone, have the same hash.
> NSD has replied SERVFAIL to that client, since an NSEC3 nonexistance
> proof is impossible.  So, no issues except the log file spam.
> At what verbosity level should I log these messages, you would think?
> Then I'll fix the code for that.

I’m running at verbosity: 2
I have no special requirements regarding the verbosity level.

Would it be wrongly placed if it was moved to verbosity 3?
Perhaps just one notification about hash collision would suffice for verbosity 2?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 496 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.nlnetlabs.nl/pipermail/nsd-users/attachments/20170206/43d58914/attachment.bin>

More information about the nsd-users mailing list