[nsd-users] wrong NSEC3 responses

Klaus Darilion klaus.darilion at nic.at
Wed Aug 17 08:42:02 UTC 2022 

Hello!

We noticed that some of our NSD 4.3.5 secondaries answered with incomplete NSEC3 RRs for NOERROR/NODATA queries. See below. We could fix the issue by restarting NSD, or by "force_transfer" the zone. I see there are some NSEC3 related changes since 4.3.5, but the commit messages do not fit our problems. Hence, have you heard about this problem? Shall we further debug/watch the issue, or shall we just upgrade to 4.6 to get all NSEC3 fixes.

Thanks
Klaus


BAD RESPONSE
# dig +nsid +dnssec @194.0.25.31 +nocrypto DS gov.cy
;; AUTHORITY SECTION:
cy.                     7200    IN      SOA     cynic6.dns.cy. cydns.ucy.ac.cy. 2022081701 10800 3600 1209600 86400
cy.                     7200    IN      RRSIG   SOA 13 1 7200 20220915210502 20220816200502 60430 cy. [omitted]
980985v4suav2r0hjg81890lr96e1ft9.cy. 86400 IN NSEC3 1 1 0 - 9EANNQLG89O84OKJKCC7TMU6CNQ4TOKD NS SOA RRSIG DNSKEY NSEC3PARAM TYPE65534
980985v4suav2r0hjg81890lr96e1ft9.cy. 86400 IN RRSIG NSEC3 13 2 86400 20220828231753 20220729222906 60430 cy. [omitted]


# nsd-control force_transfer cy
ok


GOOD RESPONSE
# dig +nsid +dnssec @194.0.25.31 +nocrypto DS gov.cy
;; AUTHORITY SECTION:
cy.                     7200    IN      SOA     cynic6.dns.cy. cydns.ucy.ac.cy. 2022081701 10800 3600 1209600 86400
cy.                     7200    IN      RRSIG   SOA 13 1 7200 20220915210502 20220816200502 60430 cy. [omitted]
980985v4suav2r0hjg81890lr96e1ft9.cy. 86400 IN NSEC3 1 1 0 - 9EANNQLG89O84OKJKCC7TMU6CNQ4TOKD NS SOA RRSIG DNSKEY NSEC3PARAM TYPE65534
980985v4suav2r0hjg81890lr96e1ft9.cy. 86400 IN RRSIG NSEC3 13 2 86400 20220828231753 20220729222906 60430 cy. [omitted]
lr3v6n8m71q3kvpso42ovbs4nlh19t84.cy. 86400 IN NSEC3 1 1 0 - N13RLJ1KN8RB464M31T1HD30E2A77BCB NS DS RRSIG
lr3v6n8m71q3kvpso42ovbs4nlh19t84.cy. 86400 IN RRSIG NSEC3 13 2 86400 20220828163430 20220729153831 60430 cy. [omitted]
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nlnetlabs.nl/pipermail/nsd-users/attachments/20220817/2752e4b6/attachment.htm>

More information about the nsd-users mailing list