[Unbound-users] no NSEC3 closest encloser
wouter at nlnetlabs.nl
Fri Aug 1 07:08:43 UTC 2014
On 07/31/2014 05:18 PM, shmick at riseup.net wrote:
> TXT IN>: no NSEC3 closest encloser from 127.0.0.1 for DS
> could i have some advice about this concerning my domain and what
> it could potentially mean ?

Unbound received an invalid DNSSEC packet from the authority server.
It is missing an NSEC3 record (it indicates which one).

> i recently signed my zone with a different algorithm; now signing
> zone with NSEC3RSASHA1 i receive this error

I guess something went wrong with the newly signed zone and that NSEC3 RR is
missing from the zone, or your authority server software fails to
include that NSEC3 RR in the response. Since the authority server
software used to work previously, I would guess the signer is at
fault, given you said you were working with that.

If you run unbound (or unbound-host) with verbosity 4 (with
unbound-host -dddd) then it prints out the packet that it receives in
a dig-style output format; that is exactly the packet that is the error.
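
Added example, not part of the original message and not Unbound's own code: a way to check by hand which NSEC3 record a dumped response is missing, by computing the RFC 5155 hash of each ancestor of the query name and comparing it with the NSEC3 owner labels in the packet. The function names are hypothetical; the sample hashes are the RFC 5155 Appendix B.1 response (zone "example", salt aabbccdd, 12 iterations), and a non-root zone is assumed.

```python
import base64
import hashlib

# Map the standard base32 alphabet to lowercase base32hex, as used in NSEC3 owner labels.
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789abcdefghijklmnopqrstuv")

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 section 5: SHA-1 of wire-format name + salt, re-hashed `iterations` more times."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode("ascii")

def covers(owner, nxt, h):
    """True if h lies strictly between an NSEC3 owner hash and its next hash (with wrap-around)."""
    return owner < h < nxt if owner < nxt else (h > owner or h < nxt)

def closest_encloser_proof(qname, zone, salt_hex, iterations, nsec3):
    """nsec3 maps owner hash -> next hash for every NSEC3 RR in the response.
    Returns (closest_encloser, next_closer, next_closer_covered), or None when
    no NSEC3 owner matches qname or any ancestor of it inside the zone."""
    labels = qname.lower().rstrip(".").split(".")
    depth = len(zone.rstrip(".").split("."))
    for i in range(len(labels) - depth + 1):
        candidate = ".".join(labels[i:])
        if nsec3_hash(candidate, salt_hex, iterations) in nsec3:
            if i == 0:
                return candidate, None, None  # qname itself is matched: it exists
            next_closer = ".".join(labels[i - 1:])
            h = nsec3_hash(next_closer, salt_hex, iterations)
            return candidate, next_closer, any(covers(o, n, h) for o, n in nsec3.items())
    return None

# Constructed input: owner/next hashes of the three NSEC3 RRs in the
# RFC 5155 Appendix B.1 name-error response for a.c.x.w.example.
RESPONSE = {
    "0p9mhaveqvm6t7vbl5lop2u3t2rp3tom": "2t7b4g4vsa5smi47k61mv5bv1a22bojr",
    "b4um86eghhds6nea196smvmlo4ors995": "gjeqe526plbf1g8mklp59enfd789njgi",
    "35mthgpgcu1qg68fab165klnsnk3dpvl": "b4um86eghhds6nea196smvmlo4ors995",
}

if __name__ == "__main__":
    print(closest_encloser_proof("a.c.x.w.example", "example", "aabbccdd", 12, RESPONSE))
    print(closest_encloser_proof("a.c.x.w.example", "example", "aabbccdd", 12, {}))
```

The salt and iteration count to pass in are the ones shown in the NSEC3 records of the dig-style dump; a result of None, or a next closer name that is not covered, points at the record the signer or the authority server left out.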