Here is a master server BIND 9.7.1-P2 (with patches for PKCS#11 and the AEP keyper HSM), with DNSSEC enabled, dynamically signing records. Most of the time, the typical NSEC3 looks like ('dig +dnssec @a.nic.fr A www.toto.fr' if you want to see it):
meqimi6fje5ni47pjahv5qigu1lv3jlj.fr. 5400 IN NSEC3 1 1 1 BADFE11A O5SMCS6CUNUQC5RFJ6S94TGGRFH1TVC7 NS SOA TXT NAPTR RRSIG DNSKEY NSEC3PARAM

The list of NS records is sound. But from time to time, we see BIND producing strange NSEC3 records like:

meqimi6fje5ni47pjahv5qigu1lv3jlj.fr. 5400 IN NSEC3 1 1 1 BADFE11A O5SMCS6CUNUQC5RFJ6S94TGGRFH1TVC7 NS SOA TXT NAPTR RRSIG DNSKEY NSEC3PARAM TYPE65534

Note the TYPE65534, which I cannot explain. Grepping the bind-users archives, or googling, reveals that other people saw them, but I did not find a final explanation.

When this happens, the signature:

meqimi6fje5ni47pjahv5qigu1lv3jlj.fr. 5400 IN RRSIG NSEC3 8 2 5400 20110408081500 20110207081500 2331 fr. OFDRwZAgzDT1y8fTJ1XCfHlajEAHzqk2dsJaCR1TSednnBSEkctIUP6AsZuD+EOZtEPCM2Oe3cI/fG2GfA1nAUDaS1INN3I6YRpB3n2/oCfKBvs68fvCexBOIgz+oc74VrPvjDtPkVyGbJ5ImSlwu8Uc8rTXKh47CdS0AdJLmso=

is flagged as invalid by a BIND ('meqimi6fje5ni47pjahv5qigu1lv3jlj.fr NSEC3: no valid signature found') or an Unbound resolver ('debug: verify: signature mismatch'). I fancy that the spurious TYPE65534 may have been added after the signing.

The problem occurred twice <http://operations.afnic.fr/en/2011/02/12/dnssec-validating-resolving-issue.html> and, at least in the second case, it was when updating a DNSKEY record (an old ZSK was retired).

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
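Added example, not part of the original post: a small Python check that parses NSEC3 records in the presentation format dig prints and flags any type code in the private-use range (65280-65534 per RFC 6895), which is where TYPE65534 falls, so a zone operator can catch such records before a validator rejects the signature. The mnemonic table is an assumption of the example and covers only the types seen on this page; anything else must be written as TYPEnnn.

```python
import re

# RFC 6895: type codes 65280-65534 are reserved for private use (65535 is reserved).
PRIVATE_USE = range(65280, 65535)

# Mnemonics for the types that appear in the records above (assumption: this
# subset of the IANA registry is enough for the check; others must be TYPEnnn).
MNEMONICS = {"A": 1, "NS": 2, "SOA": 6, "TXT": 16, "AAAA": 28, "NAPTR": 35,
             "DS": 43, "RRSIG": 46, "NSEC": 47, "DNSKEY": 48, "NSEC3": 50,
             "NSEC3PARAM": 51}

def type_code(mnemonic):
    """Map a type mnemonic, or an RFC 3597 'TYPEnnn' token, to its numeric code."""
    m = re.fullmatch(r"TYPE(\d+)", mnemonic)
    if m:
        return int(m.group(1))
    return MNEMONICS[mnemonic]

def parse_nsec3(rr):
    """Parse one NSEC3 RR in presentation format, as printed by dig."""
    f = rr.split()
    if len(f) < 9 or f[2] != "IN" or f[3] != "NSEC3":
        raise ValueError("not an NSEC3 RR: %r" % rr)
    return {"owner": f[0], "ttl": int(f[1]), "hash_alg": int(f[4]),
            "flags": int(f[5]), "iterations": int(f[6]), "salt": f[7],
            "next": f[8], "types": [type_code(t) for t in f[9:]]}

def private_types(rr):
    """Type codes in the NSEC3 type bitmap that fall in the private-use range."""
    return [t for t in parse_nsec3(rr)["types"] if t in PRIVATE_USE]

def scan(lines):
    """Over a dig answer section, return (owner, private types) for each NSEC3
    RR whose bitmap advertises a private-use type; non-NSEC3 lines are skipped."""
    hits = []
    for line in lines:
        f = line.split()
        if len(f) > 3 and f[3] == "NSEC3":
            bad = private_types(line)
            if bad:
                hits.append((f[0], bad))
    return hits

# The two NSEC3 records quoted in the post above.
GOOD = ("meqimi6fje5ni47pjahv5qigu1lv3jlj.fr. 5400 IN NSEC3 1 1 1 BADFE11A "
        "O5SMCS6CUNUQC5RFJ6S94TGGRFH1TVC7 NS SOA TXT NAPTR RRSIG DNSKEY NSEC3PARAM")
BAD = GOOD + " TYPE65534"

if __name__ == "__main__":
    for owner, types in scan([GOOD, BAD]):
        print("%s: private-use type(s) %s in NSEC3 bitmap" % (owner, types))
```

Type 65534 is also the default of BIND's `sig-signing-type` option, the private type BIND uses to record signing state in a dynamically signed zone, so a hit from this check is worth comparing against that setting.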