Hi, I have a small problem with opendnssec. Signing/auditing a zone with empty non-terminals with NSEC3 would fail with:
Jul 9 10:28:34 DNStest ods-auditor[20965]: Auditor started
Jul 9 10:28:34 DNStest ods-auditor[20965]: Auditor starting on test1234.si
Jul 9 10:28:34 DNStest ods-auditor[20965]: Auditing test1234.si zone : NSEC3 SIGNED
Jul 9 10:28:34 DNStest ods-auditor[20965]: Found NSEC3 record for hashed domain which couldn't be found in the zone (cg85dnhpaim1i60vs63tuhhemt20fe5r.test1234.si)
Jul 9 10:28:34 DNStest ods-auditor[20965]: Can't find NSEC3 for empty nonterminal z.test1234.si (should be fc1hjftfeg9gfjj50gtc7gilpiocip1u.test1234.si)
Jul 9 10:28:34 DNStest ods-auditor[20965]: Finished auditing test1234.si zone
Jul 9 10:28:34 DNStest ods-signerd: Auditor result: 3

The zone is:

# dig axfr test1234.si @kanin

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> axfr test1234.si @kanin
;; global options: printcmd
test1234.si. 21600 IN SOA kanin.arnes.si. hostmaster.arnes.si. 2010070900 28800 7200 3600000 21600
test1234.si. 172800 IN TXT "v=spf1 a mx ip4:193.2.1.74 ?all"
test1234.si. 172800 IN NS kanin.arnes.si.
test1234.si. 172800 IN NS nanos.arnes.si.
test1234.si. 172800 IN MX 10 avs1.arnes.si.
test1234.si. 172800 IN MX 10 avs2.arnes.si.
test1234.si. 172800 IN MX 10 avs3.arnes.si.
x.y.z.test1234.si. 172800 IN A 193.2.1.87
test1234.si. 21600 IN SOA kanin.arnes.si. hostmaster.arnes.si. 2010070900 28800 7200 3600000 21600

It works if records z.test1234.si and y.z.test1234.si exist.

Benjamin Zwittnig, Arnes
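The auditor messages above concern NSEC3 records for empty non-terminals. The following is an added example, not part of the original post and not OpenDNSSEC's code: it derives the empty non-terminals from a zone's owner names and computes the RFC 5155 hashed owner name each one needs. The salt and iteration count of the poster's zone are not given, so the values used here are assumptions and the hashes will not match those in the log; all function names are hypothetical, and the zone is assumed to have no delegations or opt-out.

```python
import base64
import hashlib

# Map the standard base32 alphabet onto base32hex (RFC 4648), as NSEC3 uses.
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def wire_name(name):
    """Canonical (lower-case) DNS wire format of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 hash: SHA-1 over name||salt, then `iterations` extra rounds."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode().lower()

def empty_non_terminals(apex, owners):
    """Names between the apex and an owner name that own no records themselves."""
    apex = apex.lower().rstrip(".")
    have = {o.lower().rstrip(".") for o in owners}
    ents = set()
    for owner in have:
        if not owner.endswith("." + apex):
            continue  # the apex itself, or a name outside the zone
        parent = owner.split(".", 1)[1]
        while parent != apex:
            if parent not in have:
                ents.add(parent)
            parent = parent.split(".", 1)[1]
    return sorted(ents)

def required_nsec3_owners(apex, owners, salt_hex, iterations):
    """Map each hashed owner name a signed zone must contain to its plain name."""
    apex = apex.lower().rstrip(".")
    names = {o.lower().rstrip(".") for o in owners}
    names.update(empty_non_terminals(apex, owners))
    return {nsec3_hash(n, salt_hex, iterations) + "." + apex: n for n in names}

if __name__ == "__main__":
    # Owner names taken from the AXFR in the post; salt and iterations are
    # assumed values, so these hashes differ from the ones in the auditor log.
    zone_owners = ["test1234.si.", "x.y.z.test1234.si."]
    print(empty_non_terminals("test1234.si.", zone_owners))
    for hashed, plain in sorted(required_nsec3_owners(
            "test1234.si.", zone_owners, "aabbccdd", 5).items()):
        print(hashed, "<-", plain)
```

With the real salt and iteration count from the zone's NSEC3PARAM record, the output can be compared against the NSEC3 owner names in the signed zone to see which ones are missing or unexpected.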
