On Mon, 2 Jan 2012, Miek Gieben wrote:
> Google doesn't give much information about this
> message in recent bind versions, other than that
> it could be because of stale NSEC3 records.
> But our signing process seems fine, and all
> signatures are current.
> Maybe the bind-user list is a better place to ask?
I think what bind logs is just what it says: it is expecting
that something does not exist, but it is seeing a matching
nsec3, indicating that it came into existence.
Or, maybe bind is clever and it saw an nsec3 that
covers: a -> c, indicating that b does not exist.
Now it gets a new nsec3 (b -> c), that shouldn't
exist if you still believe the first nsec3.
This can happen when you have removed a record during rollover.
dnssec-signzone keeps the old DNSKEY signatures for a time period without
really looking at the records (it only fixes the nsec* chains for
the current dnskey).
The latest bind had an option to just always drop the previous dnskey's
NSEC/RRSIGs.
Paul
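The contradiction Paul describes (an NSEC3 covering a -> c proves b does not exist, while a newer b -> c record proves it does) can be turned into a chain-consistency check that a zone operator can run over the NSEC3 records before publishing. The following is an added example, not code from this thread, from BIND or from OpenDNSSEC: it implements the RFC 5155 owner-name hash, builds a chain as (owner_hash, next_hash) pairs, and reports records whose next pointer skips over a name that has its own NSEC3. The zone names, the salt and iteration count, and the helper names (`nsec3_hash`, `build_chain`, `chain_conflicts`, `stale_mix`) are all constructed for the example.

```python
import base64
import hashlib

# Added example (not from the list thread or from BIND/OpenDNSSEC). It
# models an NSEC3 chain as (owner_hash, next_hash) pairs and looks for the
# contradiction described in the reply: one record covering a name (proving
# it does not exist) while another record owned by that same name proves it
# does. Such a mix is what remains when a zone gains a name but an old
# NSEC3 record from before the change is kept.

# base32 -> base32hex alphabet map; base32hex keeps sort order of the hash.
B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                              "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def nsec3_hash(name, salt=b"", iterations=0):
    """RFC 5155 section 5 hash of a DNS name: SHA-1 over the lowercase wire
    form followed by the salt, re-applied `iterations` times, base32hex."""
    labels = [l.lower().encode() for l in name.rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"  # root label
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode().translate(B32_TO_B32HEX).lower()


def covers(owner, nxt, h):
    """True if the NSEC3 record owner->nxt asserts that hash h does not exist."""
    if owner < nxt:
        return owner < h < nxt
    return h > owner or h < nxt  # last record of the chain wraps to the first


def build_chain(names, salt=b"", iterations=0):
    """Fresh, consistent NSEC3 chain: each hash points at its sorted successor."""
    hashes = sorted(nsec3_hash(n, salt, iterations) for n in names)
    return [(hashes[i], hashes[(i + 1) % len(hashes)]) for i in range(len(hashes))]


def chain_conflicts(records):
    """Return (stale, denied): records whose next pointer skips an existing
    owner, and owner hashes that some other record claims do not exist."""
    owners = sorted(o for o, _ in records)
    successor = {owners[i]: owners[(i + 1) % len(owners)] for i in range(len(owners))}
    stale = [(o, n) for o, n in records if successor[o] != n]
    denied = sorted({o for o in owners
                     for ow, nx in records if ow != o and covers(ow, nx, o)})
    return stale, denied


def stale_mix(old_names, new_names, salt=b"", iterations=0):
    """Constructed failure mode: a name was added to the zone but the old
    NSEC3 records were kept, so one of them still jumps over the new name."""
    old = dict(build_chain(old_names, salt, iterations))
    fresh = build_chain(new_names, salt, iterations)
    return [(o, old.get(o, n)) for o, n in fresh]


if __name__ == "__main__":
    salt, iters = bytes.fromhex("aabbccdd"), 12  # constructed NSEC3 parameters
    names = ["a.example.", "b.example.", "c.example."]  # constructed zone
    print("fresh chain:", chain_conflicts(build_chain(names, salt, iters)))
    mixed = stale_mix(["a.example.", "c.example."], names, salt, iters)
    stale, denied = chain_conflicts(mixed)
    print("stale records:", stale)
    print("names denied although present:", denied)
```

Run stand-alone it prints an empty result for the freshly built chain and, for the mixed chain, exactly one stale record plus the hash of `b.example.` as a name that is simultaneously proven present and absent; that is the situation a validator would reject. Replacing `stale_mix` with a loader for the zone file after signing turns this into a pre-publication check.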
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user