Hi, I just had the misfortune of experiencing OpenDNSSEC emit zones which were malformed related to NSEC3.
I have a script on our public distribution master (which is just downstream of OpenDNSSEC) which checks zones for DNSSEC consistency, and this evening it suddenly flagged this same problem for a largish number of zones.

Running "ldns-verify-zone -V 2" on the copy of the zone file resulted in:

  Error: Bogus DNSSEC signature for uninett.no. NSEC3PARAM
  There were errors in the zone

and running BIND's dnssec-verify on the zone results in a large ream of messages, some of which are

  No correct RSASHA256 signature for uninett.no NSEC3PARAM
  Missing NSEC3 record for uninett.no (0A3GIVR501P8JRGSHTNNEJPE7B4TAL6S.uninett.no)
  Missing NSEC3 record for 6etg-landskap-sw.uninett.no (ANBEOTL2U7EG7OC0B9T1AO66L1K99P55.uninett.no)
  Missing NSEC3 record for _original-serial.uninett.no (883NRS6S8UQ6HD0JH4GORS1557P10PSH.uninett.no)
  ...
  Missing NSEC3 record for zino.uninett.no (S1NO4RE0NMDCL99IG2VOD6PHSK0TH5SV.uninett.no)
  Expected and found NSEC3 chains not equal
  Break in NSEC3 chain at: 0MUSUIT1FJV4V39O42NVI078P60KQ2RV
  Expected: 0NC9UMP6FIAJVDB6GSSJO45MCH0TJLE3
  Found: 0S6OOOD7J6JB1ID779G5OBUDM330UI2H
  Break in NSEC3 chain at: 0S6OOOD7J6JB1ID779G5OBUDM330UI2H
  Expected: 0SD02H0M8OH2GMG91BQODJQH7RHB76K1
  Found: 0UMI9EQVLJ4S92QSQBGQK2VJI6CE1VQ3
  Break in NSEC3 chain at: 0UMI9EQVLJ4S92QSQBGQK2VJI6CE1VQ3
  Expected: 0UMT16216AHUQF0G4ASM4CKFOEOFQQBL
  Found: 1AS9JVDUK936DH23D9IJO44C9AD3IJST
  ...

It seems that out of the 378 zones we have in our setup, some 252 of those zones suddenly had developed this disease.

I took a copy of the tmp/ directory in OpenDNSSEC (and then removed the files there), and have a copy of the "bad" zones which came out at the other end if someone wants to take a look at it to possibly find out how this could happen.

Regards,

- Håvard

Opendnssec-user mailing list: https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
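As an added example (not code from the post, OpenDNSSEC, BIND or ldns), the following reproduces the two checks behind the messages above: it computes RFC 5155 NSEC3 hashes of every owner name in a zone, reports names that have no NSEC3 record, and reports chain breaks in the same wording dnssec-verify uses. The one-RR-per-line zone text format, the hypothetical build_zone helper and its sample names are constructed for the example; the RFC 5155 Appendix A salt and iteration count are used so the hash can be checked against the RFC's test vector.

```python
import base64
import hashlib
# NSEC3 owner names use base32hex (RFC 4648 section 7); remap b32encode's alphabet.
_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 section 5 hash (algorithm 1, SHA-1) of an owner name, base32hex-encoded."""
    labels = [lb for lb in name.lower().rstrip(".").split(".") if lb]
    wire = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32HEX)

def check_nsec3(zone_lines, zone):
    """Report names lacking an NSEC3 record and chain breaks, in dnssec-verify's wording.
    One RR per line ('owner TTL IN TYPE rdata...'); no opt-out, glue or empty-non-terminal handling."""
    zone = zone.lower().rstrip(".") + "."
    params, names, chain = None, set(), {}
    for line in zone_lines:
        f = line.split()
        if len(f) < 4 or f[3] == "RRSIG":
            continue
        if f[3] == "NSEC3PARAM":        # rdata: hash-alg flags iterations salt
            params = (int(f[6]), f[7])
        elif f[3] == "NSEC3":           # rdata: hash-alg flags iterations salt next-hash [types]
            chain[f[0].split(".")[0].upper()] = f[8].upper()
        else:
            names.add(f[0].lower())
    if params is None:
        return [f"No NSEC3PARAM record at {zone}"]
    hashed = {n: nsec3_hash(n, params[1], params[0]) for n in names}
    expected = sorted(hashed.values())   # the chain the zone should have, last wrapping to first
    nxt = {h: expected[(i + 1) % len(expected)] for i, h in enumerate(expected)}
    problems = [f"Missing NSEC3 record for {n} ({hashed[n]}.{zone})"
                for n in sorted(names) if hashed[n] not in chain]
    for h in expected:
        if h in chain and chain[h] != nxt[h]:
            problems.append(f"Break in NSEC3 chain at: {h} Expected: {nxt[h]} Found: {chain[h]}")
    return problems

def build_zone(zone, names, chained, salt="aabbccdd", iterations=12):
    """Constructed sample zone: an A record per name, with an NSEC3 chain covering only `chained`."""
    lines = [f"{zone} 3600 IN NSEC3PARAM 1 0 {iterations} {salt}"]
    lines += [f"{n} 3600 IN A 192.0.2.1" for n in names]
    hashes = sorted(nsec3_hash(n, salt, iterations) for n in chained)
    for i, h in enumerate(hashes):
        lines.append(f"{h}.{zone} 3600 IN NSEC3 1 0 {iterations} {salt} {hashes[(i + 1) % len(hashes)]} A")
    return lines
```

Building the chain from a subset of the names (as the signer apparently did here) yields one "Missing NSEC3 record" line for the left-out name and one "Break in NSEC3 chain" line at its predecessor, whose Found hash is the next record that does exist.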
