[dns-operations] Stale NSEC3 records

Alexander Gall gall at switch.ch
Tue Sep 22 13:36:15 UTC 2009

On Tue, 22 Sep 2009 10:40:47 +0200, Alexander Gall <gall at switch.ch> said:

> AFAICT, it should be the signer's job to remove such stale NSEC3
> records.  This should be easy because it needs to hash the entire zone
> in any case (e.g. mark all NSEC3 upon reading the zone, remove the
> marker for those whose original owner name exists, remove all those
> still marked while dumping the new zone).  A workaround would be to
> simply remove all NSEC3 records before passing the zone to the signer
> while keeping the RRSIGs.  However, the signer also happily keeps
> RRSIGs whose associated RRsets don't exist, so we'd have to filter
> those out as well in the end.

After peeking at the code, it appears that this should be accomplished
by dnssec-signzone:nsec3clean() but doesn't work.  This really belongs
on bind-bugs, but I'm curious if other people using NSEC3 have seen


More information about the dns-operations mailing list