[dns-operations] Stale NSEC3 records
Alexander Gall
gall at switch.ch
Tue Sep 22 13:36:15 UTC 2009
On Tue, 22 Sep 2009 10:40:47 +0200, Alexander Gall <gall at switch.ch> said:
> AFAICT, it should be the signer's job to remove such stale NSEC3
> records. This should be easy because it needs to hash the entire zone
> in any case (e.g. mark all NSEC3 upon reading the zone, remove the
> marker for those whose original owner name exists, remove all those
> still marked while dumping the new zone). A workaround would be to
> simply remove all NSEC3 records before passing the zone to the signer
> while keeping the RRSIGs. However, the signer also happily keeps
> RRSIGs whose associated RRsets don't exist, so we'd have to filter
> those out as well in the end.
After peeking at the code, it appears that this should be accomplished
by dnssec-signzone:nsec3clean() but doesn't work. This really belongs
on bind-bugs, but I'm curious if other people using NSEC3 have seen
this.
--
Alex
More information about the dns-operations
mailing list