[dns-operations] Stale NSEC3 records
Mark Andrews
marka at isc.org
Tue Sep 22 21:58:32 UTC 2009
In message <19128.53967.329293.271636 at hadron.switch.ch>, Alexander Gall writes:
> On Tue, 22 Sep 2009 10:40:47 +0200, Alexander Gall <gall at switch.ch> said:
>
> > AFAICT, it should be the signer's job to remove such stale NSEC3
> > records. This should be easy because it needs to hash the entire zone
> > in any case (e.g. mark all NSEC3 upon reading the zone, remove the
> > marker for those whose original owner name exists, remove all those
> > still marked while dumping the new zone). A workaround would be to
> > simply remove all NSEC3 records before passing the zone to the signer
> > while keeping the RRSIGs. However, the signer also happily keeps
> > RRSIGs whose associated RRsets don't exist, so we'd have to filter
> > those out as well in the end.
>
> After peeking at the code, it appears that this should be accomplished
> by dnssec-signzone:nsec3clean() but doesn't work. This really belongs
> on bind-bugs, but I'm curious if other people using NSEC3 have seen
> this.
We already had a fix under review for this.
> --
> Alex
>
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
More information about the dns-operations
mailing list