[dns-operations] Stale NSEC3 records

Mark Andrews marka at isc.org
Tue Sep 22 21:58:32 UTC 2009

In message <19128.53967.329293.271636 at hadron.switch.ch>, Alexander Gall writes:
> On Tue, 22 Sep 2009 10:40:47 +0200, Alexander Gall <gall at switch.ch> said:
> > AFAICT, it should be the signer's job to remove such stale NSEC3
> > records.  This should be easy because it needs to hash the entire zone
> > in any case (e.g. mark all NSEC3 upon reading the zone, remove the
> > marker for those whose original owner name exists, remove all those
> > still marked while dumping the new zone).  A workaround would be to
> > simply remove all NSEC3 records before passing the zone to the signer
> > while keeping the RRSIGs.  However, the signer also happily keeps
> > RRSIGs whose associated RRsets don't exist, so we'd have to filter
> > those out as well in the end.
> After peeking at the code, it appears that this should be accomplished
> by dnssec-signzone:nsec3clean() but doesn't work.  This really belongs
> on bind-bugs, but I'm curious if other people using NSEC3 have seen
> this.

We already had a fix under review for this.
> -- 
> Alex
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

More information about the dns-operations mailing list