[dns-operations] NSEC3PARAM change strange behaviour
Misak Khachatryan
kmisak at gmail.com
Wed Oct 11 15:32:28 UTC 2023
Hello,
I'm maintaining a rather big DNS zone - around 2.5 Megabytes in ASCII
format, more than 40k records overall.
Authoritative server software is Bind. NSEC3PARAM in dnssec-policy was
defined as:
nsec3param optout yes salt-length 24;
Today I decided to change it to:
nsec3param optout yes;
which according to defaults for my Bind version expands to:
nsec3param iterations 5 optout yes salt-length 8;
After issuing rndc reconfig, for around 3 minutes my monitoring went crazy,
sending notifications about DNSSEC errors, but checking the zone with
DNSViz and DNSSEC Analyzer reported that everything was normal. Using dig
@server zone NSEC3PARAM at the problematic time, the server didn't return an
NSEC3PARAM record, reporting it as missing.
Three minutes later everything went back to normal. In the Bind log I see several
zone transfers to slaves around every second. I presume that such a big
zone can't be transferred in one part, which causes this behavior.
My question to other maintainers of big zones - do you have such
experience, and what is the correct way to update NSEC3 parameters in order
to have a smooth transition?
Best regards,
Misak Khachatryan
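As an added example (not part of the post above and not BIND's own code), the following stdlib-only Python script shows the three states a monitor should tell apart during an NSEC3 parameter change like this one: NSEC3 records served with no NSEC3PARAM at the apex (the symptom reported above), NSEC3 records whose hash parameters match no NSEC3PARAM, and authoritative servers answering with different NSEC3PARAM sets (a secondary still serving the pre-transfer zone). It assumes a hypothetical zone example.net with made-up salts and hashed owner names; in practice the record lines would come from `dig +noall +answer @server ...` against each authoritative server.

```python
"""Offline consistency check for an NSEC3 parameter change.

Added example, not part of the original post and not BIND's own code. It
takes dig-style presentation-format records (the constructed sample data
below stands in for `dig @server zone NSEC3PARAM` and NSEC3 answers) and
reports the states an operator's monitoring should separate.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Nsec3Params:
    hash_alg: int
    iterations: int
    salt: str  # upper-case hex, or "-" for an empty salt (RFC 5155 presentation)


def parse_rr(line):
    """Split 'owner ttl class type rdata...' into (owner, type, rdata fields)."""
    fields = line.split()
    return fields[0].lower(), fields[3].upper(), fields[4:]


def params_of(rdata):
    # Both NSEC3PARAM and NSEC3 rdata start with: hash-alg flags iterations salt
    return Nsec3Params(int(rdata[0]), int(rdata[2]), rdata[3].upper())


def check_zone(lines):
    """Findings (list of str) for one server's NSEC3PARAM/NSEC3 records."""
    findings = []
    param_rrs = set()
    nsec3_rrs = []
    for line in lines:
        owner, rtype, rdata = parse_rr(line)
        if rtype == "NSEC3PARAM":
            param_rrs.add(params_of(rdata))
            if int(rdata[1]) != 0:
                # RFC 5155 section 4.1.2: NSEC3PARAM Flags must be zero
                findings.append(
                    f"{owner}: NSEC3PARAM flags must be 0, got {rdata[1]}")
        elif rtype == "NSEC3":
            nsec3_rrs.append((owner, params_of(rdata)))
    if nsec3_rrs and not param_rrs:
        # The state seen in the post: NSEC3 chain served, apex NSEC3PARAM absent.
        findings.append("NSEC3 records present but no NSEC3PARAM at the apex")
    for owner, p in nsec3_rrs:
        if p not in param_rrs:
            findings.append(
                f"{owner}: NSEC3 iterations={p.iterations} salt={p.salt} "
                f"match no NSEC3PARAM")
    return findings


def nsec3param_set(lines):
    """The set of NSEC3 parameter tuples a server advertises in NSEC3PARAM."""
    return frozenset(params_of(r) for _, t, r in map(parse_rr, lines)
                     if t == "NSEC3PARAM")


def servers_out_of_sync(answers, reference):
    """Servers whose NSEC3PARAM set differs from the reference server's."""
    want = nsec3param_set(answers[reference])
    return sorted(s for s, lines in answers.items()
                  if nsec3param_set(lines) != want)


# Constructed sample answers (hypothetical zone example.net, made-up salts and
# hashed owner names; the base32hex labels are only shaped like real ones).
SALT_OLD = "A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F60718"  # 24 bytes
SALT_NEW = "0A1B2C3D4E5F6071"                                  # 8 bytes
H1 = "0p9mhaveqvm6t7vbl5lop2u3t2rp3tom"
H2 = "2t7b4g4vsa5smi47k61mv5bv1a22bojr"

PRIMARY = [
    f"example.net. 3600 IN NSEC3PARAM 1 0 5 {SALT_NEW}",
    f"{H1}.example.net. 3600 IN NSEC3 1 1 5 {SALT_NEW} {H2} NS SOA RRSIG DNSKEY NSEC3PARAM",
]
SECONDARY_LAGGING = [  # has not received the post-reconfig zone yet
    f"example.net. 3600 IN NSEC3PARAM 1 0 5 {SALT_OLD}",
    f"{H2}.example.net. 3600 IN NSEC3 1 1 5 {SALT_OLD} {H1} NS SOA RRSIG DNSKEY NSEC3PARAM",
]
MID_ROLLOVER = [  # NSEC3 records for both parameter sets, no NSEC3PARAM answered
    f"{H1}.example.net. 3600 IN NSEC3 1 1 5 {SALT_NEW} {H2} NS SOA RRSIG DNSKEY NSEC3PARAM",
    f"{H2}.example.net. 3600 IN NSEC3 1 1 5 {SALT_OLD} {H1} A RRSIG",
]

if __name__ == "__main__":
    for name, lines in [("primary", PRIMARY), ("mid-rollover", MID_ROLLOVER)]:
        print(name, check_zone(lines) or "ok")
    print("out of sync:", servers_out_of_sync(
        {"primary": PRIMARY, "ns2": SECONDARY_LAGGING, "ns3": PRIMARY}, "primary"))
```

Running `check_zone` per server separates "the zone is mid-rebuild on this server" from "this server disagrees with the primary", which is the distinction a monitor needs before paging during a planned NSEC3PARAM change; `servers_out_of_sync` is the check to keep firing until every secondary has completed its transfer.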