Hello! We noticed that some of our NSD 4.3.5 secondaries answered with incomplete NSEC3 RRs for NOERROR/NODATA queries. See below. We could fix the issue by restarting NSD, or by "force_transfer" the zone. I see there are some NSEC3 related changes since 4.3.5, but the commit messages do not fit our problems. Hence, have you heard about this problem? Shall we further debug/watch the issue, or shall we just upgrade to 4.6 to get all NSEC3 fixes.
Thanks Klaus BAD RESPONSE # dig +nsid +dnssec @194.0.25.31 +nocrypto DS gov.cy ;; AUTHORITY SECTION: cy. 7200 IN SOA cynic6.dns.cy. cydns.ucy.ac.cy. 2022081701 10800 3600 1209600 86400 cy. 7200 IN RRSIG SOA 13 1 7200 20220915210502 20220816200502 60430 cy. [omitted] 980985v4suav2r0hjg81890lr96e1ft9.cy. 86400 IN NSEC3 1 1 0 - 9EANNQLG89O84OKJKCC7TMU6CNQ4TOKD NS SOA RRSIG DNSKEY NSEC3PARAM TYPE65534 980985v4suav2r0hjg81890lr96e1ft9.cy. 86400 IN RRSIG NSEC3 13 2 86400 20220828231753 20220729222906 60430 cy. [omitted] # nsd-control force_transfer cy ok GOOD RESPONSE # dig +nsid +dnssec @194.0.25.31 +nocrypto DS gov.cy ;; AUTHORITY SECTION: cy. 7200 IN SOA cynic6.dns.cy. cydns.ucy.ac.cy. 2022081701 10800 3600 1209600 86400 cy. 7200 IN RRSIG SOA 13 1 7200 20220915210502 20220816200502 60430 cy. [omitted] 980985v4suav2r0hjg81890lr96e1ft9.cy. 86400 IN NSEC3 1 1 0 - 9EANNQLG89O84OKJKCC7TMU6CNQ4TOKD NS SOA RRSIG DNSKEY NSEC3PARAM TYPE65534 980985v4suav2r0hjg81890lr96e1ft9.cy. 86400 IN RRSIG NSEC3 13 2 86400 20220828231753 20220729222906 60430 cy. [omitted] lr3v6n8m71q3kvpso42ovbs4nlh19t84.cy. 86400 IN NSEC3 1 1 0 - N13RLJ1KN8RB464M31T1HD30E2A77BCB NS DS RRSIG lr3v6n8m71q3kvpso42ovbs4nlh19t84.cy. 86400 IN RRSIG NSEC3 13 2 86400 20220828163430 20220729153831 60430 cy. [omitted]
_______________________________________________ nsd-users mailing list nsd-users@lists.nlnetlabs.nl https://lists.nlnetlabs.nl/mailman/listinfo/nsd-users
