Hi Mathieu,

That is indeed a lot of NSEC3 records. Could you share with me the kasp.xml file you are using for this zone (off list if you like)?

Best regards,

Matthijs

On 07/07/2010 03:36 PM, Mathieu Arnold wrote:
> Today, I upgraded from 1.0 to 1.1, and, it kinda worked ok, for most of
> the zones I sign, but now, for some, I have problems.
>
> The simplest zone I have problems with is the following :
>
> # cat d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa
> $TTL 1d
> @       IN      SOA     ns1.absolight.net. root.absolight.com. (
>                 2010030500 ;serial
>                 86400 ; refresh 24 hour
>                 3600 ; retry 1 hour
>                 604800 ; expire 7 days
>                 1H ; TTL 1 hour
>                 )
>         IN      NS      ns1.absolight.net.
>         IN      NS      ns2.absolight.net.
>         IN      NS      ns3.absolight.net.
>         IN      NS      ns4.absolight.net.
>         IN      TXT     "$Abso: d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa,v 1644124c9d58 2010/03/05 13:03:53 mat $"
>
> 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR 6to4.th2.absolight.net.
>
> which is quite simple.
>
> Now, when I try to sign it, it just goes bad.
>
> # /usr/local/bin/ods-auditor -c /usr/local/etc/opendnssec/conf.xml -s /usr/local/var/opendnssec/tmp/d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa.finalized -z d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa
> Auditor started
> Auditor starting on d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa
> 6: Auditing d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa zone : NSEC3 SIGNED
> 4: Found NSEC3 record for hashed domain which couldn't be found in the zone
> (00cdvvl050g9up4icqk4op0ikf7g0gig.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa)
> 4: Found NSEC3 record for hashed domain which couldn't be found in the zone
> (1o1mgf2ec6k5kjksm4h189q6af2j0ena.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa)
> 4: Found NSEC3 record for hashed domain which couldn't be found in the zone
> (2gs3mlhpebvslofog6b2n6tdn0d33f4l.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa)
> 4: Found NSEC3 record for hashed domain which couldn't be found in the zone
> (4eau1e79pg4rnrn85eeuvv8js6rin18u.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa)
> 4: Found NSEC3 record for hashed domain which couldn't be found in the zone
> (5s1fupjlaa2vojnva38imcl75rgj1hg4.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa)
> 4: Found NSEC3 record for hashed domain which couldn't be found in the zone
> (7ff055a0tl6od6bbnbbpqj7cncqvkv4n.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa)
> 4: Found NSEC3 record for hashed domain which couldn't be found in the zone
> (8viqg0jshvor9g4bt4rig9vn5ged98kj.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa)
> 4: Found NSEC3 record for hashed domain which couldn't be found in the zone
> (bb656qcv2gapph8ommteu7kvk9lmnb0d.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa)
> 4: Found NSEC3 record for hashed domain which couldn't be found in the zone
> (gg6flu8onjo3ogrgqbirjtb5tat5pqcg.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa)
> 3: Can't find NSEC3 for empty nonterminal 0.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa
> (should be ghm98145n1p18oag963debu6k4qf5999.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa)
> 3: Can't find NSEC3 for empty nonterminal 0.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa
> (should be ghm98145n1p18oag963debu6k4qf5999.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa)
> 3: Can't find NSEC3 for empty nonterminal 0.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa
> (should be ghm98145n1p18oag963debu6k4qf5999.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa)
> 3: Can't find NSEC3 for empty nonterminal 0.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa
> (should be ghm98145n1p18oag963debu6k4qf5999.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa)
> 3: Can't find NSEC3 for empty nonterminal 0.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa
> (should be ghm98145n1p18oag963debu6k4qf5999.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa)
> 3: Can't find NSEC3 for empty nonterminal 0.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa
> (should be ghm98145n1p18oag963debu6k4qf5999.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa)
> 3: Can't find NSEC3 for empty nonterminal 0.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa
> (should be ghm98145n1p18oag963debu6k4qf5999.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa)
> 3: Can't find NSEC3 for empty nonterminal 0.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa
> (should be ghm98145n1p18oag963debu6k4qf5999.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa)
> 3: Can't find NSEC3 for empty nonterminal 0.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa
> (should be ghm98145n1p18oag963debu6k4qf5999.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa)
> 3: Can't find NSEC3 for empty nonterminal 0.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa
> (should be ghm98145n1p18oag963debu6k4qf5999.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa)
> 3: Can't find NSEC3 for empty nonterminal 0.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa
> (should be ghm98145n1p18oag963debu6k4qf5999.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa)
> 3: Can't find NSEC3 for empty nonterminal 0.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa
> (should be ghm98145n1p18oag963debu6k4qf5999.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa)
> 3: Can't find NSEC3 for empty nonterminal 0.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa
> (should be ghm98145n1p18oag963debu6k4qf5999.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa)
> 3: Can't find NSEC3 for empty nonterminal 0.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa
> (should be ghm98145n1p18oag963debu6k4qf5999.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa)
> 3: Can't find NSEC3 for empty nonterminal 0.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa
> (should be ghm98145n1p18oag963debu6k4qf5999.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa)
> 3: Can't find NSEC3 for empty nonterminal 0.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa
> (should be ghm98145n1p18oag963debu6k4qf5999.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa)
> 3: Can't find NSEC3 for empty nonterminal 0.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa
> (should be ghm98145n1p18oag963debu6k4qf5999.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa)
> 3: Can't find NSEC3 for empty nonterminal 0.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa
> (should be ghm98145n1p18oag963debu6k4qf5999.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa)
> 3: Can't find NSEC3 for empty nonterminal 0.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa
> (should be ghm98145n1p18oag963debu6k4qf5999.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa)
> 3: Can't find NSEC3 for empty nonterminal 0.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa
> (should be ghm98145n1p18oag963debu6k4qf5999.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa)
> 3: ERROR : expected at d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa
> (hcioin8r04jq695qu8k0r24l1m21sri8.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa) but found
> DNSKEY NS NSEC3PARAM RRSIG SOA TXT
> 4: Found NSEC3 record for hashed domain which couldn't be found in the zone
> (i5s1j8knoj8v9heecb26mgo5rvmea0nj.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa)
> 4: Found NSEC3 record for hashed domain which couldn't be found in the zone
> (j80tg96tv6n63ol3j9s3haphvjgsurt3.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa)
> 4: Found NSEC3 record for hashed domain which couldn't be found in the zone
> (jjpc0ru5lfeveqo5fv2nekfnrjr8p8lq.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa)
> 4: Found NSEC3 record for hashed domain which couldn't be found in the zone
> (nqcesslkhac47vlmhu1s8dhr4bsa9tet.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa)
> 4: Found NSEC3 record for hashed domain which couldn't be found in the zone
> (q2mie3a9ushbdbk4itlp6vj8vcckg54g.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa)
> 4: Found NSEC3 record for hashed domain which couldn't be found in the zone
> (qerso7o14hqe3hp1i58ne8lkd49o332f.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa)
> 6: Finished auditing d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa zone
>
> I don't really understand, but I think that it generates NSEC3 records for
> way too many things.
>
> Attached are the temp files.
>
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user@lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
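
Added example, not part of the original thread and not OpenDNSSEC code: RFC 5155 gives every empty non-terminal its own NSEC3 record when opt-out is not in play, so the sketch below enumerates the names in the quoted zone that need one and computes their hashed owner names. The function names are made up for this example, and the salt and iteration count are assumed values because the kasp.xml is not shown, so the hashes will not match those in the auditor output.

```python
import base64
import hashlib

# base32 -> base32hex alphabet (NSEC3 owner labels use base32hex, RFC 4648 section 7)
_TO_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                             b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def wire_name(name):
    """Canonical lower-case wire format of a domain name."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 section 5 hash (SHA-1): H(name || salt), then re-hashed `iterations` times."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_TO_B32HEX).decode("ascii").lower()

def empty_non_terminals(apex, owners):
    """Names strictly between the apex and an owner name that hold no records themselves."""
    apex = apex.lower().rstrip(".")
    owned = {o.lower().rstrip(".") for o in owners}
    ents = set()
    for owner in owned:
        if not owner.endswith("." + apex):
            continue  # the apex itself, or out-of-zone data
        labels = owner.split(".")
        for i in range(1, len(labels) - len(apex.split("."))):
            ancestor = ".".join(labels[i:])
            if ancestor not in owned:
                ents.add(ancestor)
    return sorted(ents, key=len)

def expected_nsec3_owners(apex, owners, salt_hex, iterations):
    """Map each expected NSEC3 owner name to the original name it covers (no opt-out)."""
    apex = apex.lower().rstrip(".")
    names = {o.lower().rstrip(".") for o in owners} | set(empty_non_terminals(apex, owners))
    return {nsec3_hash(n, salt_hex, iterations) + "." + apex: n for n in names}

# Zone from the quoted post: records at the apex plus one PTR 20 labels below it.
APEX = "d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa"
OWNERS = [APEX, ".".join(["0"] * 20) + "." + APEX]
SALT_HEX, ITERATIONS = "aabbccdd", 5  # assumed values; the real ones live in kasp.xml

if __name__ == "__main__":
    chain = expected_nsec3_owners(APEX, OWNERS, SALT_HEX, ITERATIONS)
    for hashed, original in sorted(chain.items()):
        print(hashed, "<-", original)
```

Running it lists 21 hashed owner names: the apex, the PTR owner, and the 19 empty non-terminals between them.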