thr3ads.net - nsd users - [nsd-users] NSD 3.2.5 not serving NSEC3 [Mar 2012]

If this information is useful, please help other people find it:
Share via:

Casper Gielen

2012-Mar-26 09:45 UTC

[nsd-users] NSD 3.2.5 not serving NSEC3

Hello,
I'm converting my setup from NDS 3.0.7 to NSD 3.2.5. It seems like NSD3.2.5
does not server NSEC3 records.
I've got a hidden master and two slaves. The master and one slave run
NSD3.2.5, the other slave still runs 3.0.7.
NSEC3 queries work for the old slave, but fail on the master and the new slave.

The slaves are provisioned through XFR.


# first find an NSEC3 record on the master:

# grep NSEC3 mijnuvt.nl |head -n 4
mijnuvt.nl.     3600    IN      NSEC3PARAM      1 0 5 3f5b57aea37819bd 
mijnuvt.nl.     3600    IN      RRSIG   NSEC3PARAM 8 2 3600 20120402093126
20120325235926 45505 mijnuvt.nl.
h/Fe0oZS/+QpdtscqReJ0gXOSahv1qnFGmYANdh0KytVrCACnThLos556jkjmjw+cHlk5QH/Gf6m6YRJuxKsNXQHQoWkfBAGCH/Gz1zRkimrQcxPKAYKtqpocWN8KbNrb4oZuptjrrvZzNwG0KuPBOcswK88qBJpU/V/g3uXbvY7bomoj6sqq183dea9ljtlg4v6mta3vr8.mijnuvt.nl.
3600    IN      NSEC3   1 0 5 3f5b57aea37819bd  9hgmpsh7hr04dvd5ir8u04f64kigge57
NS SOA MX RRSIG DNSKEY NSEC3PARAM
7bomoj6sqq183dea9ljtlg4v6mta3vr8.mijnuvt.nl.    3600    IN      RRSIG   NSEC3 8
3 3600 20120331095329 20120324082808 45505 mijnuvt.nl.
LXAixCSfTI/C+MXAP77cpTXlpZjGu4cDsbGVFyhs7PjytoY7bB75/qIml6eK67tgSN1yxSc1+A4fp0Fizv/+vTTgxZMTcX4+nAERkYJkWwykLRW8xZD7QBlAeNJ58/LexU02mL/rfPngHScYJLdMRVUIu0O691YmIvEpDLJuct4

# dig +short  -tANY 7bomoj6sqq183dea9ljtlg4v6mta3vr8.mijnuvt.nl. @master.3.2.5
# dig +short  -tANY 7bomoj6sqq183dea9ljtlg4v6mta3vr8.mijnuvt.nl. @slave.3.2.5
# dig +short  -tANY 7bomoj6sqq183dea9ljtlg4v6mta3vr8.mijnuvt.nl. @slave.3.0.7
1 0 5 3F5B57AEA37819BD 9HGMPSH7HR04DVD5IR8U04F64KIGGE57 NS SOA MX RRSIG DNSKEY
NSEC3PARAM
NSEC3 8 3 3600 20120331095329 20120324082808 45505 mijnuvt.nl.
LXAixCSfTI/C+MXAP77cpTXlpZjGu4cDsbGVFyhs7PjytoY7bB75/qIm
l6eK67tgSN1yxSc1+A4fp0Fizv/+vTTgxZMTcX4+nAERkYJkWwykLRW8
xZD7QBlAeNJ58/LexU02mL/rfPngHScYJLdMRVUIu0O691YmIvEpDLJu ct4
# proof that the servers are in sync
# dig +short +dnssec -tSOA  mijnuvt.nl @master.3.2.5
ns1.uvt.nl. hostmaster.uvt.nl. 2012032601 28800 14400 604800 3600
SOA 8 2 3600 20120401174722 20120326015928 45505 mijnuvt.nl.
KSqhqKleUdxOTVoSoaMvyjlJmQbMama1SzlMgos8D3zXGhk2L8vRz7Cd
beXIK16ItwqfNarJGkBF//FX4Gcqh/hqR+dZwAcaIbuEerLH5dZFspUu
87PF37Xx7lspd9EqLcg05lUiSNdJyv5zs7ZLTUiBjRE7Vxmvtn2zOaNN yyQ# dig +short +dnssec
-tSOA  mijnuvt.nl @slave.3.2.5
ns1.uvt.nl. hostmaster.uvt.nl. 2012032601 28800 14400 604800 3600
SOA 8 2 3600 20120401174722 20120326015928 45505 mijnuvt.nl.
KSqhqKleUdxOTVoSoaMvyjlJmQbMama1SzlMgos8D3zXGhk2L8vRz7Cd
beXIK16ItwqfNarJGkBF//FX4Gcqh/hqR+dZwAcaIbuEerLH5dZFspUu
87PF37Xx7lspd9EqLcg05lUiSNdJyv5zs7ZLTUiBjRE7Vxmvtn2zOaNN yyQ# dig +short +dnssec
-tSOA  mijnuvt.nl @slave.3.0.7
ns1.uvt.nl. hostmaster.uvt.nl. 2012032601 28800 14400 604800 3600
SOA 8 2 3600 20120401174722 20120326015928 45505 mijnuvt.nl.
KSqhqKleUdxOTVoSoaMvyjlJmQbMama1SzlMgos8D3zXGhk2L8vRz7Cd
beXIK16ItwqfNarJGkBF//FX4Gcqh/hqR+dZwAcaIbuEerLH5dZFspUu
87PF37Xx7lspd9EqLcg05lUiSNdJyv5zs7ZLTUiBjRE7Vxmvtn2zOaNN yyQ
I noticed that NSEC3 is not officially supported in 3.0.7 so it is
odd that this system does show the records and not the newer systems.
Is this a bug or do I misunderstand NSEC3 ?

-- 
Casper Gielen <cgielen at uvt.nl> | LIS UNIX
PGP fingerprint = 16BD 2C9F 8156 C242 F981  63B8 2214 083C F80E 4AF7

Universiteit van Tilburg | Postbus 90153, 5000 LE
Warandelaan 2 | Telefoon 013 466 4100 | G 236 | http://www.uvt.nl



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 262 bytes
Desc: OpenPGP digital signature
URL:
<http://lists.nlnetlabs.nl/pipermail/nsd-users/attachments/20120326/d75f9baf/attachment.bin>

Miek Gieben

2012-Mar-26 11:10 UTC

head link

[nsd-users] NSD 3.2.5 not serving NSEC3

[ Quoting <c.gielen at uvt.nl> in "[nsd-users] NSD 3.2.5 not serving
N..." ]> Hello,
> I'm converting my setup from NDS 3.0.7 to NSD 3.2.5. It seems like
NSD3.2.5 does not server NSEC3 records.
> I've got a hidden master and two slaves. The master and one slave run
NSD3.2.5, the other slave still runs 3.0.7.
> NSEC3 queries work for the old slave, but fail on the master and the new
slave.
> 
> The slaves are provisioned through XFR.
 > # dig +short  -tANY 7bomoj6sqq183dea9ljtlg4v6mta3vr8.mijnuvt.nl.
@master.3.2.5
> # dig +short  -tANY 7bomoj6sqq183dea9ljtlg4v6mta3vr8.mijnuvt.nl.
@slave.3.2.5
> # dig +short  -tANY 7bomoj6sqq183dea9ljtlg4v6mta3vr8.mijnuvt.nl.
@slave.3.0.7
> 1 0 5 3F5B57AEA37819BD 9HGMPSH7HR04DVD5IR8U04F64KIGGE57 NS SOA MX RRSIG
DNSKEY NSEC3PARAM
> NSEC3 8 3 3600 20120331095329 20120324082808 45505 mijnuvt.nl.
LXAixCSfTI/C+MXAP77cpTXlpZjGu4cDsbGVFyhs7PjytoY7bB75/qIm
l6eK67tgSN1yxSc1+A4fp0Fizv/+vTTgxZMTcX4+nAERkYJkWwykLRW8
xZD7QBlAeNJ58/LexU02mL/rfPngHScYJLdMRVUIu0O691YmIvEpDLJu ct4>
> # proof that the servers are in sync
I don't know if you have found a bug in NSD, but trying to make a point
with ANY queries isn't helpful. There isn't a good spec. that tells
you what ANY should return.

grtz Miek
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
URL:
<http://lists.nlnetlabs.nl/pipermail/nsd-users/attachments/20120326/25ab566f/attachment.bin>

nsd users - Mar 2012 - NSD 3.2.5 not serving NSEC3

[nsd-users] NSD 3.2.5 not serving NSEC3

[nsd-users] NSD 3.2.5 not serving NSEC3