Hello,
I'm converting my setup from NSD 3.0.7 to NSD 3.2.5. It seems like NSD 3.2.5
does not serve NSEC3 records.
I've got a hidden master and two slaves. The master and one slave run
NSD3.2.5, the other slave still runs 3.0.7.
NSEC3 queries work for the old slave, but fail on the master and the new slave.
The slaves are provisioned through XFR.
# first find an NSEC3 record on the master:
# grep NSEC3 mijnuvt.nl |head -n 4
mijnuvt.nl. 3600 IN NSEC3PARAM 1 0 5 3f5b57aea37819bd
mijnuvt.nl. 3600 IN RRSIG NSEC3PARAM 8 2 3600 20120402093126
20120325235926 45505 mijnuvt.nl.
h/Fe0oZS/+QpdtscqReJ0gXOSahv1qnFGmYANdh0KytVrCACnThLos556jkjmjw+cHlk5QH/Gf6m6YRJuxKsNXQHQoWkfBAGCH/Gz1zRkimrQcxPKAYKtqpocWN8KbNrb4oZuptjrrvZzNwG0KuPBOcswK88qBJpU/V/g3uXbvY
7bomoj6sqq183dea9ljtlg4v6mta3vr8.mijnuvt.nl. 3600 IN NSEC3 1 0 5 3f5b57aea37819bd 9hgmpsh7hr04dvd5ir8u04f64kigge57
NS SOA MX RRSIG DNSKEY NSEC3PARAM
7bomoj6sqq183dea9ljtlg4v6mta3vr8.mijnuvt.nl. 3600 IN RRSIG NSEC3 8
3 3600 20120331095329 20120324082808 45505 mijnuvt.nl.
LXAixCSfTI/C+MXAP77cpTXlpZjGu4cDsbGVFyhs7PjytoY7bB75/qIml6eK67tgSN1yxSc1+A4fp0Fizv/+vTTgxZMTcX4+nAERkYJkWwykLRW8xZD7QBlAeNJ58/LexU02mL/rfPngHScYJLdMRVUIu0O691YmIvEpDLJuct4
# dig +short -tANY 7bomoj6sqq183dea9ljtlg4v6mta3vr8.mijnuvt.nl. @master.3.2.5
# dig +short -tANY 7bomoj6sqq183dea9ljtlg4v6mta3vr8.mijnuvt.nl. @slave.3.2.5
# dig +short -tANY 7bomoj6sqq183dea9ljtlg4v6mta3vr8.mijnuvt.nl. @slave.3.0.7
1 0 5 3F5B57AEA37819BD 9HGMPSH7HR04DVD5IR8U04F64KIGGE57 NS SOA MX RRSIG DNSKEY
NSEC3PARAM
NSEC3 8 3 3600 20120331095329 20120324082808 45505 mijnuvt.nl.
LXAixCSfTI/C+MXAP77cpTXlpZjGu4cDsbGVFyhs7PjytoY7bB75/qIm
l6eK67tgSN1yxSc1+A4fp0Fizv/+vTTgxZMTcX4+nAERkYJkWwykLRW8
xZD7QBlAeNJ58/LexU02mL/rfPngHScYJLdMRVUIu0O691YmIvEpDLJu ct4
# proof that the servers are in sync
# dig +short +dnssec -tSOA mijnuvt.nl @master.3.2.5
ns1.uvt.nl. hostmaster.uvt.nl. 2012032601 28800 14400 604800 3600
SOA 8 2 3600 20120401174722 20120326015928 45505 mijnuvt.nl.
KSqhqKleUdxOTVoSoaMvyjlJmQbMama1SzlMgos8D3zXGhk2L8vRz7Cd
beXIK16ItwqfNarJGkBF//FX4Gcqh/hqR+dZwAcaIbuEerLH5dZFspUu
87PF37Xx7lspd9EqLcg05lUiSNdJyv5zs7ZLTUiBjRE7Vxmvtn2zOaNN yyQ
# dig +short +dnssec -tSOA mijnuvt.nl @slave.3.2.5
ns1.uvt.nl. hostmaster.uvt.nl. 2012032601 28800 14400 604800 3600
SOA 8 2 3600 20120401174722 20120326015928 45505 mijnuvt.nl.
KSqhqKleUdxOTVoSoaMvyjlJmQbMama1SzlMgos8D3zXGhk2L8vRz7Cd
beXIK16ItwqfNarJGkBF//FX4Gcqh/hqR+dZwAcaIbuEerLH5dZFspUu
87PF37Xx7lspd9EqLcg05lUiSNdJyv5zs7ZLTUiBjRE7Vxmvtn2zOaNN yyQ
# dig +short +dnssec -tSOA mijnuvt.nl @slave.3.0.7
ns1.uvt.nl. hostmaster.uvt.nl. 2012032601 28800 14400 604800 3600
SOA 8 2 3600 20120401174722 20120326015928 45505 mijnuvt.nl.
KSqhqKleUdxOTVoSoaMvyjlJmQbMama1SzlMgos8D3zXGhk2L8vRz7Cd
beXIK16ItwqfNarJGkBF//FX4Gcqh/hqR+dZwAcaIbuEerLH5dZFspUu
87PF37Xx7lspd9EqLcg05lUiSNdJyv5zs7ZLTUiBjRE7Vxmvtn2zOaNN yyQ
I noticed that NSEC3 is not officially supported in 3.0.7 so it is
odd that this system does show the records and not the newer systems.
Is this a bug or do I misunderstand NSEC3?
--
Casper Gielen <cgielen at uvt.nl> | LIS UNIX
PGP fingerprint = 16BD 2C9F 8156 C242 F981 63B8 2214 083C F80E 4AF7
Universiteit van Tilburg | Postbus 90153, 5000 LE
Warandelaan 2 | Telefoon 013 466 4100 | G 236 | http://www.uvt.nl
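
Added example, not part of the original message or of NSD: how the hashed owner label of an NSEC3 record is derived from a name and the zone's NSEC3PARAM values as defined in RFC 5155, so the owner name in the grep output above can be compared with the hash of the zone apex. Function names are hypothetical; the sample values in the main block are copied from the message.

```python
import base64
import hashlib

# Standard base32 alphabet -> base32hex ("extended hex") alphabet used by NSEC3.
_B32_TO_HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                            "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def parse_nsec3param(rdata):
    """Split NSEC3PARAM rdata text into (algorithm, flags, iterations, salt)."""
    alg, flags, iterations, salt = rdata.split()
    salt_bytes = b"" if salt == "-" else bytes.fromhex(salt)
    return int(alg), int(flags), int(iterations), salt_bytes

def wire_name(name):
    """Canonical (lower-case) DNS wire format of a domain name."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"

def nsec3_hash(name, rdata):
    """Hashed owner label for `name` under the given NSEC3PARAM rdata."""
    alg, _flags, iterations, salt = parse_nsec3param(rdata)
    if alg != 1:
        raise ValueError("only hash algorithm 1 (SHA-1) is defined")
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):  # `iterations` counts the additional rounds
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_HEX).lower()

def matches_name(nsec3_owner, name, rdata):
    """True if the first label of `nsec3_owner` is the NSEC3 hash of `name`."""
    return nsec3_owner.split(".")[0].lower() == nsec3_hash(name, rdata)

if __name__ == "__main__":
    # Values copied from the grep output in the message above.
    params = "1 0 5 3f5b57aea37819bd"
    owner = "7bomoj6sqq183dea9ljtlg4v6mta3vr8.mijnuvt.nl."
    print("hash of apex:", nsec3_hash("mijnuvt.nl.", params))
    print("owner matches apex hash:", matches_name(owner, "mijnuvt.nl.", params))
```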