Hello!

We noticed that some of our NSD 4.3.5 secondaries answered with incomplete NSEC3 RRs for NOERROR/NODATA queries. See below. We could fix the issue by restarting NSD, or by "force_transfer" the zone. I see there are some NSEC3 related changes since 4.3.5, but the commit messages do not fit our problems. Hence, have you heard about this problem? Shall we further debug/watch the issue, or shall we just upgrade to 4.6 to get all NSEC3 fixes?

Thanks
Klaus

BAD RESPONSE

# dig +nsid +dnssec @194.0.25.31 +nocrypto DS gov.cy
;; AUTHORITY SECTION:
cy. 7200 IN SOA cynic6.dns.cy. cydns.ucy.ac.cy. 2022081701 10800 3600 1209600 86400
cy. 7200 IN RRSIG SOA 13 1 7200 20220915210502 20220816200502 60430 cy. [omitted]
980985v4suav2r0hjg81890lr96e1ft9.cy. 86400 IN NSEC3 1 1 0 - 9EANNQLG89O84OKJKCC7TMU6CNQ4TOKD NS SOA RRSIG DNSKEY NSEC3PARAM TYPE65534
980985v4suav2r0hjg81890lr96e1ft9.cy. 86400 IN RRSIG NSEC3 13 2 86400 20220828231753 20220729222906 60430 cy. [omitted]

# nsd-control force_transfer cy
ok

GOOD RESPONSE

# dig +nsid +dnssec @194.0.25.31 +nocrypto DS gov.cy
;; AUTHORITY SECTION:
cy. 7200 IN SOA cynic6.dns.cy. cydns.ucy.ac.cy. 2022081701 10800 3600 1209600 86400
cy. 7200 IN RRSIG SOA 13 1 7200 20220915210502 20220816200502 60430 cy. [omitted]
980985v4suav2r0hjg81890lr96e1ft9.cy. 86400 IN NSEC3 1 1 0 - 9EANNQLG89O84OKJKCC7TMU6CNQ4TOKD NS SOA RRSIG DNSKEY NSEC3PARAM TYPE65534
980985v4suav2r0hjg81890lr96e1ft9.cy. 86400 IN RRSIG NSEC3 13 2 86400 20220828231753 20220729222906 60430 cy. [omitted]
lr3v6n8m71q3kvpso42ovbs4nlh19t84.cy. 86400 IN NSEC3 1 1 0 - N13RLJ1KN8RB464M31T1HD30E2A77BCB NS DS RRSIG
lr3v6n8m71q3kvpso42ovbs4nlh19t84.cy. 86400 IN RRSIG NSEC3 13 2 86400 20220828163430 20220729153831 60430 cy. [omitted]

On 17/08/2022 10:42, Klaus Darilion via nsd-users wrote:

Hi Klaus,

> We noticed that some of our NSD 4.3.5 secondaries answered with
> incomplete NSEC3 RRs for NOERROR/NODATA queries. See below. We could fix
> the issue by restarting NSD, or by "force_transfer" the zone. I see
> there are some NSEC3 related changes since 4.3.5, but the commit
> messages do not fit our problems. Hence, have you heard about this
> problem? Shall we further debug/watch the issue, or shall we just
> upgrade to 4.6 to get all NSEC3 fixes.

Actually, I think you might be seeing this:

https://github.com/NLnetLabs/nsd/issues/171

And you will certainly have to update to something newer than 4.3.5 to avoid this issue.

Regards,
Anand
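
Added example (not part of the thread and not NSD code): a monitoring check that classifies the two AUTHORITY sections quoted above. It computes the RFC 5155 hash of the query name and tests whether the response holds both the closest-encloser NSEC3 and an opt-out NSEC3 covering the name. The function names are hypothetical, and it assumes the query name is a direct child of the zone apex, as gov.cy is of cy.

```python
import base64
import hashlib

# Map the standard base32 alphabet to base32hex, the encoding NSEC3 owner names use.
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

# NSEC3 records copied from the two AUTHORITY sections in the thread (RRSIGs left out).
APEX = ("980985v4suav2r0hjg81890lr96e1ft9.cy. 86400 IN NSEC3 1 1 0 - "
        "9EANNQLG89O84OKJKCC7TMU6CNQ4TOKD NS SOA RRSIG DNSKEY NSEC3PARAM TYPE65534")
COVER = ("lr3v6n8m71q3kvpso42ovbs4nlh19t84.cy. 86400 IN NSEC3 1 1 0 - "
         "N13RLJ1KN8RB464M31T1HD30E2A77BCB NS DS RRSIG")
BAD, GOOD = APEX, APEX + "\n" + COVER

def nsec3_hash(name, salt="-", iterations=0):
    """RFC 5155 SHA-1 hash of a domain name as a lowercase base32hex label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    salt_b = b"" if salt == "-" else bytes.fromhex(salt)
    digest = hashlib.sha1(wire + salt_b).digest()
    for _ in range(iterations):          # "iterations" counts the extra rounds
        digest = hashlib.sha1(digest + salt_b).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode().lower()

def parse_nsec3(authority):
    """Yield (owner_hash, next_hash, opt_out, salt, iterations, types) per NSEC3 line."""
    for line in authority.splitlines():
        f = line.split()
        if len(f) >= 9 and f[3] == "NSEC3":
            yield (f[0].lower().split(".")[0], f[8].lower(),
                   bool(int(f[5]) & 1), f[7], int(f[6]), set(f[9:]))

def covers(owner, nxt, h):
    # The last NSEC3 in the chain wraps around to the first.
    return owner < h < nxt if owner < nxt else (h > owner or h < nxt)

def ds_nodata_proof(qname, zone, authority):
    """Classify the denial in a NODATA answer to a DS query for qname."""
    recs = list(parse_nsec3(authority))
    if not recs:
        return "no-nsec3"
    salt, iters = recs[0][3], recs[0][4]
    h_q, h_apex = nsec3_hash(qname, salt, iters), nsec3_hash(zone, salt, iters)
    for owner, _, _, _, _, types in recs:
        if owner == h_q:                 # direct match: DS bit must be clear
            return "complete" if "DS" not in types else "inconsistent"
    has_encloser = any(r[0] == h_apex for r in recs)
    has_cover = any(opt_out and covers(o, n, h_q) for o, n, opt_out, *_ in recs)
    return "complete" if has_encloser and has_cover else "incomplete"
```

Run periodically against each secondary with the authority section of a dig +dnssec answer as input; an "incomplete" result matches the BAD RESPONSE above, which validating resolvers cannot use as a denial proof.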