NSD 3.2.5 not serving NSEC3

Hello,
I'm converting my setup from NSD 3.0.7 to NSD 3.2.5. It seems like NSD 3.2.5 does not serve NSEC3 records.
I've got a hidden master and two slaves. The master and one slave run NSD3.2.5, the other slave still runs 3.0.7.
NSEC3 queries work for the old slave, but fail on the master and the new slave.

The slaves are provisioned through XFR.

# first find an NSEC3 record on the master:

# grep NSEC3 mijnuvt.nl |head -n 4
mijnuvt.nl. 3600 IN NSEC3PARAM 1 0 5 3f5b57aea37819bd
mijnuvt.nl. 3600 IN RRSIG NSEC3PARAM 8 2 3600 20120402093126 20120325235926 45505 mijnuvt.nl. h/Fe0oZS/+QpdtscqReJ0gXOSahv1qnFGmYANdh0KytVrCACnThLos556jkjmjw+cHlk5QH/Gf6m6YRJuxKsNXQHQoWkfBAGCH/Gz1zRkimrQcxPKAYKtqpocWN8KbNrb4oZuptjrrvZzNwG0KuPBOcswK88qBJpU/V/g3uXbvY=
7bomoj6sqq183dea9ljtlg4v6mta3vr8.mijnuvt.nl. 3600 IN NSEC3 1 0 5 3f5b57aea37819bd 9hgmpsh7hr04dvd5ir8u04f64kigge57 NS SOA MX RRSIG DNSKEY NSEC3PARAM
7bomoj6sqq183dea9ljtlg4v6mta3vr8.mijnuvt.nl. 3600 IN RRSIG NSEC3 8 3 3600 20120331095329 20120324082808 45505 mijnuvt.nl. LXAixCSfTI/C+MXAP77cpTXlpZjGu4cDsbGVFyhs7PjytoY7bB75/qIml6eK67tgSN1yxSc1+A4fp0Fizv/+vTTgxZMTcX4+nAERkYJkWwykLRW8xZD7QBlAeNJ58/LexU02mL/rfPngHScYJLdMRVUIu0O691YmIvEpDLJuct4=

# dig +short -tANY 7bomoj6sqq183dea9ljtlg4v6mta3vr8.mijnuvt.nl. @master.3.2.5
# dig +short -tANY 7bomoj6sqq183dea9ljtlg4v6mta3vr8.mijnuvt.nl. @slave.3.2.5
# dig +short -tANY 7bomoj6sqq183dea9ljtlg4v6mta3vr8.mijnuvt.nl. @slave.3.0.7
1 0 5 3F5B57AEA37819BD 9HGMPSH7HR04DVD5IR8U04F64KIGGE57 NS SOA MX RRSIG DNSKEY NSEC3PARAM
NSEC3 8 3 3600 20120331095329 20120324082808 45505 mijnuvt.nl. LXAixCSfTI/C+MXAP77cpTXlpZjGu4cDsbGVFyhs7PjytoY7bB75/qIm l6eK67tgSN1yxSc1+A4fp0Fizv/+vTTgxZMTcX4+nAERkYJkWwykLRW8 xZD7QBlAeNJ58/LexU02mL/rfPngHScYJLdMRVUIu0O691YmIvEpDLJu ct4=

# proof that the servers are in sync
# dig +short +dnssec -tSOA mijnuvt.nl @master.3.2.5
ns1.uvt.nl. hostmaster.uvt.nl. 2012032601 28800 14400 604800 3600
SOA 8 2 3600 20120401174722 20120326015928 45505 mijnuvt.nl. KSqhqKleUdxOTVoSoaMvyjlJmQbMama1SzlMgos8D3zXGhk2L8vRz7Cd beXIK16ItwqfNarJGkBF//FX4Gcqh/hqR+dZwAcaIbuEerLH5dZFspUu 87PF37Xx7lspd9EqLcg05lUiSNdJyv5zs7ZLTUiBjRE7Vxmvtn2zOaNN yyQ=
# dig +short +dnssec -tSOA mijnuvt.nl @slave.3.2.5
ns1.uvt.nl. hostmaster.uvt.nl. 2012032601 28800 14400 604800 3600
SOA 8 2 3600 20120401174722 20120326015928 45505 mijnuvt.nl. KSqhqKleUdxOTVoSoaMvyjlJmQbMama1SzlMgos8D3zXGhk2L8vRz7Cd beXIK16ItwqfNarJGkBF//FX4Gcqh/hqR+dZwAcaIbuEerLH5dZFspUu 87PF37Xx7lspd9EqLcg05lUiSNdJyv5zs7ZLTUiBjRE7Vxmvtn2zOaNN yyQ=
# dig +short +dnssec -tSOA mijnuvt.nl @slave.3.0.7
ns1.uvt.nl. hostmaster.uvt.nl. 2012032601 28800 14400 604800 3600
SOA 8 2 3600 20120401174722 20120326015928 45505 mijnuvt.nl. KSqhqKleUdxOTVoSoaMvyjlJmQbMama1SzlMgos8D3zXGhk2L8vRz7Cd beXIK16ItwqfNarJGkBF//FX4Gcqh/hqR+dZwAcaIbuEerLH5dZFspUu 87PF37Xx7lspd9EqLcg05lUiSNdJyv5zs7ZLTUiBjRE7Vxmvtn2zOaNN yyQ=

I noticed that NSEC3 is not officially supported in 3.0.7 so it is
odd that this system does show the records and not the newer systems.
Is this a bug or do I misunderstand NSEC3?

[ Quoting <c.gielen@uvt.nl> in "[nsd-users] NSD 3.2.5 not serving N..." ]

I don't know if you have found a bug in NSD, but trying to make a point
with ANY queries isn't helpful. There isn't a good spec. that tells
you what ANY should return.

grtz Miek

Hi,

On 26-03-12 13:37, W.C.A. Wijngaards wrote:

The NSEC3 spec forbids direct queries for NSEC3 records. You can
query for NSEC3PARAM records. You can query for nxdomain and see the
NSEC3 records in the reply (+dnssec).

That must be it. Thanks for explaining. The NSD version I'm using is so
old that it doesn't know it shouldn't serve NSEC3. Some check sends me
alerts the zones are not in sync. I'll ignore it for now.
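
Added example, not part of the original thread: a sketch of the RFC 5155 hash that shows why the NSEC3 owner name queried above is a hashed label rather than an ordinary name, and how an NSEC3 record in an NXDOMAIN reply (+dnssec) covers a nonexistent name. The salt, iteration count and the two hashes are taken from the zone excerpt in the first message; reading the record with SOA in its type bitmap as the apex record, the function names and the query name in `main()` are assumptions.

```python
import base64
import hashlib

# Values from the zone excerpt in the thread (NSEC3PARAM "1 0 5 3f5b57aea37819bd").
SALT, ITERATIONS = "3f5b57aea37819bd", 5
APEX_OWNER = "7bomoj6sqq183dea9ljtlg4v6mta3vr8"   # owner label of the NSEC3 RR
NEXT_HASH = "9hgmpsh7hr04dvd5ir8u04f64kigge57"    # "next hashed owner" field

# Standard base32 alphabet mapped to base32hex (RFC 4648), lowercase as in zone files.
_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                           "0123456789abcdefghijklmnopqrstuv")

def wire_name(name: str) -> bytes:
    """Canonical (lowercased) DNS wire format of a domain name."""
    stripped = name.rstrip(".").lower()
    if not stripped:
        return b"\x00"                      # the root name
    out = b""
    for label in stripped.split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 section 5 hash for algorithm 1 (SHA-1)."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):             # 'iterations' additional rounds
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_TO_B32HEX)

def covers(owner_hash: str, next_hash: str, target_hash: str) -> bool:
    """True if target_hash falls strictly inside the NSEC3 interval."""
    if owner_hash < next_hash:
        return owner_hash < target_hash < next_hash
    # The last record in the chain wraps around to the first.
    return target_hash > owner_hash or target_hash < next_hash

def main() -> None:
    apex = nsec3_hash("mijnuvt.nl.", SALT, ITERATIONS)
    print("hash(mijnuvt.nl.) =", apex, "matches owner:", apex == APEX_OWNER)
    qname = "doesnotexist.mijnuvt.nl."      # hypothetical query name
    h = nsec3_hash(qname, SALT, ITERATIONS)
    print(f"hash({qname}) = {h} covered by this record:",
          covers(APEX_OWNER, NEXT_HASH, h))

if __name__ == "__main__":
    main()
```

A sync check built on this would compare SOA serials or NSEC3PARAM answers across servers instead of sending ANY queries for hashed owner names.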