Wrong NSEC3 responses

Hello!

We noticed that some of our NSD 4.3.5 secondaries answered with incomplete NSEC3 RRs for NOERROR/NODATA queries. See below. We could fix the issue by restarting NSD, or by “force_transfer” the zone. I see there are some NSEC3 related changes since 4.3.5, but the commit messages do not fit our problems. Hence, have you heard about this problem? Shall we further debug/watch the issue, or shall we just upgrade to 4.6 to get all NSEC3 fixes?

Thanks

Klaus

BAD RESPONSE

dig +nsid +dnssec @194.0.25.31 +nocrypto DS gov.cy

;; AUTHORITY SECTION:

cy. 7200 IN SOA cynic6.dns.cy. cydns.ucy.ac.cy. 2022081701 10800 3600 1209600 86400

cy. 7200 IN RRSIG SOA 13 1 7200 20220915210502 20220816200502 60430 cy. [omitted]

980985v4suav2r0hjg81890lr96e1ft9.cy. 86400 IN NSEC3 1 1 0 - 9EANNQLG89O84OKJKCC7TMU6CNQ4TOKD NS SOA RRSIG DNSKEY NSEC3PARAM TYPE65534

980985v4suav2r0hjg81890lr96e1ft9.cy. 86400 IN RRSIG NSEC3 13 2 86400 20220828231753 20220729222906 60430 cy. [omitted]

nsd-control force_transfer cy

ok

GOOD RESPONSE

dig +nsid +dnssec @194.0.25.31 +nocrypto DS gov.cy

;; AUTHORITY SECTION:

cy. 7200 IN SOA cynic6.dns.cy. cydns.ucy.ac.cy. 2022081701 10800 3600 1209600 86400

cy. 7200 IN RRSIG SOA 13 1 7200 20220915210502 20220816200502 60430 cy. [omitted]

980985v4suav2r0hjg81890lr96e1ft9.cy. 86400 IN NSEC3 1 1 0 - 9EANNQLG89O84OKJKCC7TMU6CNQ4TOKD NS SOA RRSIG DNSKEY NSEC3PARAM TYPE65534

980985v4suav2r0hjg81890lr96e1ft9.cy. 86400 IN RRSIG NSEC3 13 2 86400 20220828231753 20220729222906 60430 cy. [omitted]

lr3v6n8m71q3kvpso42ovbs4nlh19t84.cy. 86400 IN NSEC3 1 1 0 - N13RLJ1KN8RB464M31T1HD30E2A77BCB NS DS RRSIG

lr3v6n8m71q3kvpso42ovbs4nlh19t84.cy. 86400 IN RRSIG NSEC3 13 2 86400 20220828163430 20220729153831 60430 cy. [omitted]
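A check for whether an authority section like the two above carries a complete NSEC3 NODATA proof for a DS query (RFC 5155 section 8.6), added here as an example; it is not part of the original post and not NSD code. It assumes the dig presentation format shown above, hash algorithm 1 with the iterations and salt taken from the records themselves, and it generalises the gov.cy case by walking up the name to find the closest encloser (RFC 5155 section 8.3).

```python
# Completeness check for an NSEC3 NODATA proof with QTYPE=DS (RFC 5155 s8.6). Added example, not NSD code.
import base64, hashlib
from dataclasses import dataclass
_TO_HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def nsec3_hash(name, iterations=0, salt=b""):  # RFC 5155 s5, hash algorithm 1 (SHA-1)
    wire = b"".join(bytes([len(l)]) + l.encode()  # canonical (lowercase) wire-format name
                    for l in name.rstrip(".").lower().split(".") if l) + b"\x00"
    h = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return base64.b32encode(h).decode().translate(_TO_HEX).lower()  # 32 chars, no padding

@dataclass
class NSEC3:
    owner_hash: str    # first label of the owner name, lowercase base32hex
    flags: int         # bit 0 = Opt-Out
    params: tuple      # (iterations, salt) of the zone's NSEC3 chain
    next_hash: str
    types: frozenset

def parse_nsec3(line):  # dig line: owner TTL IN NSEC3 alg flags iterations salt next [types]
    f = line.split()
    salt = b"" if f[7] == "-" else bytes.fromhex(f[7])
    return NSEC3(f[0].split(".")[0].lower(), int(f[5]), (int(f[6]), salt), f[8].lower(), frozenset(f[9:]))

def covers(rr, h):  # h strictly inside (owner, next); the last RR of the chain wraps around
    o, n = rr.owner_hash, rr.next_hash
    return o < h < n if o < n else (h > o or h < n)

def check_nodata_ds(qname, rrs):
    p = rrs[0]  # every NSEC3 of one zone uses the same iterations and salt
    H = lambda n: nsec3_hash(n, *p.params)
    hq = H(qname)
    match = next((rr for rr in rrs if rr.owner_hash == hq), None)
    if match:  # s8.6: a matching NSEC3 must not carry the DS bit
        return "DS exists, not NODATA" if "DS" in match.types else "complete: match, no DS"
    labels = qname.rstrip(".").split(".")
    for i in range(1, len(labels)):  # s8.3: closest encloser = nearest ancestor with a match
        if any(rr.owner_hash == H(".".join(labels[i:])) for rr in rrs):
            nc = H(".".join(labels[i - 1:]))  # next closer name must lie in an Opt-Out span
            if any(rr.flags & 1 and covers(rr, nc) for rr in rrs):
                return "complete: opt-out span covers next closer name"
            return "INCOMPLETE: closest encloser matched, next closer name not covered"
    return "INCOMPLETE: no closest encloser proof"

# The two NSEC3 lines from the thread (RRSIGs omitted); the bad answer carried only APEX.
APEX = "980985v4suav2r0hjg81890lr96e1ft9.cy. 86400 IN NSEC3 1 1 0 - 9EANNQLG89O84OKJKCC7TMU6CNQ4TOKD NS SOA RRSIG DNSKEY NSEC3PARAM TYPE65534"
SPAN = "lr3v6n8m71q3kvpso42ovbs4nlh19t84.cy. 86400 IN NSEC3 1 1 0 - N13RLJ1KN8RB464M31T1HD30E2A77BCB NS DS RRSIG"
for tag, lines in (("bad", [APEX]), ("good", [APEX, SPAN])):
    print(tag, check_nodata_ds("gov.cy", [parse_nsec3(x) for x in lines]))
```

The check mirrors what a validating resolver does with the authority section, so an answer it reports as INCOMPLETE fails DNSSEC validation at the resolver instead of yielding a secure NODATA.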

Hi Klaus,

> We noticed that some of our NSD 4.3.5 secondaries answered with
> incomplete NSEC3 RRs for NOERROR/NODATA queries. See below. We could fix
> the issue by restarting NSD, or by "force_transfer" the zone. I see
> there are some NSEC3 related changes since 4.3.5, but the commit
> messages do not fit our problems. Hence, have you heard about this
> problem? Shall we further debug/watch the issue, or shall we just
> upgrade to 4.6 to get all NSEC3 fixes.

Actually, I think you might be seeing this:

https://github.com/NLnetLabs/nsd/issues/171

And you will certainly have to update to something newer than 4.3.5 to avoid this issue.

Regards,
Anand

Hi Anand!

From: Anand Buddhdev <anandb@ripe.net>
Sent: Wednesday, 17 August 2022 12:06
To: Klaus Darilion <klaus.darilion@nic.at>; nsd-users@lists.nlnetlabs.nl
Subject: Re: [nsd-users] wrong NSEC3 responses

> Hi Klaus,

> We noticed that some of our NSD 4.3.5 secondaries answered with
> incomplete NSEC3 RRs for NOERROR/NODATA queries. See below. We could fix
> the issue by restarting NSD, or by "force_transfer" the zone. I see
> there are some NSEC3 related changes since 4.3.5, but the commit
> messages do not fit our problems. Hence, have you heard about this
> problem? Shall we further debug/watch the issue, or shall we just
> upgrade to 4.6 to get all NSEC3 fixes.

> Actually, I think you might be seeing this:

> https://github.com/NLnetLabs/nsd/issues/171

That sounds possible.

> And you will certainly have to update to something newer than 4.3.5 to
> avoid this issue.

We are on the way to 4.6 - see my other questions on the mailing list :-)

Thanks
Klaus