reason for "expected covering NSEC3, got an exact match" ?
Kalman Feher
kalman.feher at melbourneit.com.au
Tue Jul 13 13:03:28 UTC 2010
It looks like normal NSEC to me, unless you are referring to an isolated
copy of the domain not accessible to the public:
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22416
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;dnssec.lu. IN TXT
;; AUTHORITY SECTION:
dnssec.lu. 300 IN SOA ns1.restena.lu.
hostmaster.restena.lu. 2008110708 3600 300 1209600 300
dnssec.lu. 300 IN RRSIG SOA 5 2 3600 20081207145334
20081107145334 23997 dnssec.lu.
kH1rP6S1AIBEe5LoZN+b4f+IfRB48LcMMbfHUAsAP6Pp+7gLIiJwNWfK
u5GEgjMlsiO6irarcAfugWd3hkjbThPXpN7mgCxQa35FIluxCkmW7bRr
WD78Tg4RMGmKJyFzzNA/m6Vxi9O04fjgk0tlxhoE0MTTsvWP++3ungVO KsU=
dnssec.lu. 300 IN NSEC *.dnssec.lu. NS SOA RRSIG
NSEC DNSKEY
dnssec.lu. 300 IN RRSIG NSEC 5 2 300 20081207145334
20081107145334 23997 dnssec.lu.
HVMxwETY/E1EiVfAHcA/zqiCnntg1Eh9CCQzgPLjbqC32Heu9eASgUjT
hQcpImO2ehXWNFMKGOPobMqY8AQIKQP0AZ3QLNsYHtyD+tDcJhIQ7HHJ
ihAXe5Tg6cFqXWE1ACD3KEekWsAxCvZtBNY8FC+a0oVLiZQlxb7Sufdy o6s=
On 13/07/10 2:28 PM, "Gilles Massen" <gilles.massen at restena.lu> wrote:
> Hello,
>
> I have a signed zone (dnssec.lu) with NSEC3 / no optout, signed through
> OpenDNSSEC. The zone contains a wildcard with a TXT and A record.
>
> Each time the server is queried for something where the QNAME is matched
> by the wildcard, but the QTYPE is not, named logs a warning: "expected
> covering NSEC3, got an exact match".
>
> This behaviour exists only if a wildcard is present in the zone. The
> zone doesn't contain any stale or unnecessary NSEC3 records.
>
> Is there an explanation for the warning? Apart from complaining, bind
> seems to do everything correctly. (Bind 9.7.1 P1)
>
> best,
> Gilles
--
Kal Feher | Melbourne IT | Malmö, Sweden | ph: +46 406 919185 | mob: +46 734
224407
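
Added example (not from either poster, and not BIND or OpenDNSSEC code): the warning quoted above distinguishes an NSEC3 record that matches a name from one that covers it. This Python code computes RFC 5155 owner hashes, classifies one NSEC3 record against a hashed name, and lists the three names whose hashes a wildcard no-data proof involves (RFC 5155 section 7.2.5). The function names are assumptions, and any salt, iteration count or hash passed in is constructed, not taken from the dnssec.lu zone.

```python
import base64
import hashlib

# Added example; function names are illustrative, not BIND or OpenDNSSEC code.
# Map the standard base32 alphabet to the base32hex alphabet NSEC3 uses.
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def wire_name(name):
    """Canonical (lower-case) DNS wire format of a domain name."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 section 5: SHA-1 over name||salt, then `iterations` more rounds."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode().lower()

def classify(owner_hash, next_hash, target_hash):
    """Relation of one NSEC3 record (owner_hash -> next_hash) to a hashed name."""
    if target_hash == owner_hash:
        return "match"            # name exists; the type bitmap applies to it
    if owner_hash < next_hash:    # ordinary interval in the hash chain
        covered = owner_hash < target_hash < next_hash
    else:                         # last record wraps around to the first
        covered = target_hash > owner_hash or target_hash < next_hash
    return "cover" if covered else "unrelated"

def wildcard_nodata_names(qname, closest_encloser):
    """Names hashed for a wildcard no-data proof (RFC 5155 section 7.2.5)."""
    q = qname.rstrip(".").lower().split(".")
    ce = closest_encloser.rstrip(".").lower().split(".")
    if len(q) <= len(ce) or q[-len(ce):] != ce:
        raise ValueError("qname must be strictly below the closest encloser")
    next_closer = ".".join(q[len(q) - len(ce) - 1:])
    return {"closest_encloser": ".".join(ce),   # needs a matching NSEC3
            "next_closer": next_closer,         # needs a covering NSEC3
            "wildcard": "*." + ".".join(ce)}    # needs a matching NSEC3
```

Hashing each returned name with the zone's NSEC3PARAM values and running `classify` against the NSEC3 records in a response shows which records match and which cover.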