incomplete NSEC3 chains
Klaus Darilion
klaus.mailinglists at pernau.at
Mon Jun 30 16:31:55 UTC 2014
Release: BIND 9.9.5
I regularly perform key rollovers and zone validation of an
inline-signed zone. The zone validator receives NOTIFYs and then it
transfers the zone and validates it (using dnssec-verify and validns).
I also regularly call "rndc retransfer" to make sure to have an correct
zone.
Sometimes my zone validator receives zone files with incomplete NSEC3
chains (NSEC3 RRs are missing and the chain skips this missing RRs, and
the NSEC3PARM RR is missing.
I suspect that due to the "rndc retransfer" Bind starts to recalculate
the complete NSEC3 chain and my zone validator fetches the zone while
Bind recalculates the NSEC3 chain.
1. Why does Bind provide an incomplete zone file for zone transfer? The
transferred zone is broken. IMO Bind should not provide broken zones.
Either it should provide the old zone while re-calculating the NSEC3
chain, or it should refuse the zone transfer until the NSEC3 chain is
correct again.
2. Why does the "rndc retransfer" re-calculates the NSEC3 chain, but
normal zone transfer (increase serial + NOTIFY) not? Both use AXFR to
fetch the zone.
Thanks
Klaus
More information about the bind-users
mailing list