[Dnssec-deployment] Bind 9 validation failure on kocarkydavidek.cz (NSEC3 related)

Matthijs Mekking matthijs at NLnetLabs.nl
Wed Oct 19 07:26:39 EDT 2011


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/18/2011 06:07 PM, Mark Andrews wrote:
> Named is looking for a closest encloser NSEC3 record and not finding
> it.  I have a patch to get the closest encloser from the RRSIG of
> the A record and with that the response validates.  The patch still
> needs to be reviewed.
> 
> Mark

It is not only at the validator, Bind9 also sends too much NSEC3 records
in the case of a wildcard answer response.

See http://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=390

Best regards,
  Matthijs
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJOnrPvAAoJEA8yVCPsQCW5UB4IAJZbnfTZruLJ3jYn3+z/+Um1
V08xSFDMgCFnRXJ+DEv4ooxPSIBSzhqkBWyfUjDsif0oD8CIYkP6BXp+zru9LmQH
ftWxLkymfWEVV9Cs6rNilIvX/cSas8cZTfMcCl9907FA6P3GCbV1kx0d/QKJvJBa
24wGWy8gRTtESmEg4o3bXvpERzXMBbS54HNOA9wd4tYsFywiOW9wvkx/r+m8CZLi
yQjW+N5F+CZWQ5FJKMsHpRTIyUNAlzUFJkEjMmLmZXQhKah5kEQuQwZOXnv4zmDK
of6rEO/hx6YxDFfw15fe7L81oQImFX0awz2BZQLa0tYg3RzZjbRvKMsainEs4tA=
=pXie
-----END PGP SIGNATURE-----


More information about the Dnssec-deployment mailing list