[Dnssec-deployment] Bind 9 validation failure on kocarkydavidek.cz (NSEC3 related)
marka at isc.org
Wed Oct 19 09:14:53 EDT 2011
In message <4E9EB3EF.9050701 at nlnetlabs.nl>, Matthijs Mekking writes:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> On 10/18/2011 06:07 PM, Mark Andrews wrote:
> > Named is looking for a closest encloser NSEC3 record and not finding
> > it. I have a patch to get the closest encloser from the RRSIG of
> > the A record and with that the response validates. The patch still
> > needs to be reviewed.
> > Mark
> It is not only at the validator, Bind9 also sends too much NSEC3 records
> in the case of a wildcard answer response.
> See http://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=390
> Best regards,
While I agree it shouldn't be emitted it should cause no problems
for other validators. We were already discussing when we should
stop emitting it. At a minimum we need to stop emitting it
to check that we can validate a response without it.
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
More information about the Dnssec-deployment