puzzling answer of dig with +sigchase/NSEC3

Klaus Malorny Klaus.Malorny at knipp.de
Mon Nov 9 15:47:02 UTC 2009


I am playing around with a signed zone which uses NSEC3. If I try to verify a 
non-existing name or a non-existing type with the "sigchase" option, I get the 
strange error:

;; Impossible to verify the Non-existence, the NSEC RRset can't be validated: FAILED

I then checked it with the "org" TLD (which I assume to be properly signed), and 
get the same result if I issue a "dig +sigchase +trusted-key=/tmp/trustedkeys 
org txt" command. I checked that in both cases, the correct NSEC3 record was 
returned by named.

I would have expected to get a "SUCCESS" also, i.e. that the negative answer 
could have been validated so far. Did I miss anything?  For zones using NSEC, 
like "se", this seems to work. Is there no full support for NSEC3 in dig yet?

BTW: I am using 9.7.0b2 with openssl support and the -DDIG_SIGCHASE flag.
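For reference, the two checks a validator has to perform on an NSEC3 negative answer (and that the sigchase code evidently does not complete here) are hashing the queried name as RFC 5155 specifies and testing whether the returned NSEC3 record's hash interval covers it. The following is an added example, not code from the poster or from BIND; it assumes hash algorithm 1 (SHA-1, the only one RFC 5155 defines), and the owner/next hashes used at the bottom are constructed, not taken from a real zone.

```python
import base64
import hashlib

# NSEC3 owner names use base32hex (RFC 4648 section 7); Python's b32encode
# emits the standard alphabet, so translate it.
_B32_STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_B32_HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV"
_TO_HEX = str.maketrans(_B32_STD, _B32_HEX)


def wire_name(name: str) -> bytes:
    """Canonical (lowercased) wire-format encoding of a domain name."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.lower().encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 section 5: SHA-1 over (wire name || salt), then re-hashed
    `iterations` more times with the salt appended each round.
    A salt of "-" in presentation format means an empty salt."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20 bytes -> exactly 32 base32hex characters, so no padding to strip
    return base64.b32encode(digest).decode("ascii").translate(_TO_HEX).lower()


def nsec3_covers(owner_hash: str, next_hash: str, target_hash: str) -> bool:
    """True if target_hash lies strictly between the record's owner hash and
    its next hash. The last NSEC3 in the chain wraps around (next < owner),
    a case a naive owner < target < next test would wrongly reject."""
    o, n, t = (h.lower() for h in (owner_hash, next_hash, target_hash))
    if o < n:
        return o < t < n
    return t > o or t < n  # wrap-around at the end of the hashed chain


if __name__ == "__main__":
    # Constructed NSEC3PARAM values and a constructed interval for illustration.
    h = nsec3_hash("nonexistent.example.", "aabbccdd", 12)
    print("H(nonexistent.example.) =", h)
    print("covered by [0000...,vvvv...):", nsec3_covers("0" * 32, "v" * 32, h))
```

RFC 5155 Appendix A carries a fully worked example zone whose comments list the hash of every name, which is the easiest way to confirm an implementation of this function.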



More information about the bind-users mailing list