please explain error: expected covering NSEC3, got an exact match

Paul Wouters paul at xelerance.com
Mon Mar 29 13:16:43 UTC 2010


On Sun, 28 Mar 2010, Nate Itkin wrote:

> 28-Mar-2010 21:02:27.467 dnssec: warning: client 200.160.7.134#6363: view external: expected covering NSEC3, got an exact match

The error suggests the following happened. The client asked for something
that did not exist. The server then hashes the hostname and looks at the
nsec3 hash that alphabetically covers that hashed hostname. However, it
found the hashed hostname *itself* in the list, indicating that the data
actually exists and should have been returned instead of an nsec3 hash
indicating the hostname did not exist.

I've seen these too, and I'm not sure where they come from. I hope it does
not indicate some kind of bug in the re-signing/re-using of old hashes with
a new zone in dnssec-signzone.

Paul
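
The covering-versus-exact-match distinction described in the message above, as an added example that is not part of the original post and is not BIND's code: it computes RFC 5155 NSEC3 hashes and models the check against a constructed zone whose NSEC3 chain still contains a name the zone no longer has. The zone names, the `negative_proof` helper and the stale-chain scenario are assumptions for illustration, not a diagnosis of the logged warning.

```python
import base64, bisect, hashlib

SALT, ITERATIONS = "aabbccdd", 12   # sample parameters, as in RFC 5155's example zone
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def nsec3_hash(name, salt_hex=SALT, iterations=ITERATIONS):
    """RFC 5155 hash: iterated SHA-1 over the lowercased wire-format name."""
    salt = bytes.fromhex(salt_hex)
    labels = [l for l in name.lower().split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):          # 'iterations' additional rounds
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode().lower()

def build_chain(names):
    """Sorted hashed owner names; each one's 'next' is its successor, wrapping."""
    return sorted(nsec3_hash(n) for n in names)

def classify(qname, chain):
    """('match', hash) if the hash is an owner name, else ('covered', (owner, next))."""
    h = nsec3_hash(qname)
    i = bisect.bisect_left(chain, h)
    if i < len(chain) and chain[i] == h:
        return ("match", h)
    # chain[i - 1] with i == 0 is the last entry: the wrap-around interval
    return ("covered", (chain[i - 1], chain[i % len(chain)]))

def negative_proof(qname, zone_names, chain):
    """Hypothetical model of the check once the server decided qname is absent."""
    if qname in zone_names:
        return "answer"
    kind, detail = classify(qname, chain)
    if kind == "match":
        return "expected covering NSEC3, got an exact match"
    return "NXDOMAIN covered by %s -> %s" % detail

# Constructed zone contents: the stale chain was built while old.example existed.
current_zone = {"example", "www.example", "mail.example"}
stale_chain = build_chain(current_zone | {"old.example"})
fresh_chain = build_chain(current_zone)

if __name__ == "__main__":
    for label, chain in (("stale", stale_chain), ("fresh", fresh_chain)):
        print(label, negative_proof("old.example", current_zone, chain))
```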



More information about the bind-users mailing list