expected covering NSEC3, got an exact match

Chris Thompson cet1 at cam.ac.uk
Fri Oct 7 15:20:45 UTC 2011

On Sep 22 2011, I wrote:

>There was some correspondence last year about this warning message, but
>this seems to be caused by something new.
>Since 2011-09-02 we have been seeing messages like this
> Sep 22 16:38:52 authdns1.csx.cam.ac.uk named[646]: dnssec: warning:
> client expected covering NSEC3, got an exact match
>on both our main authoritative-only (recursion no) nameservers. Our own
>zones don't use NSEC3, but we do officially slave two that do (srcf.net
>and srcf.ucam.org) so I have been assuming that they are responsible in
>some way. But we didn't change anything in the server configuration at
>the time the messages started, and the zone administrator (hi, Malcolm!)
>says the same about the contents of the two zones.
>We were running BIND 9.7.4 at that stage, but upgrading to 9.8.1 hasn't
>caused the messages to go away, as I had rather hoped.
>Has anyone any clues about this one? Or observed anything similar?

We never did manage to track down exactly what was wrong with the
NSEC3 records, but the problem seems to have been cured by the zone
signer being upgraded from OpenDNSSEC 1.2.1 to 1.3.2.

Chris Thompson
Email: cet1 at cam.ac.uk

More information about the bind-users mailing list