It looks like normal NSEC to me, unless you are referring to an isolated copy of the domain not accessible to the public:
;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22416 ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;; QUESTION SECTION: ;dnssec.lu. IN TXT ;; AUTHORITY SECTION: dnssec.lu. 300 IN SOA ns1.restena.lu. hostmaster.restena.lu. 2008110708 3600 300 1209600 300 dnssec.lu. 300 IN RRSIG SOA 5 2 3600 20081207145334 20081107145334 23997 dnssec.lu. kH1rP6S1AIBEe5LoZN+b4f+IfRB48LcMMbfHUAsAP6Pp+7gLIiJwNWfK u5GEgjMlsiO6irarcAfugWd3hkjbThPXpN7mgCxQa35FIluxCkmW7bRr WD78Tg4RMGmKJyFzzNA/m6Vxi9O04fjgk0tlxhoE0MTTsvWP++3ungVO KsU= dnssec.lu. 300 IN NSEC *.dnssec.lu. NS SOA RRSIG NSEC DNSKEY dnssec.lu. 300 IN RRSIG NSEC 5 2 300 20081207145334 20081107145334 23997 dnssec.lu. HVMxwETY/E1EiVfAHcA/zqiCnntg1Eh9CCQzgPLjbqC32Heu9eASgUjT hQcpImO2ehXWNFMKGOPobMqY8AQIKQP0AZ3QLNsYHtyD+tDcJhIQ7HHJ ihAXe5Tg6cFqXWE1ACD3KEekWsAxCvZtBNY8FC+a0oVLiZQlxb7Sufdy o6s= On 13/07/10 2:28 PM, "Gilles Massen" <gilles.mas...@restena.lu> wrote: > Hello, > > I have a signed zone (dnssec.lu) with NSEC3 / no optout, signed through > OpenDNSSEC. The zone contains a wildcard with a TXT and A record. > > Each time the server is queried for something where the QNAME is matched > by the wildcard, but the QTYPE is not, named logs a warning: "expected > covering NSEC3, got an exact match". > > This behaviour exists only if a wildcard is present in the zone. The > zone doesn't contain any stale or unnecessary NSEC3 records. > > Is there an explanation for the warning? Apart from complaining, bind > seems to do everything correctly. (Bind 9.7.1 P1) > > best, > Gilles -- Kal Feher | Melbourne IT | Malmö, Sweden | ph: +46 406 919185 | mob: +46 734 224407 _______________________________________________ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
