Release: BIND 9.9.5

I regularly perform key rollovers and zone validation of an inline-signed zone. The zone validator receives NOTIFYs and then it transfers the zone and validates it (using dnssec-verify and validns).

I also regularly call "rndc retransfer" to make sure to have a correct zone. Sometimes my zone validator receives zone files with incomplete NSEC3 chains (NSEC3 RRs are missing and the chain skips these missing RRs, and the NSEC3PARAM RR is missing). I suspect that due to the "rndc retransfer" Bind starts to recalculate the complete NSEC3 chain and my zone validator fetches the zone while Bind recalculates the NSEC3 chain.

1. Why does Bind provide an incomplete zone file for zone transfer? The transferred zone is broken. IMO Bind should not provide broken zones. Either it should provide the old zone while re-calculating the NSEC3 chain, or it should refuse the zone transfer until the NSEC3 chain is correct again.

2. Why does "rndc retransfer" re-calculate the NSEC3 chain, but a normal zone transfer (increase serial + NOTIFY) does not? Both use AXFR to fetch the zone.

Thanks
Klaus
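An added example, not part of Klaus's post and not BIND, dnssec-verify or validns code: a small Python checker for exactly the two symptoms described above, an NSEC3PARAM record missing at the apex and NSEC3 records dropped from the chain with the remaining records re-linked around the gap. It implements the RFC 5155 SHA-1 hash itself, so the constructed sample zone (`example.test.`, hypothetical) can be generated in the good and in the broken state and the checker run over both. It assumes one RR per line with fully qualified owner names, as `dig AXFR` prints them, and it checks only the chain and its coverage, not type bitmaps or RRSIGs.

```python
"""Check that a transferred NSEC3 zone has NSEC3PARAM and a complete,
closed NSEC3 chain covering every name that needs one (RFC 5155)."""
import base64
import hashlib
from typing import List, Tuple

# base32 (RFC 4648 standard alphabet) -> base32hex (extended hex alphabet)
_TO_HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                        "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name: str) -> bytes:
    """Canonical (lowercased) wire-format owner name, the input RFC 5155 hashes."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """NSEC3 hash, algorithm 1 (SHA-1): H(H(...H(name||salt)||salt)...), base32hex."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):                 # "iterations" = additional rounds
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode().translate(_TO_HEX).lower()


def parse_zone(text: str) -> List[Tuple[str, str, List[str]]]:
    """One RR per line (dig AXFR style): owner [TTL] [class] type rdata..."""
    rrs = []
    for line in text.splitlines():
        toks = line.split(";")[0].split()
        if not toks:
            continue
        i = 1
        if i < len(toks) and toks[i].isdigit():           # optional TTL
            i += 1
        if i < len(toks) and toks[i].upper() == "IN":     # optional class
            i += 1
        rrs.append((toks[0].lower(), toks[i].upper(), toks[i + 1:]))
    return rrs


def check_nsec3_zone(text: str) -> List[str]:
    """Return a list of problems; an empty list means the chain is complete."""
    rrs, problems = parse_zone(text), []
    apex = next((o for o, t, _ in rrs if t == "SOA"), None)
    if apex is None:
        return ["no SOA record"]
    nsec3 = {o.split(".")[0]: r for o, t, r in rrs if t == "NSEC3"}   # hash -> rdata
    if not nsec3:
        return ["no NSEC3 records"]
    params = [r for o, t, r in rrs if t == "NSEC3PARAM" and o == apex]
    if params:
        _, _, iters, salt = params[0][:4]
    else:   # fall back to the parameters of the NSEC3 RRs themselves
        problems.append("NSEC3PARAM missing at apex")
        _, _, iters, salt = next(iter(nsec3.values()))[:4]
    iters = int(iters)
    # 1. chain: in hash order each RR must point to its successor, last wraps to first
    owners = sorted(nsec3)
    for i, h in enumerate(owners):
        nxt, want = nsec3[h][4].lower(), owners[(i + 1) % len(owners)]
        if nxt not in nsec3:
            problems.append(f"NSEC3 {h} points to missing NSEC3 {nxt}")
        elif nxt != want:
            problems.append(f"NSEC3 {h} should point to {want}, not {nxt}")
    # 2. coverage: every in-zone name (plus empty non-terminals) needs an NSEC3,
    #    except glue below delegations and, with Opt-Out, insecure delegations
    def below(name, zone): return name.endswith("." + zone)
    deleg = {o for o, t, _ in rrs if t == "NS" and o != apex}
    ds = {o for o, t, _ in rrs if t == "DS"}
    opt_out = any(int(r[1]) & 1 for r in nsec3.values())
    need = set()
    for o, t, _ in rrs:
        if t in ("NSEC3", "RRSIG") or (o != apex and not below(o, apex)):
            continue
        if any(below(o, d) for d in deleg):
            continue                                   # glue
        if o in deleg and o not in ds and opt_out:
            continue                                   # opted-out delegation
        need.add(o)
    for o in list(need):                               # empty non-terminals
        labels = o.rstrip(".").split(".")
        for k in range(1, len(labels)):
            anc = ".".join(labels[k:]) + "."
            if not below(anc, apex):
                break
            need.add(anc)
    for o in sorted(need):
        h = nsec3_hash(o, salt, iters)
        if h not in nsec3:
            problems.append(f"no NSEC3 for {o} (expected owner {h})")
    return problems


# --- constructed sample zone (hypothetical names, not a real zone) ----------
SALT, ITER = "abcd", 10
SAMPLE_RRS = [
    ("example.test.", "SOA", "ns1.example.test. hostmaster.example.test. 2014051201 3600 900 604800 300"),
    ("example.test.", "NS", "ns1.example.test."),
    ("ns1.example.test.", "A", "192.0.2.1"),
    ("www.example.test.", "A", "192.0.2.80"),
    ("mail.example.test.", "A", "192.0.2.25"),
]


def build_zone(with_param: bool = True, drop: Tuple[str, ...] = ()) -> str:
    """Emit the sample zone with a generated NSEC3 chain. Names in `drop` get no
    NSEC3 and the chain is re-linked around the gap, which is the broken state
    the post describes (type bitmaps are simplified; they are not checked)."""
    lines = [f"{o} 300 IN {t} {r}" for o, t, r in SAMPLE_RRS]
    if with_param:
        lines.append(f"example.test. 0 IN NSEC3PARAM 1 0 {ITER} {SALT}")
    names = {o for o, _, _ in SAMPLE_RRS} - set(drop)
    hashed = sorted(nsec3_hash(n, SALT, ITER) for n in names)
    for i, h in enumerate(hashed):
        nxt = hashed[(i + 1) % len(hashed)]
        lines.append(f"{h}.example.test. 300 IN NSEC3 1 0 {ITER} {SALT} {nxt} A RRSIG")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("good zone:", check_nsec3_zone(build_zone()) or "OK")
    print("broken zone:", check_nsec3_zone(build_zone(with_param=False, drop=("www.example.test.",))))
```

Run against a real transfer with `check_nsec3_zone(open("zone.axfr").read())` after `dig @master example.test. AXFR > zone.axfr`. The coverage check is what catches the post's case: when BIND has dropped an NSEC3 and re-linked its neighbours, the chain itself still closes cleanly, so a validator that only walks the chain reports nothing; only re-hashing every in-zone name and looking it up exposes the gap. The hash routine can be cross-checked against the RFC 5155 Appendix A vectors.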