Hello list (and this time it's not the DHCP list...),

Using bind 9.9.5 with inline-signing, I have a test wildcard cname record in two zones:

    *.cnametest.lancs.ac.uk CNAME www.lancs.ac.uk
    *.cnametest.palatine.ac.uk CNAME www.palatine.ac.uk

dnsviz is showing the error "NSEC3 proving non-existence of foo.cnametest.lancs.ac.uk./CNAME: QNAME_NOT_COVERED" for the lancs.ac.uk version (but the palatine.ac.uk version is fine).

According to delv, both are fully validated, but the palatine output has one extra line:

    ;; validating foo.cnametest.palatine.ac.uk/A: NSEC3 at super-domain cnametest.palatine.ac.uk

I can see a discrepancy in the NSEC3 records in the Authority section:

For palatine.ac.uk:

    AEP7P2GGD4GEBNRMSBP4I97SU0MKR5R9.palatine.ac.uk. 3600 IN NSEC3 1 0 10 BB1150B39E44B92F E92VAEN6BQ1T2N54AA2RSA1V49RM394S

(AEP... is the hash of cnametest.palatine.ac.uk)

For lancs.ac.uk:

    RA9FSQ8NSK36A6568UHF8L26UFV2B1PG.lancs.ac.uk. 3600 IN NSEC3 1 0 10 9B6EFFBA177399A0 RA9V2QS7NE6Q5VLKU2EF4QONHP5CGIJR A RRSIG

(RA9... isn't the hash of cnametest.lancs.ac.uk, and it's claiming there are A and RRSIG records!?).

Both cnametest records were added today, so the signature inception time of the lancs.ac.uk NSEC3's RRSIG being yesterday (20141118125729), is very odd...

What's going on? Both zones are being signed by the same instance of bind and there are no interesting log messages.

Thanks,

Graham

--
Graham Clinch
Systems Programmer, Lancaster University
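The hash comparison described in the message can be reproduced offline. The following is an added example, not part of the original post: it computes the RFC 5155 NSEC3 hash (algorithm 1, SHA-1) and reports whether a quoted NSEC3 record matches, covers, or does neither for each name involved in the wildcard expansion. The function names are hypothetical; the record values are copied from the message.

```python
import base64
import hashlib

# base32 (RFC 4648) alphabet -> base32hex alphabet used for NSEC3 owner names
_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                           "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 hash (algorithm 1, SHA-1) of a domain name, as base32hex."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):          # "iterations" counts additional rounds
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_TO_B32HEX)

def classify(name, owner_hash, next_hash, salt_hex, iterations):
    """Return 'matches', 'covers' or 'neither' for one NSEC3 record and a name."""
    h = nsec3_hash(name, salt_hex, iterations)
    owner, nxt = owner_hash.upper(), next_hash.upper()
    if h == owner:
        return "matches"
    if owner < nxt:
        covered = owner < h < nxt
    else:                                # last record in the chain wraps around
        covered = h > owner or h < nxt
    return "covers" if covered else "neither"

# NSEC3 records copied from the message: zone, owner hash, salt, iterations, next hash
RECORDS = [
    ("palatine.ac.uk", "AEP7P2GGD4GEBNRMSBP4I97SU0MKR5R9", "BB1150B39E44B92F", 10,
     "E92VAEN6BQ1T2N54AA2RSA1V49RM394S"),
    ("lancs.ac.uk", "RA9FSQ8NSK36A6568UHF8L26UFV2B1PG", "9B6EFFBA177399A0", 10,
     "RA9V2QS7NE6Q5VLKU2EF4QONHP5CGIJR"),
]

def check(zone, owner, salt, iters, nxt):
    """Classify the names involved in the wildcard expansion against one record."""
    names = [f"foo.cnametest.{zone}", f"*.cnametest.{zone}", f"cnametest.{zone}"]
    return {n: classify(n, owner, nxt, salt, iters) for n in names}

if __name__ == "__main__":
    for rec in RECORDS:
        for name, verdict in check(*rec).items():
            print(f"{verdict:8} {name}  (NSEC3 {rec[1]}.{rec[0]})")
```
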