Maintained by: NLnet Labs

[Unbound-users] no NSEC3 closest encloser

W.C.A. Wijngaards
Fri Aug 1 09:08:43 CEST 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Shmick,

On 07/31/2014 05:18 PM, shmick at riseup.net wrote:
> 
> 
> 
> TXT IN>: no NSEC3 closest encloser from 127.0.0.1 for DS
> host.example.com.
> 
> 
> could i have some advice about this concerning my domain and what
> it could potentially mean ?

Unbound received an invalid DNSSEC packet from the authority server.
It is missing an NSEC3 record (it indicates which one).

> i recently signed my zone with a different algorithm; now signing
> zone with NSEC3RSASHA1 i receive this error

I guess something went wrong with new signed zone and that NSEC3 RR is
missing from the zone, or, your authority server software fails to
include that NSEC3 RR in the response.  Since the authority server
software used to work previously, I would guess the signer is at
fault, given you said you were working with that.

If you run unbound (or unbound-host) with verbosity 4 (with
unbound-host -dddd) then it prints out the packet that it receives in
a dig-style output format; that is exactly the packet that is the error.

Best regards,
   Wouter


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBAgAGBQJT2zz2AAoJEJ9vHC1+BF+NhEEQAKIPcXbbke6eYKX2/Aa2DsSW
SpJkUq/DNKGsEngr275FHJfSn3T8T7sogGiBl2HgEn3l7tSicOkx/sDBwh0v9SzC
CBldHYsY2up2+bkT/qlX+QtxKBzFOxdzY1g40N61+jBv12aMgUvApcmyFaJDxkEb
uSgOZ2TJ8L1rgpwH0IXot6J0y/ny/Q7Ug9iEEMDBL1KhypM+woe5dnTNhi65g8S+
rOwbDQKujV6Wg+4nRsWFlT2MRG9Mg5RDpCZsoThQs8ezpw1aF6wKlO1RAZ6DJ/jW
xGl7prxUfhfHVG5lbb6OWRSE657tqzuYwGAHKwxDRPz9YLkXBTF2967cUpDqk8WW
B52xf7fg4E2/z0QIK7ffEegbROg3td4wJtSekTiuEHUR8ji8pnwH8raFdiCTONtE
V7ot3TAljrMWeuVtwjVwuQz/o5Wgq4JmhzxKJYBTcpDydOK1mE5cqrvru7ruDF4T
qLTaPHEL4TAFuBYJWKEgCpb1Y47YIJIM2r9oXEedPC3PtPp3MUpizeJ/P0OJsCVN
B9IJw62X837jStsblPfbkHmOG+R/z6RV9HwwDbN1K3hrS5R46IS9l+PKq35V3DF2
CHcKjGmiPpfamqXzCf0jYPVoiUsXDVPxumXZVC5rUXJ/gPmg6XlwfqG2SF6ypf3g
+SpibFMBVHyiRikvyXG3
=AfbK
-----END PGP SIGNATURE-----