Validns 0.8 reports inconsistencies in the NSEC3 chain regarding mixed hash algorithms, like these two NSEC3 RRs:
nt3p0u8gvljva4rhrfrsquk64ehkpfmi.de. 3600 IN NSEC3 2 1 16 0947e8799e2a1326 o0ck6cu1h02gebpq458pkefv1j5qdfm3 NS SOA RRSIG DNSKEY NSEC3PARAM
5pi10b6oo32ackimi5entgjkhtasdtru.de. 3600 IN NSEC3 1 1 16 0947e8799e2a1326 5q1jgrrol77ft0873j0pr9f41r5mtha3 A RRSIG
Unfortunately it does not detect if there is a mismatch of the salt and iterations or the Opt-In / Opt-Out Flag.
Here are some examples for the cases which are not detected:
Opt-In/Opt-Out:
nt3p0u8gvljva4rhrfrsquk64ehkpfmi.de. 3600 IN NSEC3 1 0 16 0947e8799e2a1326 o0ck6cu1h02gebpq458pkefv1j5qdfm3 NS SOA RRSIG DNSKEY NSEC3PARAM
ljpe46seqcufhqtbho12nd877sgvohlt.de. 3600 IN NSEC3 1 1 16 0947e8799e2a1326 lm8cmbau3njoq7mhakq35btbohposf1q A RRSIG
Iterations:
nt3p0u8gvljva4rhrfrsquk64ehkpfmi.de. 3600 IN NSEC3 1 1 17 0947e8799e2a1326 o0ck6cu1h02gebpq458pkefv1j5qdfm3 NS SOA RRSIG DNSKEY NSEC3PARAM
db4dqnt03hg68utinuksrifbirrtm969.de. 3600 IN NSEC3 1 1 16 0947e8799e2a1326 dbjimap2ouup2nfmh1digdu2fbvkrof5 NS DS RRSIG
Salt:
nt3p0u8gvljva4rhrfrsquk64ehkpfmi.de. 3600 IN NSEC3 1 1 16 DEADBEEF o0ck6cu1h02gebpq458pkefv1j5qdfm3 NS SOA RRSIG DNSKEY NSEC3PARAM
vq0lr2sjgbblgehekbf6n6bv52fl3mno.de. 3600 IN NSEC3 1 1 16 0947e8799e2a1326 vvg7t4t2mqchdinbkl7b4ms8ii9l6l35 A RRSIG
The easiest way to check this is to check if each NSEC3-Record matches any NSEC3PARAM.
This implies that all NSEC3 records matching a specific NSEC3PARAM have consistent salt and iterations.
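The check proposed above, as an added example that is not part of the original issue or of validns: every NSEC3 record's hash algorithm, iterations and salt must match some NSEC3PARAM, and the Opt-Out bit is compared across the NSEC3 records themselves, because RFC 5155 requires the NSEC3PARAM flags field to be zero. Assumptions: one fully written record per line (owner, TTL, class, type, RDATA), a constructed NSEC3PARAM line, NSEC3 lines adapted from the records in the issue, and hypothetical function names `parse` and `check`.

```python
from collections import Counter

# Constructed sample zone: the NSEC3PARAM line is invented for this example,
# the NSEC3 lines are adapted from the records quoted in the issue.
SAMPLE_ZONE = """\
de. 3600 IN NSEC3PARAM 1 0 16 0947e8799e2a1326
nt3p0u8gvljva4rhrfrsquk64ehkpfmi.de. 3600 IN NSEC3 1 1 17 0947e8799e2a1326 o0ck6cu1h02gebpq458pkefv1j5qdfm3 NS SOA RRSIG DNSKEY NSEC3PARAM
db4dqnt03hg68utinuksrifbirrtm969.de. 3600 IN NSEC3 1 1 16 0947e8799e2a1326 dbjimap2ouup2nfmh1digdu2fbvkrof5 NS DS RRSIG
vq0lr2sjgbblgehekbf6n6bv52fl3mno.de. 3600 IN NSEC3 1 1 16 DEADBEEF vvg7t4t2mqchdinbkl7b4ms8ii9l6l35 A RRSIG
ljpe46seqcufhqtbho12nd877sgvohlt.de. 3600 IN NSEC3 1 0 16 0947e8799e2a1326 lm8cmbau3njoq7mhakq35btbohposf1q A RRSIG
"""

def parse(zone_text):
    """Return (params, nsec3s) from 'owner ttl class type rdata' lines."""
    params, nsec3s = set(), []
    for line in zone_text.splitlines():
        f = line.split()
        if len(f) < 8 or f[3] not in ("NSEC3", "NSEC3PARAM"):
            continue
        alg, flags, iters = int(f[4]), int(f[5]), int(f[6])
        salt = "" if f[7] == "-" else f[7].lower()  # hex salt, "-" is empty
        if f[3] == "NSEC3PARAM":
            if flags == 0:  # RFC 5155: non-zero NSEC3PARAM flags are ignored
                params.add((alg, iters, salt))
        else:
            nsec3s.append((f[0], alg, flags & 1, iters, salt))  # bit 0 = Opt-Out
    return params, nsec3s

def check(zone_text):
    """Return a list of (owner, finding) tuples for inconsistent NSEC3 records."""
    params, nsec3s = parse(zone_text)
    # Algorithm, iterations and salt must match at least one NSEC3PARAM.
    findings = [(owner, "no matching NSEC3PARAM")
                for owner, alg, _, iters, salt in nsec3s
                if (alg, iters, salt) not in params]
    # Opt-Out is not carried by NSEC3PARAM, so compare it within the chain.
    if nsec3s:
        common = Counter(r[2] for r in nsec3s).most_common(1)[0][0]
        findings += [(r[0], "Opt-Out flag differs from rest of chain")
                     for r in nsec3s if r[2] != common]
    return findings

if __name__ == "__main__":
    for owner, finding in check(SAMPLE_ZONE):
        print(f"{owner}: {finding}")
```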