Skip to content

zone unsigned while re-salting

A while ago I set up a test server to generate a lot of IXFR traffic; it has a very large zone, and a script that loops forever running rndc signing -nsec3param to change the salt, generating a new NSEC3 chain every time the previous one finishes building.

I've just noticed that the server doesn't behave the way I expected during re-salting. When the new chain starts building, the old chain's NSEC3PARAM is deleted immediately, and a new one isn't created until the new chain is complete. In a zone with half a million records, that takes hours. During that time, with no NSEC or NSEC3PARAM, the server treats the zone as if it were transitioning to unsigned. It doesn't return RRSIGs in any response except zone transfers or explicit RRSIG queries. It also hides DNSKEY in type=ANY queries.

I had thought the old chain wouldn't be removed until the new one was fully in place. If the zone is small, the new chain builds quickly enough to avoid any problems, but for a big zone there would be validation failures during the transition.

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information