NSEC records aren't signed with both configured algorithms during NSEC3->NSEC transition
This behavior has been observed in the nsec3 system test: https://gitlab.isc.org/isc-projects/bind9/-/jobs/3223579. It seems to be an intermittent failure that isn't reliably reproducible.
```
I:nsec3:verify DNSSEC for zone nsec3-to-rsasha1-ds.kasp (110)
I:nsec3:error: DNSSEC verify failed for zone nsec3-to-rsasha1-ds.kasp
I:nsec3:failed
```
dnssec-verify failed with:

```
Verifying the zone using the following algorithms:
- RSASHA1
- ECDSAP256SHA256
Missing ZSK for algorithm RSASHA1
Missing ZSK for algorithm ECDSAP256SHA256
No correct ECDSAP256SHA256 signature for a.nsec3-to-rsasha1-ds.kasp NSEC
No correct ECDSAP256SHA256 signature for b.nsec3-to-rsasha1-ds.kasp NSEC
No correct ECDSAP256SHA256 signature for c.nsec3-to-rsasha1-ds.kasp NSEC
The zone is not fully signed for the following algorithms:
RSASHA1
ECDSAP256SHA256
.
DNSSEC completeness test failed.
```
The signatures for the NSEC records weren't added for all algorithms, e.g. `a.nsec3-to-rsasha1-ds.kasp. NSEC` only has an RSASHA1 (algorithm 5) signature:

```
$ grep 'add re-sign.*a.nsec3-to-rsasha1-ds.kasp.*RRSIG.*NSEC ' ns3/named.run
09-Mar-2023 14:24:10.622 add re-sign a.nsec3-to-rsasha1-ds.kasp. 300 IN RRSIG NSEC 5 3 300 20230319032047 20230309132410 22352 nsec3-to-rsasha1-ds.kasp. PW2zoqereBVN2WjDe9+HdKMvupIP/QYxysrPfRmplfR+D/sxYklgWwI9 J6wCMyscR9xG8eKajn8c6z/9pxvVrGvMyP9eSmFWA/a0JWPw4a+yzttH wiMVBXqDA3E/V7q3K1P9NCTzVcR+XK+yrN/7JfraHQghTuE8beOCwsLR 2RohfIYb7VNlrnIo1B2mvIp0z7bPVeVqajy2V0z5SITK8HiJgbjZ5Jca lV6COMo2FVyxhNB9iI+RxI4r/JJdPU6OFBjK1GzvoUnDRVfz03izSBzg BIDNgpWhWyfe6P9vdWXZRUB8TPStHXW1W8CXubOXg97mtCTWKhloi9o+ ruMeBg==
```
Interestingly enough, the apex NSEC does have both signatures:
```
$ grep 'add re-sign.* nsec3-to-rsasha1-ds.kasp.*RRSIG.*NSEC ' ns3/named.run
09-Mar-2023 14:24:10.626 add re-sign nsec3-to-rsasha1-ds.kasp. 300 IN RRSIG NSEC 5 2 300 20230321155735 20230309132410 22352 nsec3-to-rsasha1-ds.kasp. ZScI7V66B0KmV5CkRIba/4D1l0ZVdG+XAocya2/4XY8nIYNAg8zU3EOH mOPsb4QwbmBKfc5qVJasAdpWeV4FedqN8yaF1iwtekzL82ual3Sm2GSy DfVNpFYbp1Mg+bERgUe3EFMSujmOpdF8m5YjIkWSN8kmVCuwRgc0DR34 8kQT9aJ27S8S4D/1b9MO5MSTvhkBoYShr894f4x5X5WJypqYi1xUdCeB X+3gtjqhn0/A/TnP+m83iQ1L9MoHQS0p1LovAsC6K9nWswp3IE55a11D ld3YGJt8g09uuS4BiofHFLlb7fSi1U9LQMiXVXhpztrjfQk7ma1OWv6u GY+gpg==
09-Mar-2023 14:24:10.626 add re-sign nsec3-to-rsasha1-ds.kasp. 300 IN RRSIG NSEC 13 2 300 20230321155735 20230309132410 47231 nsec3-to-rsasha1-ds.kasp. s9PtE0eacEjEML1dfL48KUBXGj8aISaetvPwPUcAD6U7+prNNWTTW536 8+QvIlM4t74aXWFe3PnsFH3QaGoi0g==
...
```
And for non-NSEC records, both signatures are there as well, e.g. `a.nsec3-to-rsasha1-ds.kasp. A`:

```
$ grep 'add re-sign.*a.nsec3-to-rsasha1-ds.kasp.*RRSIG.*A ' ns3/named.run
09-Mar-2023 14:24:05.222 add re-sign a.nsec3-to-rsasha1-ds.kasp. 300 IN RRSIG A 13 3 300 20230317145326 20230309132405 47231 nsec3-to-rsasha1-ds.kasp. 6TJmT7qJJIqQYg6ILbRWekcrlIZX67qHVq1jysMf2vopoCR9avLbaogq 2rtyMEQJ0JhtFg2taRI17EFgMjX4+A==
09-Mar-2023 14:24:10.622 add re-sign a.nsec3-to-rsasha1-ds.kasp. 300 IN RRSIG A 5 3 300 20230319032047 20230309132410 22352 nsec3-to-rsasha1-ds.kasp. hM0G1NY/V8rudj+suz86tOK+aTWkicF2KyipE9ao2dQFGX4F/IpUtLPd Akn6mnlC4G6PNjch1c1evWzPjynxnGuO8jv0QjC8sl/F9UHTANDq7o36 P1Orn/n9POcBs9OKk0GQNwfMdUrIzPxJuFfEsJzzNZi3fA/5GLvN9tBn vQqzx9+t99v64wk+O+Cno4uYAMMjz+wR6JKOWAqUJ6JT0hLQ+sNamXTU yRGBaCZf5gNbz5VZWUsuxv9FT/gWEc6X/mwEia8TkAwlP+VAvoiL8iDo Azma2qOUWiSM+n4/Lr9xl+9He9DHy6Cpjk5AVF4W4wTiES3gxwKuS06q 98CqwQ==
```
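The three greps above are doing by hand what dnssec-verify's completeness test does: checking that every RRset carries an RRSIG for every algorithm present in the zone's DNSKEY RRset (RFC 4035 section 2.2, restated in RFC 6840 section 5.11). The script below is an added example, not part of this issue or of BIND's code; it parses the `add re-sign` lines from `named.run` (or any RRSIG lines in presentation format), groups the signing algorithms per owner name and covered type, and reports every RRset that is missing an algorithm. The zone algorithm set `{5, 13}` is assumed from the dnssec-verify output above, and the embedded sample log is the issue's own lines with the signature data truncated.

```python
import re
from collections import defaultdict

# IANA DNSSEC algorithm numbers; only the two used by this zone are needed.
ALG_NAMES = {5: "RSASHA1", 13: "ECDSAP256SHA256"}

# Matches the RRSIG part of a named.run "add re-sign" line or a zone-file line:
#   <owner> <ttl> IN RRSIG <covered type> <algorithm> <labels> ...
RRSIG_RE = re.compile(
    r"(?P<owner>\S+)\s+\d+\s+IN\s+RRSIG\s+(?P<covered>\S+)\s+(?P<alg>\d+)\s+"
)

# Constructed sample: the issue's log lines with the base64 signature data cut short.
SAMPLE_LOG = """\
09-Mar-2023 14:24:10.622 add re-sign a.nsec3-to-rsasha1-ds.kasp. 300 IN RRSIG NSEC 5 3 300 20230319032047 20230309132410 22352 nsec3-to-rsasha1-ds.kasp. PW2zoqereBVN...
09-Mar-2023 14:24:10.626 add re-sign nsec3-to-rsasha1-ds.kasp. 300 IN RRSIG NSEC 5 2 300 20230321155735 20230309132410 22352 nsec3-to-rsasha1-ds.kasp. ZScI7V66B0Km...
09-Mar-2023 14:24:10.626 add re-sign nsec3-to-rsasha1-ds.kasp. 300 IN RRSIG NSEC 13 2 300 20230321155735 20230309132410 47231 nsec3-to-rsasha1-ds.kasp. s9PtE0eacEjE...
09-Mar-2023 14:24:05.222 add re-sign a.nsec3-to-rsasha1-ds.kasp. 300 IN RRSIG A 13 3 300 20230317145326 20230309132405 47231 nsec3-to-rsasha1-ds.kasp. 6TJmT7qJJIqQ...
09-Mar-2023 14:24:10.622 add re-sign a.nsec3-to-rsasha1-ds.kasp. 300 IN RRSIG A 5 3 300 20230319032047 20230309132410 22352 nsec3-to-rsasha1-ds.kasp. hM0G1NY/V8ru...
"""


def parse_rrsigs(lines):
    """Return {(owner, covered_type): set(algorithm numbers)} from RRSIG lines.

    Lines without an RRSIG (other log noise) are ignored.
    """
    coverage = defaultdict(set)
    for line in lines:
        m = RRSIG_RE.search(line)
        if m:
            coverage[(m.group("owner"), m.group("covered"))].add(int(m.group("alg")))
    return coverage


def missing_signatures(lines, zone_algorithms):
    """List (owner, covered_type, algorithm) for each RRset that lacks a signature
    by one of the zone's configured algorithms.

    zone_algorithms is the set of algorithm numbers present in the DNSKEY RRset;
    a validator may reject the zone if any RRset is not signed by all of them.
    """
    coverage = parse_rrsigs(lines)
    gaps = []
    for (owner, covered), algs in sorted(coverage.items()):
        for alg in sorted(set(zone_algorithms) - algs):
            gaps.append((owner, covered, alg))
    return gaps


def report(lines, zone_algorithms):
    """Human-readable version of missing_signatures(), one line per gap."""
    return [
        f"{owner} {covered}: no {ALG_NAMES.get(alg, alg)} ({alg}) signature"
        for owner, covered, alg in missing_signatures(lines, zone_algorithms)
    ]


if __name__ == "__main__":
    # Assumed from the dnssec-verify output: the zone has RSASHA1 and ECDSAP256SHA256 keys.
    for line in report(SAMPLE_LOG.splitlines(), {5, 13}):
        print(line)
```

Run against a real `named.run`, the call would be `missing_signatures(open("ns3/named.run"), {5, 13})`; on the sample it flags only `a.nsec3-to-rsasha1-ds.kasp. NSEC` for algorithm 13, matching the three `No correct ECDSAP256SHA256 signature` lines that dnssec-verify printed (b and c are not in the sample). Because every RRSIG line for a name is grouped regardless of when it was logged, the check is insensitive to the re-sign ordering that makes this failure intermittent.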