BIND logs "expected covering NSEC3, got an exact match"
After upgrading some auth-only servers from 9.18.29 to 9.18.30, our BIND instances started logging messages like these for multiple queries and multiple zones:
20-Sep-2024 12:57:52.071 dnssec: client @0x7faec5e59168 77.78.192.50#26171 (185.7.158.219.in-addr.arpa): view main: expected covering NSEC3, got an exact match
I don't actually know if this is a problem or not. I can reproduce this message locally on the server with the following query:
; <<>> DiG 9.18.30 <<>> +norec +dnssec @localhost ptr 185.7.158.219.in-addr.arpa
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 29495
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;185.7.158.219.in-addr.arpa. IN PTR
;; AUTHORITY SECTION:
219.in-addr.arpa. 3600 IN SOA ns.apnic.net. read-txt-record-of-zone-first-dns-admin.apnic.net. 3006085814 7200 1800 604800 3600
219.in-addr.arpa. 3600 IN RRSIG SOA 13 3 3600 20241005065959 20240920052959 63763 219.in-addr.arpa. aWPnVAcnb42p72QoWYLLR+BZnxBHiBBzIIf2esISWmCRf13+vmIVYDAt rwGFyLNYCdNIPaacUMCW1YuqIbkIpw==
35pepqepd9ul7fki3jcs2vpvls8ih0gp.219.in-addr.arpa. 3600 IN NSEC3 1 0 0 B1F1582EE4C1C00E 35QI8BUPBI5P0QV1ELH0LFU5FFI7B6FV NS SOA RRSIG DNSKEY NSEC3PARAM CDS CDNSKEY
35pepqepd9ul7fki3jcs2vpvls8ih0gp.219.in-addr.arpa. 3600 IN RRSIG NSEC3 13 4 3600 20241005065959 20240920052959 63763 219.in-addr.arpa. dPjRcMthofV8wSv5xgtOpmRFvfla2ZHctTR26DqGlbXPaR4QeIuLLsa4 iT7uKTa+lGbNKmnb6JKrZuBH71Xgqg==
fh8mjjh4v2golfmkc74nr1e2hhvu0q13.219.in-addr.arpa. 3600 IN NSEC3 1 0 0 B1F1582EE4C1C00E FHAOH0KTDD3JC53N1N4N5IJN8J8R7OL2
fh8mjjh4v2golfmkc74nr1e2hhvu0q13.219.in-addr.arpa. 3600 IN RRSIG NSEC3 13 4 3600 20241005065959 20240920052959 63763 219.in-addr.arpa. XJtQQDKpZfDlzZLGnsnyIFIK/2p7qTuOmx2XnCNZdqSe7HYLG98pdXaQ L2vkYvF7uBtJ3tn0kpi6Et/f8s2aIA==
9n0gmqaqvn30poat850s18p0l1lvbcjr.219.in-addr.arpa. 3600 IN NSEC3 1 0 0 B1F1582EE4C1C00E 9NR6453MB01I95UD6V3BTVQ1BR05LBGD NS
9n0gmqaqvn30poat850s18p0l1lvbcjr.219.in-addr.arpa. 3600 IN RRSIG NSEC3 13 4 3600 20241005065959 20240920052959 63763 219.in-addr.arpa. xRFQsliMWzLGBCAW91fl1kIEqbeovzQVow1uxnKad/jD3jyhzJEXpQTC 5y7F1TY71yTWkHKXzx1c6v0M7lk9Mw==
The corresponding log entry is:
20-Sep-2024 13:38:42.186 dnssec: client @0x7fafc26dc168 ::1#50588 (185.7.158.219.in-addr.arpa): view main: expected covering NSEC3, got an exact match
The zone in question, 219.in-addr.arpa, is an NSEC3-signed secondary zone operated by APNIC. Our server carries more such zones operated by APNIC and signed with NSEC3. Please let me know if you need a copy of the zone.
@ondrej asked me to add a reference to #4460 (closed)
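An added worked example, written for this report and not taken from it or from BIND, of what the NXDOMAIN proof in RFC 5155 section 8.4 requires: one NSEC3 record that matches the closest encloser exactly, and records that cover (strictly enclose, never match) the next closer name and the wildcard below the closest encloser. The functions hash a name the way NSEC3 does (SHA-1, salt, iterations, base32hex), decide match versus cover, and check the NSEC3 set carried in a response; the verdict string for an NSEC3 that matches where one should cover deliberately reuses the wording of the logged message. The toy zone used by the checks and the function names are my own; the `__main__` section feeds in the three NSEC3 records from the dig output above, so running the file stand-alone shows the verdict for the reported query.

```python
"""NSEC3 NXDOMAIN proof check (RFC 5155 sections 5, 8.3 and 8.4). Added example."""
import base64
import hashlib

# NSEC3 owner names use base32hex (RFC 4648 s.7); Python only ships base32, so remap.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name: str) -> bytes:
    """Canonical wire form: lowercase, length-prefixed labels, terminating root byte."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """IH(x,0) = H(x || salt); IH(x,k) = H(IH(x,k-1) || salt); H is SHA-1 (algorithm 1)."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20 bytes -> 32 base32hex characters, no padding; lowercase for comparisons
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()


def covers(owner: str, nxt: str, h: str) -> bool:
    """True when h lies strictly between owner and next; the last record wraps to the first."""
    owner, nxt, h = owner.lower(), nxt.lower(), h.lower()
    if owner < nxt:
        return owner < h < nxt
    return h > owner or h < nxt


def parse_nsec3_line(line: str) -> dict:
    """Parse one presentation-format NSEC3 RR (as dig prints it) into its fields."""
    f = line.split()
    i = f.index("NSEC3")
    return {"owner": f[0].split(".")[0].lower(), "algorithm": int(f[i + 1]),
            "flags": int(f[i + 2]), "iterations": int(f[i + 3]),
            "salt": f[i + 4], "next": f[i + 5].lower(), "types": f[i + 6:]}


def build_chain(zone_names, salt_hex, iterations):
    """Constructed chain for a toy zone: sorted hashes, each pointing at the next."""
    hashes = sorted(nsec3_hash(n, salt_hex, iterations) for n in zone_names)
    return [(h, hashes[(i + 1) % len(hashes)]) for i, h in enumerate(hashes)]


def ancestors(qname: str, zone: str):
    """qname followed by each ancestor up to and including the zone apex."""
    labels = qname.rstrip(".").lower().split(".")
    depth = len(zone.rstrip(".").split("."))
    return [".".join(labels[i:]) for i in range(len(labels) - depth + 1)]


def check_nxdomain_proof(qname, zone, nsec3_set, salt_hex, iterations) -> dict:
    """Section 8.4: closest encloser matched exactly, next closer and wildcard covered."""
    recs = [(o.lower(), n.lower()) for o, n in nsec3_set]
    owners = {o for o, _ in recs}
    h = lambda n: nsec3_hash(n, salt_hex, iterations)
    covered = lambda n: any(covers(o, nx, h(n)) for o, nx in recs)
    names = ancestors(qname, zone)
    # An NXDOMAIN proof needs a record that COVERS the query name; a record that
    # MATCHES it asserts the name exists, which contradicts the NXDOMAIN rcode.
    if h(qname) in owners:
        return {"status": "expected covering NSEC3, got an exact match", "name": qname}
    for i in range(1, len(names)):          # walk upwards to the first exact match
        if h(names[i]) in owners:
            ce, nc = names[i], names[i - 1]
            break
    else:
        return {"status": "no closest encloser"}
    if not covered(nc):
        return {"status": "next closer not covered", "closest_encloser": ce, "next_closer": nc}
    wildcard = "*." + ce
    if h(wildcard) in owners or not covered(wildcard):
        return {"status": "wildcard not proven absent", "closest_encloser": ce}
    return {"status": "ok", "closest_encloser": ce, "next_closer": nc}


if __name__ == "__main__":
    # The three NSEC3 records from the dig output in the report, checked against its query.
    REPORTED = [
        "35pepqepd9ul7fki3jcs2vpvls8ih0gp.219.in-addr.arpa. 3600 IN NSEC3 1 0 0 B1F1582EE4C1C00E 35QI8BUPBI5P0QV1ELH0LFU5FFI7B6FV NS SOA RRSIG DNSKEY NSEC3PARAM CDS CDNSKEY",
        "fh8mjjh4v2golfmkc74nr1e2hhvu0q13.219.in-addr.arpa. 3600 IN NSEC3 1 0 0 B1F1582EE4C1C00E FHAOH0KTDD3JC53N1N4N5IJN8J8R7OL2",
        "9n0gmqaqvn30poat850s18p0l1lvbcjr.219.in-addr.arpa. 3600 IN NSEC3 1 0 0 B1F1582EE4C1C00E 9NR6453MB01I95UD6V3BTVQ1BR05LBGD NS",
    ]
    parsed = [parse_nsec3_line(line) for line in REPORTED]
    recs = [(p["owner"], p["next"]) for p in parsed]
    print(check_nxdomain_proof("185.7.158.219.in-addr.arpa", "219.in-addr.arpa",
                               recs, parsed[0]["salt"], parsed[0]["iterations"]))
```

With a complete, correctly generated chain the proof for a non-existent name always succeeds, since every hash that is not an owner is covered by exactly one record. A "got an exact match" verdict therefore means either that the name is in the chain (it exists, or is an empty non-terminal) or that the response carried a record matching the name where the proof needed one covering it; separating those two cases is what makes the log line worth investigating rather than dismissing.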