Hi,
We have come across an issue regarding the negative response for a zone with few NSEC3 RRs, after processing an IXFR where all NSEC3 RRs are removed and then added (unchanged). We managed to reproduce this issue on a zone with two NSEC3 RRs (Opt-Out).
Given the following zone:
rio. 172800 IN SOA a.dns.br. hostmaster.registro.br. (
2021099481 ; serial
1800 ; refresh (30 minutes)
900 ; retry (15 minutes)
604800 ; expire (1 week)
900 ; minimum (15 minutes)
)
rio. 21600 IN DNSKEY 256 3 13 (
sByNPB9zeYNUG9tqS4J+jYmg+62mCT/SILgmKZLa8ZUo
XLZEDWBSAZv8+e4nEinsvPPtQ15DaWm0vA2oz1v7CA==
) ; ZSK; alg = ECDSAP256SHA256 ; key id = 11785
rio. 21600 IN DNSKEY 257 3 13 (
jBWA/GVSitmW8erjfZc6plKFXq2j8OOR5FR+3qgAz8nM
8yW4+8egKfNOfV1ynbGKAzOzyiC3xuGm7x3RfPXmNg==
) ; KSK; alg = ECDSAP256SHA256 ; key id = 14600
rio. 172800 IN NSEC3PARAM 1 0 10 5006EC564A930C4C53DB
rio. 172800 IN NS a.dns.br.
rio. 172800 IN NS b.dns.br.
rio. 172800 IN NS c.dns.br.
rio. 172800 IN NS d.dns.br.
rio. 172800 IN NS e.dns.br.
rio. 172800 IN NS f.dns.br.
rio. 21600 IN RRSIG DNSKEY 13 1 21600 (
20210615000000 20210310000000 14600 rio.
VhfBfqx+zOXwch2WyBTtCxX2HHPLqeIgEXs5sj9Pj+1n
k83zGz84ON72G6uhN9DqaAa3BUUZE3f3j4wSJ9bjzA== )
rio. 172800 IN RRSIG SOA 13 1 172800 (
20210424200219 20210409190219 11785 rio.
ZSDKfxbNUhQXI2bdcbPHlsotG0tWdH3F3D939LBcAyqI
cUKfvtxkgkgEH63uj9KEE1YN9YWD1+b1wUOHDtR8Yw== )
rio. 172800 IN RRSIG NSEC3PARAM 13 1 172800 (
20210424200219 20210409190219 11785 rio.
MBSMfyrW0rmJawhAWGB5NlpQkv3ZINBgTHC1pTz7eD0y
MYP16KbL3TTTtAR9Gaaejk7UStP250twiXAQZDTLFA== )
rio. 172800 IN RRSIG NS 13 1 172800 (
20210424200219 20210409190219 11785 rio.
PEkrG9YkGEeV1WCuDuY3xIJ7feV9DEsEaCKhHIGG8p+z
jzsfSppL2h1Gy/yF/THG9vPa7S5LU+s0X1YCNsVyjw== )
brt.rio. 3600 IN NS ns2.brtrio.com.
brt.rio. 3600 IN NS ns1.brtrio.com.
nic.rio. 3600 IN NS ns.dns.br.
nic.rio. 3600 IN NS ns2.dns.br.
nic.rio. 3600 IN DS 45166 13 2 (
84CC4DC83A94C808CF0A030DD07F5F2B1AA1B5517CE9
99677E9A44FCC90E1000 )
nic.rio. 3600 IN RRSIG DS 13 2 3600 (
20210424200219 20210409190219 11785 rio.
z0lZFQlHpjvfqqaHtD9ZGN5/BMqk40wY8PGUV9LhaG73
WFHRgzIAI+GHU4qZs7pUwBJ0xptNeZo3LHe8uvn2ag== )
1ne8em00atu3f9c9o2pgcc1fb96mjohv.rio. 900 IN NSEC3 1 1 10 5006EC564A930C4C53DB (
KCSK2LKI1E9EJUOR0K1H6F3J9GU12FEG
NS DS RRSIG )
1ne8em00atu3f9c9o2pgcc1fb96mjohv.rio. 900 IN RRSIG NSEC3 13 2 900 (
20210424200219 20210409190219 11785 rio.
M/Y+0mZY7Qw/1gmtoI4e/DpFIKXUdlDVAlEAU7o4YY3C
jvrp2XHCDZNNw+cqWl+ui232DfjF/hS/MZ/LmyUdkw== )
kcsk2lki1e9ejuor0k1h6f3j9gu12feg.rio. 900 IN NSEC3 1 1 10 5006EC564A930C4C53DB (
1NE8EM00ATU3F9C9O2PGCC1FB96MJOHV
NS SOA RRSIG DNSKEY NSEC3PARAM )
kcsk2lki1e9ejuor0k1h6f3j9gu12feg.rio. 900 IN RRSIG NSEC3 13 2 900 (
20210424200219 20210409190219 11785 rio.
q0NfjbHJoFq/NXZOClskXF8LVJQEN59SvnmHlQx53Prf
oA1c36eo7ApZ5oH2NTXetywLp6m97WG8uyMz/Uw4QQ== )
When queried for brt.rio NS +dnssec, we get the response below (note that both NSEC3 are present):
;; QUESTION SECTION:
;brt.rio. IN NS
;; AUTHORITY SECTION:
brt.rio. 3600 IN NS ns2.brtrio.com.
brt.rio. 3600 IN NS ns1.brtrio.com.
kcsk2lki1e9ejuor0k1h6f3j9gu12feg.rio. 900 IN NSEC3 1 1 10 5006EC564A930C4C53DB (
1NE8EM00ATU3F9C9O2PGCC1FB96MJOHV
NS SOA RRSIG DNSKEY NSEC3PARAM )
kcsk2lki1e9ejuor0k1h6f3j9gu12feg.rio. 900 IN RRSIG NSEC3 13 2 900 (
20210424200219 20210409190219 11785 rio.
q0NfjbHJoFq/NXZOClskXF8LVJQEN59SvnmHlQx53Prf
oA1c36eo7ApZ5oH2NTXetywLp6m97WG8uyMz/Uw4QQ== )
1ne8em00atu3f9c9o2pgcc1fb96mjohv.rio. 900 IN NSEC3 1 1 10 5006EC564A930C4C53DB (
KCSK2LKI1E9EJUOR0K1H6F3J9GU12FEG
NS DS RRSIG )
1ne8em00atu3f9c9o2pgcc1fb96mjohv.rio. 900 IN RRSIG NSEC3 13 2 900 (
20210424200219 20210409190219 11785 rio.
M/Y+0mZY7Qw/1gmtoI4e/DpFIKXUdlDVAlEAU7o4YY3C
jvrp2XHCDZNNw+cqWl+ui232DfjF/hS/MZ/LmyUdkw== )
after processing the following IXFR (note that both NSEC3 are removed then added back again with no changes):
rio. 172800 IN SOA a.dns.br. hostmaster.registro.br. (
2021099482 ; serial
1800 ; refresh (30 minutes)
900 ; retry (15 minutes)
604800 ; expire (1 week)
900 ; minimum (15 minutes)
)
rio. 172800 IN SOA a.dns.br. hostmaster.registro.br. (
2021099481 ; serial
1800 ; refresh (30 minutes)
900 ; retry (15 minutes)
604800 ; expire (1 week)
900 ; minimum (15 minutes)
)
kcsk2lki1e9ejuor0k1h6f3j9gu12feg.rio. 900 IN RRSIG NSEC3 13 2 900 (
20210424200219 20210409190219 11785 rio.
q0NfjbHJoFq/NXZOClskXF8LVJQEN59SvnmHlQx53Prf
oA1c36eo7ApZ5oH2NTXetywLp6m97WG8uyMz/Uw4QQ== )
kcsk2lki1e9ejuor0k1h6f3j9gu12feg.rio. 900 IN NSEC3 1 1 10 5006EC564A930C4C53DB (
1NE8EM00ATU3F9C9O2PGCC1FB96MJOHV
NS SOA RRSIG DNSKEY NSEC3PARAM )
nic.rio. 3600 IN RRSIG DS 13 2 3600 (
20210424200219 20210409190219 11785 rio.
z0lZFQlHpjvfqqaHtD9ZGN5/BMqk40wY8PGUV9LhaG73
WFHRgzIAI+GHU4qZs7pUwBJ0xptNeZo3LHe8uvn2ag== )
rio. 172800 IN RRSIG SOA 13 1 172800 (
20210424200219 20210409190219 11785 rio.
ZSDKfxbNUhQXI2bdcbPHlsotG0tWdH3F3D939LBcAyqI
cUKfvtxkgkgEH63uj9KEE1YN9YWD1+b1wUOHDtR8Yw== )
rio. 172800 IN RRSIG NSEC3PARAM 13 1 172800 (
20210424200219 20210409190219 11785 rio.
MBSMfyrW0rmJawhAWGB5NlpQkv3ZINBgTHC1pTz7eD0y
MYP16KbL3TTTtAR9Gaaejk7UStP250twiXAQZDTLFA== )
rio. 172800 IN RRSIG NS 13 1 172800 (
20210424200219 20210409190219 11785 rio.
PEkrG9YkGEeV1WCuDuY3xIJ7feV9DEsEaCKhHIGG8p+z
jzsfSppL2h1Gy/yF/THG9vPa7S5LU+s0X1YCNsVyjw== )
1ne8em00atu3f9c9o2pgcc1fb96mjohv.rio. 900 IN RRSIG NSEC3 13 2 900 (
20210424200219 20210409190219 11785 rio.
M/Y+0mZY7Qw/1gmtoI4e/DpFIKXUdlDVAlEAU7o4YY3C
jvrp2XHCDZNNw+cqWl+ui232DfjF/hS/MZ/LmyUdkw== )
1ne8em00atu3f9c9o2pgcc1fb96mjohv.rio. 900 IN NSEC3 1 1 10 5006EC564A930C4C53DB (
KCSK2LKI1E9EJUOR0K1H6F3J9GU12FEG
NS DS RRSIG )
rio. 172800 IN SOA a.dns.br. hostmaster.registro.br. (
2021099482 ; serial
1800 ; refresh (30 minutes)
900 ; retry (15 minutes)
604800 ; expire (1 week)
900 ; minimum (15 minutes)
)
emporiodosoculos.rio. 3600 IN NS ns01.one.com.
emporiodosoculos.rio. 3600 IN NS ns02.one.com.
scenalaguna.rio. 3600 IN NS ns02.one.com.
scenalaguna.rio. 3600 IN NS ns01.one.com.
volpi.rio. 3600 IN NS ns01.one.com.
volpi.rio. 3600 IN NS ns02.one.com.
kcsk2lki1e9ejuor0k1h6f3j9gu12feg.rio. 900 IN RRSIG NSEC3 13 2 900 (
20210424200456 20210409190456 11785 rio.
jHyxWA8CpTpvWIl4/pOmb+sLvx4h0Hs+SAnR1BzVktz5
pMJfjBhnAmu1RC1gZVrP6XrYQ1gO3w7ODxXYmjGtxQ== )
kcsk2lki1e9ejuor0k1h6f3j9gu12feg.rio. 900 IN NSEC3 1 1 10 5006EC564A930C4C53DB (
1NE8EM00ATU3F9C9O2PGCC1FB96MJOHV
NS SOA RRSIG DNSKEY NSEC3PARAM )
1ne8em00atu3f9c9o2pgcc1fb96mjohv.rio. 900 IN RRSIG NSEC3 13 2 900 (
20210424200456 20210409190456 11785 rio.
2fneXy3c6EQNJuZ+FAYAsTT237tC4b5fYplGXS2KlxpO
KHD7+Ujv+I0Ip9qUwJuHodwHoPqOJ3vtc+YJgnH+5g== )
1ne8em00atu3f9c9o2pgcc1fb96mjohv.rio. 900 IN NSEC3 1 1 10 5006EC564A930C4C53DB (
KCSK2LKI1E9EJUOR0K1H6F3J9GU12FEG
NS DS RRSIG )
rio. 172800 IN RRSIG NS 13 1 172800 (
20210424200456 20210409190456 11785 rio.
r9hax8kaGlGJbemPCLqq08LMKGvp2CXr924cyUATDPAx
F1GLtoe1Ws/7AvZR4MOn5OzhLO9tgHLx77XCSdHNEg== )
rio. 172800 IN RRSIG SOA 13 1 172800 (
20210424200456 20210409190456 11785 rio.
2/9N0qRTassIh4cclCLyiwc11JNW6MwQUMWxAba8AzKU
8bKAoW+hdSLcv+6pMt9kvI/8A+4+rQ+D5f72kL8F+Q== )
rio. 172800 IN RRSIG NSEC3PARAM 13 1 172800 (
20210424200456 20210409190456 11785 rio.
CU+VJw2riFnTyY1OxJV6BIO2TX9AprtXSS4JU5/225js
TjGOso6/+L56csn4ONqXNXKDacTQUtq2MoZKOvzcjg== )
nic.rio. 3600 IN RRSIG DS 13 2 3600 (
20210424200456 20210409190456 11785 rio.
fgGTdBo+idrgbtQnxFGdq3nZTeMupyHvo7FHRRlzxTlV
kte4MbEbRf+a8m8SNZJSNNbjnZxrjIKkF1lQjuUaTA== )
sobrepisos.rio. 3600 IN NS ns01.one.com.
sobrepisos.rio. 3600 IN NS ns02.one.com.
rio. 172800 IN SOA a.dns.br. hostmaster.registro.br. (
2021099482 ; serial
1800 ; refresh (30 minutes)
900 ; retry (15 minutes)
604800 ; expire (1 week)
900 ; minimum (15 minutes)
)
Even though the IXFR seems to be processed successfully, the same query for brt.rio NS +dnssec now returns:
;; QUESTION SECTION:
;brt.rio. IN NS
;; AUTHORITY SECTION:
brt.rio. 3600 IN NS ns2.brtrio.com.
brt.rio. 3600 IN NS ns1.brtrio.com.
kcsk2lki1e9ejuor0k1h6f3j9gu12feg.rio. 900 IN NSEC3 1 1 10 5006EC564A930C4C53DB (
1NE8EM00ATU3F9C9O2PGCC1FB96MJOHV
NS SOA RRSIG DNSKEY NSEC3PARAM )
kcsk2lki1e9ejuor0k1h6f3j9gu12feg.rio. 900 IN RRSIG NSEC3 13 2 900 (
20210424200456 20210409190456 11785 rio.
jHyxWA8CpTpvWIl4/pOmb+sLvx4h0Hs+SAnR1BzVktz5
pMJfjBhnAmu1RC1gZVrP6XrYQ1gO3w7ODxXYmjGtxQ== )
With only one NSEC3, the negative response fails to validate. This
seems to be directly related to the processing of the IXFR. If an AXFR
is forced or the server is restarted, it starts responding correctly.
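To make the failure concrete, here is an added validation check (example code written for this report, not part of the issue or of the server's code base) that recomputes the NSEC3 hashes with the zone's NSEC3PARAM (SHA-1, 10 iterations, salt 5006EC564A930C4C53DB) and applies the RFC 5155 opt-out delegation proof to the two responses: the response containing both NSEC3 RRs passes, while the post-IXFR response with only the apex NSEC3 has no record covering the next closer name brt.rio and is rejected. The NSEC3 tuples are transcribed from the responses above.

```python
import base64
import hashlib

# NSEC3 parameters taken from the rio. NSEC3PARAM RR in the report (hash alg 1 = SHA-1)
SALT = bytes.fromhex("5006EC564A930C4C53DB")
ITERATIONS = 10

def wire_name(name: str) -> bytes:
    """Canonical wire form of a fully-qualified name: lowercased, length-prefixed labels."""
    labels = [l.encode() for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def nsec3_hash(name: str, salt: bytes = SALT, iterations: int = ITERATIONS) -> str:
    """RFC 5155 section 5: H(name || salt), rehashed `iterations` more times, base32hex."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    std = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"          # RFC 4648 base32 alphabet
    hexalpha = "0123456789ABCDEFGHIJKLMNOPQRSTUV"     # base32hex alphabet used by NSEC3
    return base64.b32encode(digest).decode().translate(str.maketrans(std, hexalpha))

def covers(owner_hash: str, next_hash: str, h: str) -> bool:
    """True if h lies strictly inside (owner, next); the last NSEC3 wraps to the first."""
    o, n, h = owner_hash.upper(), next_hash.upper(), h.upper()
    if o < n:
        return o < h < n
    return h > o or h < n

def check_optout_delegation(zone: str, qname: str, nsec3s):
    """Opt-out delegation proof (RFC 5155 section 7.2.4) over the NSEC3 RRs of a response.
    nsec3s: list of (owner_hash, opt_out_flag, next_hash). Returns (ok, reason)."""
    ce, nc = nsec3_hash(zone), nsec3_hash(qname)
    if not any(o.upper() == ce for o, _, _ in nsec3s):
        return False, "no NSEC3 matching closest encloser %s" % zone
    for o, optout, n in nsec3s:
        if covers(o, n, nc):
            if not optout:
                return False, "covering NSEC3 lacks the opt-out flag"
            return True, "proof complete"
    return False, "no NSEC3 covering next closer name %s (hash %s)" % (qname, nc)

# NSEC3 RRs from the two responses in the report; flags field 1 = opt-out set
BEFORE = [("KCSK2LKI1E9EJUOR0K1H6F3J9GU12FEG", True, "1NE8EM00ATU3F9C9O2PGCC1FB96MJOHV"),
          ("1NE8EM00ATU3F9C9O2PGCC1FB96MJOHV", True, "KCSK2LKI1E9EJUOR0K1H6F3J9GU12FEG")]
AFTER = BEFORE[:1]  # after the IXFR only the apex NSEC3 is returned

if __name__ == "__main__":
    print("before IXFR:", check_optout_delegation("rio.", "brt.rio.", BEFORE))
    print("after IXFR: ", check_optout_delegation("rio.", "brt.rio.", AFTER))
```

The hash of rio. equals the owner of the NSEC3 carrying SOA/DNSKEY/NSEC3PARAM and the hash of nic.rio. equals the owner of the one carrying DS, which confirms the parameters before the proof is evaluated.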