Server seems to occasionally duplicate NSEC-related records
Zone:
;; Zone dump (Knot DNS 2.1.0-dev)
nsec.example. 3600 SOA ns.nsec.example. root.nsec.example. 6 60 60 120 3600
nsec.example. 3600 NS ns.nsec.example.
nsec.example. 3600 A 127.0.0.3
nsec.example. 3600 AAAA ::3
nsec.example. 3600 MX 10 mail.nsec.example.
nsec.example. 3600 DNSKEY 256 3 13 HA6nKf+X7/mYkmmRO8qS2tIKT0B60P7COAiRs25xKs/rAP+tDtGWkrkGNQx2D3ajccC9whjRaKz2JVS3ItTFQg==
alias.nsec.example. 3600 CNAME test.nsec.example.
*.local.nsec.example. 3600 A 127.0.0.3
*.local.nsec.example. 3600 AAAA ::3
loop.nsec.example. 3600 CNAME loop.nsec.example.
mail.nsec.example. 3600 A 0.0.0.0
mail.nsec.example. 3600 AAAA ::
multiple.nsec.example. 3600 A 10.0.0.2
multiple.nsec.example. 3600 A 10.0.0.3
multiple.nsec.example. 3600 AAAA ::3
ns.nsec.example. 3600 A 127.0.0.3
ns.nsec.example. 3600 AAAA ::3
www.nsec.example. 3600 A 10.0.0.1
;; DNSSEC signatures
nsec.example. 3600 RRSIG A 13 2 3600 20151015124917 20150915124917 54343 nsec.example. hLlwRtPyFw5jqcq/myfOfxZ5wmILgJqQK5XbT8ufTaoHWMY9FqW5ws2K0BscozMThIq5wNguaCFVQA7RbSnSig==
nsec.example. 3600 RRSIG NS 13 2 3600 20151015124917 20150915124917 54343 nsec.example. 6s75LEuylIKAxqAbcPmmnkOMC7jxF6cPZGW5EFbhOOeR63ENyh642GE171WtJc7Ta4Y/PsnAT+/dTv8NSTDCHQ==
nsec.example. 3600 RRSIG SOA 13 2 3600 20151017113144 20150917113144 54343 nsec.example. /3orb3cezQbBCZsFP9rx6Col9AB2QxHQtzQ32BYe09MfN7YZxtTE/HZJaSXGWD3D7sLBdEkg8TGP8JPQtbW2yQ==
nsec.example. 3600 RRSIG MX 13 2 3600 20151015124917 20150915124917 54343 nsec.example. RYOsPgRNt9dpQvE7a40uzbClaM5/qg7jFvhUFAWBTFFiPOgKi2j/Y8vBwYsqrZW1+kHt14ZzriU5EzynaacfUQ==
nsec.example. 3600 RRSIG AAAA 13 2 3600 20151015124917 20150915124917 54343 nsec.example. koNVJQl4nhUS2AnGIZiVryY27ulxvclxdSCgqWH6hX8K5aKdB9HWLIe5sL5WuevxVA+D22IQ/d+dEWPXNS54yg==
nsec.example. 3600 RRSIG NSEC 13 2 3600 20151015124917 20150915124917 54343 nsec.example. STcV7Lc1a794i9DTgflI+d0N0KXTMws0G8VGc0Wo4tVI8lvFJcG1SFXW/jJaXkQstdZ2EM63fIs/u1hhBaV2Gw==
nsec.example. 3600 RRSIG DNSKEY 13 2 3600 20151015124917 20150915124917 54343 nsec.example. 965Mfxs1QtgxwzyhfxXyKyOZ9iT1DXpvypBBR10sLyjHe/w7cRhgcyevCza6K+2jJwHJBmbknc3Qhi+1dd+AJw==
alias.nsec.example. 3600 RRSIG CNAME 13 3 3600 20151015124917 20150915124917 54343 nsec.example. Xw+gy2iHH/u9s3zos3Gb2HzTHpEsNrpSWJz3kRm2Bmv47PRaPiH2ZFqsgn0RuND9nE5OLvSGXd3VwwuSlUMcgg==
alias.nsec.example. 3600 RRSIG NSEC 13 3 3600 20151015124917 20150915124917 54343 nsec.example. isUjSpDPDEYmSdbWzIpU7+m/Xa9S00TruxYv68FwRK1JVlta9OkUXRDbe4UMH9Mz8HsntYIa5NK+uCJr+i+o/g==
*.local.nsec.example. 3600 RRSIG A 13 3 3600 20151017113004 20150917113004 54343 nsec.example. 5hYzdWDetMJ5h9nrbgFBOQliFc+HH7QAsS32CzpXGHd2rpbr3OvzNDqPbvvWD/9BPJ8nVFLnrgh+xfBqtYhUzA==
*.local.nsec.example. 3600 RRSIG AAAA 13 3 3600 20151015124917 20150915124917 54343 nsec.example. IctfHYXAbynbAnpzFSiq25S/YWsfKIwHDWganHFlf/kQTYtQjJzjfVQYAWualq6rUOn1gIR0Qte2JeuB26DF6A==
*.local.nsec.example. 3600 RRSIG NSEC 13 3 3600 20151017113004 20150917113004 54343 nsec.example. iMTPQUvd9v3W5qOMGZaTHBwjDpnb14S3FwZ2B1ry4G5ZEQzNC/mLGoexXqY2zBLFhs37KKSrmmWQZMOonTcYNw==
loop.nsec.example. 3600 RRSIG CNAME 13 3 3600 20151015124917 20150915124917 54343 nsec.example. clTJFlF0LEXMcgJkuFfSnvEJQxGlaoKjimmeD/C+2fuFtYobKIF12jrmCT8dUG7WtAK9tPhZX65U3S6JhGhh3A==
loop.nsec.example. 3600 RRSIG NSEC 13 3 3600 20151015124917 20150915124917 54343 nsec.example. K//El+bqaDy/yaEMsH17LpJuQv3LH4WYMWYrl764zFGJe/Rn6yxyGChK5tnQRJkaYcB1xScwD92/7ykZKLekdw==
mail.nsec.example. 3600 RRSIG A 13 3 3600 20151015124917 20150915124917 54343 nsec.example. y0pA/SgzXoQRIskLQj82nct6VwmwXus6ivPqrWE4Sm2oL1NrBccq4nJLJ2ZOy8Q7RWuZGTYMwov7N9d0oIu7Xw==
mail.nsec.example. 3600 RRSIG AAAA 13 3 3600 20151015124917 20150915124917 54343 nsec.example. jrE94LCz5T4JHZ12vLUV4A7IUz+6DecVHMErXX2ynYcelJ8GpjoKM+pE8XHsZZys3Hxin53Nlhspxv5m2nhRsA==
mail.nsec.example. 3600 RRSIG NSEC 13 3 3600 20151015124917 20150915124917 54343 nsec.example. kM+Z63RDn377szwbOqPPinkH98BuCljY7hoeM8jGJcnQ90fA3NFi72Jgk/0T1bo4r0cNMn6lm9OUotawa6BOqw==
multiple.nsec.example. 3600 RRSIG A 13 3 3600 20151015124917 20150915124917 54343 nsec.example. WeCFjjJ2dF6XuZ43JWIBGW6MgFQ0d0uQG2LgMi+bUfQ7u4QG1W7tADHpBLOpqACFnHOg+eMhTnTvGhXxkqZrJA==
multiple.nsec.example. 3600 RRSIG AAAA 13 3 3600 20151015124917 20150915124917 54343 nsec.example. WAJphN5x3gOMsJ0INCyoHSzmjKfNGumtOU5H5cpiUCfOO4pj6Q1VT98L4GLIOc5i2TQTwDS8LWKo6j5xWrkElQ==
multiple.nsec.example. 3600 RRSIG NSEC 13 3 3600 20151015124917 20150915124917 54343 nsec.example. Xk9/i4wSnuzGiHz4FOIUpeLU8RqD95HyF4E+vZxIWxDh27pa3XF8TRgD2ygopkwqwqmK/Y3y7OlHzzDqrSYNgg==
ns.nsec.example. 3600 RRSIG A 13 3 3600 20151015124917 20150915124917 54343 nsec.example. oJpF87bjXR0DjIoNvEAo+Wu+p9jF+URX5lxi+g53OFCX1Q1lxqj5ujGdKOPsNAbKvTCsoFFW4tQyhCYJYD1HlQ==
ns.nsec.example. 3600 RRSIG AAAA 13 3 3600 20151015124917 20150915124917 54343 nsec.example. +1hyH8RvjDOFcB20OY2dqhkvBMNIvFg0ZhptiOTejQWvxBfjsyeUDjWptR6alHmSnz/F/HnM5WLMPp4yv7Do4w==
ns.nsec.example. 3600 RRSIG NSEC 13 3 3600 20151015124917 20150915124917 54343 nsec.example. vTSEgfyrqYdeSBT9AreN4fI4Xl1fkGvvzw/7rtcFzYhb8RwemWniWiG1qlJYmM9mn8shDWkUkM3DPaGgiyeIzw==
www.nsec.example. 3600 RRSIG A 13 3 3600 20151015124917 20150915124917 54343 nsec.example. F+3erpTS/tzTcuG3bagnk4sgDOqmI3yztFXJHtkqRU5EIFxKCEDtq8YccgJQ/P+DnyrcXhF5SQGpkuZz9h/JtA==
www.nsec.example. 3600 RRSIG NSEC 13 3 3600 20151015124917 20150915124917 54343 nsec.example. A8qhfxuDn8JOsacK0czIsEYHbiHZTGN8t5BHKDdmNjwr0kojSI9yKYt9LAAQ4p7cj02qRrzeiiNExoHL57AUmQ==
;; DNSSEC NSEC chain
nsec.example. 3600 NSEC alias.nsec.example. A NS SOA MX AAAA RRSIG NSEC DNSKEY
alias.nsec.example. 3600 NSEC *.local.nsec.example. CNAME RRSIG NSEC
*.local.nsec.example. 3600 NSEC loop.nsec.example. A AAAA RRSIG NSEC
loop.nsec.example. 3600 NSEC mail.nsec.example. CNAME RRSIG NSEC
mail.nsec.example. 3600 NSEC multiple.nsec.example. A AAAA RRSIG NSEC
multiple.nsec.example. 3600 NSEC ns.nsec.example. A AAAA RRSIG NSEC
ns.nsec.example. 3600 NSEC www.nsec.example. A AAAA RRSIG NSEC
www.nsec.example. 3600 NSEC nsec.example. A RRSIG NSEC
;; Written 51 records
;; Time 2015-09-17 13:31:44 CEST
When asking for MX aaa.local.nsec.example., both dig and kdig reply with:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 65099
;; Flags: qr aa rd; QUERY: 1; ANSWER: 0; AUTHORITY: 6; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 4096 B; ext-rcode: Unused
;; QUESTION SECTION:
;; aaa.local.nsec.example. IN MX
;; AUTHORITY SECTION:
nsec.example. 3600 IN SOA ns.nsec.example. root.nsec.example. 6 60 60 120 3600
*.local.nsec.example. 3600 IN NSEC loop.nsec.example. A AAAA RRSIG NSEC
*.local.nsec.example. 3600 IN NSEC loop.nsec.example. A AAAA RRSIG NSEC
nsec.example. 3600 IN RRSIG SOA 13 2 3600 20151017113144 20150917113144 54343 nsec.example. /3orb3cezQbBCZsFP9rx6Col9AB2QxHQtzQ32BYe09MfN7YZxtTE/HZJaSXGWD3D7sLBdEkg8TGP8JPQtbW2yQ==
*.local.nsec.example. 3600 IN RRSIG NSEC 13 3 3600 20151017113004 20150917113004 54343 nsec.example. iMTPQUvd9v3W5qOMGZaTHBwjDpnb14S3FwZ2B1ry4G5ZEQzNC/mLGoexXqY2zBLFhs37KKSrmmWQZMOonTcYNw==
*.local.nsec.example. 3600 IN RRSIG NSEC 13 3 3600 20151017113004 20150917113004 54343 nsec.example. iMTPQUvd9v3W5qOMGZaTHBwjDpnb14S3FwZ2B1ry4G5ZEQzNC/mLGoexXqY2zBLFhs37KKSrmmWQZMOonTcYNw==
;; Received 501 B
;; Time 2015-09-21 15:34:09 CEST
;; From 127.0.0.3@53(UDP) in 0.0 ms
It seems that the problem is related to gathering records for the wildcard no-data response. The server must include records to prove two things:
- the wildcard does not match the type
- there is no closer match

In the example, both situations can be proven by a single NSEC record, and that is the duplicated one.
I've observed the behaviour on a version taken from master (fbc2e64b).
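
The two proofs described in the report, worked through for the query above. This is an added example, not Knot DNS code and not part of the original report: the NSEC chain is copied from the zone dump, while the function names and the simplified source-of-synthesis lookup are assumptions made for illustration.

```python
# Added example (not Knot DNS code). NSEC chain copied from the zone dump:
# owner -> (next owner, types present at owner).
NSEC_CHAIN = {
    "nsec.example.": ("alias.nsec.example.", "A NS SOA MX AAAA RRSIG NSEC DNSKEY"),
    "alias.nsec.example.": ("*.local.nsec.example.", "CNAME RRSIG NSEC"),
    "*.local.nsec.example.": ("loop.nsec.example.", "A AAAA RRSIG NSEC"),
    "loop.nsec.example.": ("mail.nsec.example.", "CNAME RRSIG NSEC"),
    "mail.nsec.example.": ("multiple.nsec.example.", "A AAAA RRSIG NSEC"),
    "multiple.nsec.example.": ("ns.nsec.example.", "A AAAA RRSIG NSEC"),
    "ns.nsec.example.": ("www.nsec.example.", "A AAAA RRSIG NSEC"),
    "www.nsec.example.": ("nsec.example.", "A RRSIG NSEC"),
}


def canon_key(name):
    """RFC 4034 section 6.1 canonical order: lowercased labels, rightmost first."""
    return [label.encode() for label in reversed(name.lower().rstrip(".").split("."))]


def covering_nsec(name):
    """Owner of the NSEC whose (owner, next) interval contains a nonexistent name."""
    q = canon_key(name)
    for owner, (nxt, _types) in NSEC_CHAIN.items():
        lo, hi = canon_key(owner), canon_key(nxt)
        # The last NSEC points back to the apex, so its interval wraps around.
        if (lo < q < hi) if lo < hi else (q > lo or q < hi):
            return owner
    return None


def source_of_synthesis(qname):
    """Simplified lookup (assumption): first '*.<ancestor>' of qname that owns an NSEC."""
    labels = qname.split(".")
    for i in range(1, len(labels) - 1):
        candidate = "*." + ".".join(labels[i:])
        if candidate in NSEC_CHAIN:
            return candidate
    return None


def wildcard_nodata_proofs(qname, qtype):
    """NSEC owners needed for a wildcard no-data answer, one entry per proof."""
    wildcard = source_of_synthesis(qname)
    if wildcard is None or qtype in NSEC_CHAIN[wildcard][1].split():
        raise ValueError("not a wildcard no-data case")
    return [wildcard,               # proof 1: the wildcard has no qtype RRset
            covering_nsec(qname)]   # proof 2: no closer match for qname exists


def authority_nsecs(proofs):
    """Each NSEC RRset belongs in the authority section once: drop repeats, keep order."""
    return list(dict.fromkeys(proofs))
```

For MX aaa.local.nsec.example. both proofs resolve to the NSEC at *.local.nsec.example., so a response builder that appends one record per proof without the final de-duplication step produces the doubled NSEC and RRSIG seen in the reply.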