[Pdns-users] PowerDNS 3.0: Can't deal with multi-part NSEC mappings yet

[Peter van Dijk]

Hello Frederik,

On Sep 25, 2013, at 10:49 , Fredrik Roubert wrote:

> My ISP is running a slave DNS service, using PowerDNS 3.0 as this is the
> version included in Ubuntu 12.04 LTS. I've already read this post, about
> DNSSEC in 3.0 being "explicitly	deprecated":
> 
> http://mailman.powerdns.com/pipermail/pdns-users/2012-July/009099.html

Yes. This is not the only issue you will run into, and other issues may be more subtle.

> Transferring this DNSSEC signed zone, however, leads my ISP's PowerDNS
> to log error messages like this:
> 
> Sep 25 10:01:07 ns5 pdns[27445]: Unable to parse record during incoming AXFR of 'roubert.net' (MOADNSException): Can't deal with multi-part NSEC mappings yet
> 
> So this is clearly something in PowerDNS 3.0 that was fixed in 3.1:
> 
> http://wiki.powerdns.com/trac/changeset/2590
> http://doc.powerdns.com/html/changelog.html#changelog-auth-3-1
> 
> But what does it mean? What exactly is it in my configuration that makes
> PowerDNS 3.0 unable to handle it? Is it something I could change to make
> PowerDNS 3.0 play along as a slave server?


The only reason we've seen these multi-part mappings in practice is when BIND stores auto-signing metadata in private records with high TYPE numbers. You may be able to get rid of these by changing your BIND configuration - I'm not sure.

If that's not it, check your zone file for any lines containing TYPE in uppercase, or any entry over 255 in http://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-4

Kind regards,
-- 
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 841 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20130925/e6a5ae92/attachment-0001.sig>