[PR #2793] [MERGED] fix(dnssec): Include NSEC3PARAM in the covered RRSet list #3322

Closed
opened 2026-03-16 11:37:23 +03:00 by kerem · 0 comments

📋 Pull Request Information

Original PR: https://github.com/hickory-dns/hickory-dns/pull/2793
Author: @tinou98
Created: 2/21/2025
Status: Merged
Merged: 2/23/2025
Merged by: @djc

Base: main ← Head: sign_nsec3param


📝 Commits (1)

  • f7ac14a fix(dnssec): Include NSEC3PARAM in the covered RRSet list

📊 Changes

2 files changed (+202 additions, -11 deletions)


📝 crates/server/src/store/in_memory/authority.rs (+1 -0)
📝 tests/integration-tests/tests/integration/catalog_tests.rs (+201 -11)

📄 Description

When using NSEC3, the server returns an NSEC3 entry with a list of covered RRSets. But, as the NSEC3PARAM entry is dynamically generated, it's missing from the list.

When testing a zone with zonemaster, it complains with:

NSEC3 record for the zone apex with incorrect type list. Fetched from name servers "...".

In the detailed test procedure, this fails (6.5.3.5.2.1):

If the type list in the NSEC record matches at least one of the following criteria then add name server IP to the NSEC Incorrect Type List set:

  1. At least one of SOA, NS, DNSKEY, NSEC or RRSIG is missing.
  2. At least one of NSEC3PARAM or NSEC3 is included.

Source: DNSSEC10

This PR initializes the record_types list with the NSEC3PARAM RR that will be added at the end of the function, so it's included in the RRSet list.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
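The missing-type condition described above can be checked directly against the type bitmap of an apex NSEC3 record. The following is an added example, not code from the PR or from hickory-dns: it decodes the RFC 4034 section 4.1.2 bitmap and reports absent types. The function names, the sample bitmaps and the required-type set (the quoted NSEC criteria with NSEC3PARAM in place of NSEC) are assumptions.

```rust
use std::collections::BTreeSet;

// RR type codes from the IANA DNS parameters registry.
const NS: u16 = 2;
const SOA: u16 = 6;
const RRSIG: u16 = 46;
const DNSKEY: u16 = 48;
const NSEC3PARAM: u16 = 51;
// Assumption: types an apex NSEC3 type list is expected to carry.
const REQUIRED_AT_APEX: [u16; 5] = [NS, SOA, RRSIG, DNSKEY, NSEC3PARAM];

/// Decode a type bitmap (window, length, bitmap octets, repeated) into RR
/// type codes. Returns None on malformed input.
fn decode_type_bitmap(mut buf: &[u8]) -> Option<BTreeSet<u16>> {
    let mut types = BTreeSet::new();
    let mut prev_window: Option<u8> = None;
    while !buf.is_empty() {
        if buf.len() < 2 {
            return None;
        }
        let (window, len) = (buf[0], buf[1] as usize);
        // Windows strictly increase; each bitmap is 1..=32 octets long.
        let out_of_order = prev_window.map_or(false, |p| window <= p);
        if out_of_order || len == 0 || len > 32 || buf.len() < 2 + len {
            return None;
        }
        for (i, byte) in buf[2..2 + len].iter().enumerate() {
            for bit in 0..8u16 {
                // The most significant bit of octet 0 is type 0 of the window.
                if *byte & (0x80u8 >> bit) != 0 {
                    types.insert(((window as u16) << 8) | (i as u16 * 8 + bit));
                }
            }
        }
        prev_window = Some(window);
        buf = &buf[2 + len..];
    }
    Some(types)
}

/// Required apex types that are absent from the given bitmap.
fn missing_at_apex(bitmap: &[u8]) -> Option<Vec<u16>> {
    let present = decode_type_bitmap(bitmap)?;
    Some(REQUIRED_AT_APEX.iter().copied().filter(|t| !present.contains(t)).collect())
}

fn main() {
    // Constructed bitmaps: NS, SOA, RRSIG, DNSKEY, then the same plus NSEC3PARAM.
    let before: [u8; 9] = [0x00, 0x07, 0x22, 0, 0, 0, 0, 0x02, 0x80];
    let after: [u8; 9] = [0x00, 0x07, 0x22, 0, 0, 0, 0, 0x02, 0x90];
    println!("before: missing {:?}", missing_at_apex(&before));
    println!("after:  missing {:?}", missing_at_apex(&after));
}
```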
