DNS_ERROR_NSEC3_NAME_COLLISION - 9129 (0x23A9)
Hash collision detected during NSEC3 signing. Specify a different user-provided salt, or use a randomly generated salt, and attempt to sign the zone again.
Updated: Feb 21, 2026
Technical Background
The DNS_ERROR_NSEC3_NAME_COLLISION error code (9129, 0x23A9) is encountered during the process of signing a DNS zone using NSEC3 (Next Security Steps 3) records. This error indicates that a hash collision has occurred while attempting to sign the zone.
Error Details
When performing DNSSEC (Domain Name System Security Extensions) zone signing, the DNS server uses cryptographic hashes to ensure the integrity and authenticity of domain name records. NSEC3 is an extension to NSEC that provides additional security by obfuscating the list of non-existent domain names in a zone.
During the signing process, each record's hash value is calculated using a salt value. If two different domain names produce the same hash value (a collision), this error occurs because it indicates a potential issue with the chosen salt or the input data itself.
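The salted hash described above can be reproduced offline to check a zone's owner names against a candidate salt before signing. This is an added example, not code from this page or from the Windows DNS server. It assumes the RFC 5155 hash definition (SHA-1, NSEC3 hash algorithm 1); the zone names, salt and iteration count are constructed sample values, and `find_collisions` and `pick_salt` are hypothetical helper names.

```python
import base64
import hashlib
import secrets
from collections import defaultdict

# Standard base32 alphabet -> base32hex alphabet used for NSEC3 owner labels.
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name: str) -> bytes:
    """Canonical wire form: lowercase, length-prefixed labels, root terminator."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155: H(name || salt), then `iterations` further rounds of H(digest || salt)."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode().lower()


def find_collisions(names, salt, iterations, hash_fn=nsec3_hash):
    """Return {hash: [wire names]} for hashes shared by two or more distinct names."""
    buckets = defaultdict(set)
    for name in names:
        # Case variants of one name share a wire form, so they are not a collision.
        buckets[hash_fn(name, salt, iterations)].add(wire_name(name))
    return {h: sorted(v) for h, v in buckets.items() if len(v) > 1}


def pick_salt(names, iterations, length=8, attempts=16, hash_fn=nsec3_hash):
    """Draw random salts until one yields no collision for this set of names."""
    for _ in range(attempts):
        salt = secrets.token_bytes(length)
        if not find_collisions(names, salt, iterations, hash_fn):
            return salt
    raise RuntimeError("no collision-free salt found")


# Constructed sample zone; names and parameters follow the RFC 5155 example zone.
ZONE = ["example.", "a.example.", "ns1.example.", "*.w.example."]

if __name__ == "__main__":
    salt = bytes.fromhex("aabbccdd")
    for n in ZONE:
        print(nsec3_hash(n, salt, 12), n)
    print("collisions:", find_collisions(ZONE, salt, 12))
```

The `hash_fn` parameter exists only so the collision path can be exercised with a deliberately weak stand-in hash; with SHA-1 and realistic zone sizes, the collision result is expected to be empty.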
Common Causes
- Invalid parameter values: Incorrectly configured salt values can lead to collisions.
- Incorrect object type: The operation is being performed on an incorrect type of DNS record, which may not support NSEC3 signing.
- Exceeding limits: The number of domain names or the length of the salt value might exceed supported limits.
Real-World Context
This error typically occurs during the initial setup or maintenance of a DNS zone that requires DNSSEC. Administrators must ensure that all parameters are correctly configured to avoid such collisions.
Is This Error Critical?
The criticality of this error depends on the specific context in which it is encountered. While not immediately catastrophic, failing to resolve this issue can prevent the successful signing and validation of the DNS zone, leading to potential security vulnerabilities or operational disruptions.
How to Diagnose
- Review Operation Context: Ensure that the operation is being performed on a valid DNS zone.
- Validate Parameters: Check the salt value used in the NSEC3 signing process. A randomly generated salt might be necessary if a specific user-provided salt causes collisions.
- Confirm Object Types: Verify that all records are of the correct type and support NSEC3 signing.
How to Resolve
- Correct Parameter Usage: Adjust the salt value or use a different, randomly generated salt.
- Adjust Operation Context: Ensure that the operation is being performed in an appropriate context, such as during zone creation or update.
- Restore Data: If data corruption is suspected, restore from backups if available.
Developer Notes
Developers should be aware of the specific requirements and constraints when configuring NSEC3 signing for DNS zones. Proper validation and testing are crucial to avoid this error and ensure the security and integrity of the DNS zone.
Related Errors
- DNS_ERROR_NSEC_NAME_COLLISION (9128, 0x23A8): Similar issue but without the NSEC3 context.
- DNS_ERROR_ZONE_ALREADY_EXISTS (9145, 0x23E5): Indicates that a zone with the same name already exists.
FAQ
Q: What does DNS_ERROR_NSEC3_NAME_COLLISION mean?
A: It indicates a hash collision detected during NSEC3 signing. Ensure correct salt values and object types.
Q: How can I prevent this error?
A: Use appropriate salt values, validate parameters, and ensure correct object types before performing the operation.
Summary
The DNS_ERROR_NSEC3_NAME_COLLISION error is a specific issue encountered during DNSSEC zone signing. It requires careful parameter configuration to avoid hash collisions and maintain the security and integrity of the DNS zone. Proper diagnostic steps and resolution strategies are essential for effective management of this error.