Corrupt NSEC DATA on Yosemite. Yeah, Me Neither.

October 23, 2014 by Gabe

After moving to the released version of Yosemite from one of the many GM candidates[1], I started seeing a console warning that was hard to research. I saw it a lot. Hundreds of times a minute this message would appear in the console:

It was hard to research because there appears to be very little mention of the terminology outside of security research. Yeah, that started to make me concerned. I unfolded my tinfoil hat and rolled up my sleeves.

I thought there was a chance my router had been compromised. I have no time for a new research project, and if I did, this would not be the one I would choose. So I started a process of elimination that eventually provided a solution.

I use OpenDNS as a DNS provider on some of my computers. My Verizon FiOS router uses their own DNS, which is sometimes good but mostly not, and cannot be changed. Of course, my WiFi hotspots just get their DNS from my Verizon router, because why wouldn't you get your DNS from your ISP router like a sane person?

Changing all of my AirPort and Express and other WiFi hotspots to use OpenDNS fixed the console warnings. I suspect that the various Macs, even when connected over Ethernet, are still connecting to WiFi for things like Handoff with iOS 8. When they do that, they don't get a warm and fuzzy feeling about differences with DNS between themselves, the hotspot and the router.

Whatever the cause, I don't think I care anymore. I just wanted a console that shows something other than "CORRUPT NSEC RDATA". For example, DNSResolver messages.

  1. I believe GM now means GM Candidate. GM Candidate is the new term for beta and beta now means alpha, while alpha now means a drawing on a piece of paper.