[Opendnssec-develop] Re: [OpenDNSSEC] #60: Auditor croaks on APL RR
Olaf Kolkman
olaf at NLnetLabs.nl
Wed Dec 9 16:09:57 UTC 2009
On Dec 9, 2009, at 4:59 PM, OpenDNSSEC wrote:
> #60: Auditor croaks on APL RR
> ------------------------------+---------------------------------------------
> Reporter: olaf@… | Owner: alex
> Type: defect | Status: assigned
> Priority: major | Component: Auditor
> Version: trunk | Keywords:
> ------------------------------+---------------------------------------------
>
> Comment(by alex):
>
> I should point out that all types are supported if they are written in
> RFC3597 unknown type format (e.g. TYPE42, etc.). A quick fix would be to
> rewrite the APL record as a TYPE42 record.
>
> -
Yes, but no. The reason for the APL being in the format it is was because of parsing/wire compatibility testing.
More to the point the underlying request is to make the auditor more resilient against its library not supporting certain types when the signer library does support those types.
I believe that the auditor should in those cases just skip the tests and/or do some heuristic checks. If it comes to the type bitmap of the NSEC, bad luck, you cannot check the signature, but you can check signature parameters.
The auditor is there to help you, to prevent errors. Not to block you from getting things done.
Obviously, strong warnings are OK.
--Olaf
________________________________________________________
Olaf M. Kolkman NLnet Labs
Science Park 140,
http://www.nlnetlabs.nl/ 1098 XG Amsterdam
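
The TYPE42 rewrite suggested in the quoted ticket comment, as an added example that is not part of the original thread or of OpenDNSSEC's code: it converts APL RDATA from its RFC 3123 presentation form into the RFC 3597 unknown-type form. The function and constant names are hypothetical, and the sample record is the one from RFC 3123.

```ruby
require 'ipaddr'

# RFC 3123 address family numbers: predicate on IPAddr and maximum prefix length.
APL_FAMILIES = { 1 => [:ipv4?, 32], 2 => [:ipv6?, 128] }.freeze

# Encode one APL item ("[!]afi:address/prefix", RFC 3123) as wire-format bytes.
def apl_item_to_wire(item)
  m = %r{\A(!?)(\d+):([^/]+)/(\d+)\z}.match(item) or
    raise ArgumentError, "malformed APL item: #{item.inspect}"
  afi, prefix = m[2].to_i, m[4].to_i
  family_check, max_prefix = APL_FAMILIES[afi]
  raise ArgumentError, "unsupported address family #{afi}" unless family_check
  ip = IPAddr.new(m[3])
  raise ArgumentError, "address does not match family #{afi}" unless ip.send(family_check)
  raise ArgumentError, "prefix #{prefix} too long" if prefix > max_prefix

  octets = ip.hton.bytes
  octets.pop while octets.last == 0   # trailing zero octets are not sent
  n_bit = m[1].empty? ? 0 : 0x80      # negation flag shares a byte with the length
  [afi, prefix, n_bit | octets.length].pack('nCC') + octets.pack('C*')
end

# Render APL RDATA text as RFC 3597 unknown-type text: "TYPE42 \# <len> <hex>".
def apl_to_rfc3597(rdata_text)
  wire = rdata_text.split.map { |item| apl_item_to_wire(item) }.join
  return 'TYPE42 \# 0' if wire.empty?
  "TYPE42 \\# #{wire.bytesize} #{wire.unpack1('H*')}"
end

if __FILE__ == $PROGRAM_NAME
  # Sample RDATA taken from the examples in RFC 3123.
  puts apl_to_rfc3597('1:192.168.32.0/21 !1:192.168.38.0/28')
end
```

The returned string replaces the `APL <rdata>` part of the zone file line; owner name, TTL and class stay as they were.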