Fw: [Opendnssec-develop] Re: [OpenDNSSEC] #60: Auditor croaks on APL RR

Alexd at nominet.org.uk
Thu Dec 10 10:49:45 UTC 2009


Hi - 

Olaf has asked for the auditor to ignore types it does not support.

I've got code which does this (only changes about 20 lines of code) - but 
I'm not sure it will definitely work in all corner cases (e.g. unsigned 
file has type number, signed file has type name).

Do people think this should be supported?

If so, should it go in 1.0 or 1.1?

Thanks,


Alex.

----- Forwarded by Alex Dalitz/Nominet on 10/12/2009 09:55 -----

Olaf Kolkman <olaf at NLnetLabs.nl> 
Sent by: opendnssec-develop-bounces at lists.opendnssec.org
09/12/2009 16:09

To
"OpenDNSSEC" <owner-dnssec-trac at kirei.se>
cc
opendnssec-develop at lists.opendnssec.org
Subject
Re: [Opendnssec-develop] Re: [OpenDNSSEC] #60: Auditor croaks on APL RR

On Dec 9, 2009, at 4:59 PM, OpenDNSSEC wrote:

> #60: Auditor croaks on APL RR
> ------------------------------+---------------------------------------------
> Reporter:  olaf@?             |       Owner:  alex
>     Type:  defect             |      Status:  assigned
> Priority:  major              |   Component:  Auditor
>  Version:  trunk              |    Keywords:
> ------------------------------+---------------------------------------------
> 
> Comment(by alex):
> 
> I should point out that all types are supported if they are written in
> RFC3597 unknown type format (e.g. TYPE42, etc.). A quick fix would be to
> rewrite the APL record as a TYPE42 record.
> 
> -

yes, but no. The reason for the APL being in the format it is was because 
of parsing/wire compatibility testing.

More to the point the underlying request is to make the auditor more 
resilient against its library not supporting certain types when the signer 
library does support those types.

I believe that the auditor should in those cases just skip the tests 
and/or do some heuristic checks. If it comes to the type bitmap of the 
NSEC, bad luck, you cannot check the signature, but you can check 
signature parameters. 

The auditor is there to help you, to prevent errors. Not to block you from 
getting things done. 
Obviously, strong warnings are OK.

--Olaf


________________________________________________________ 

Olaf M. Kolkman                        NLnet Labs
                                       Science Park 140, 
http://www.nlnetlabs.nl/               1098 XG Amsterdam

_______________________________________________
Opendnssec-develop mailing list
Opendnssec-develop at lists.opendnssec.org
https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop
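The two points raised in the thread (comparing a mnemonic such as APL against its RFC 3597 "TYPE42" spelling when the unsigned and signed files use different forms, and skipping, with a warning, records whose type the auditor's library cannot parse instead of aborting) as an added illustration in plain Ruby. This is not code from the OpenDNSSEC auditor; the type table is a constructed subset of the IANA registry and LIBRARY_SUPPORTED is an assumed stand-in for what the auditor's library knows.

```ruby
require "set"

# Constructed subset of the IANA RR type registry (assumption: enough for the demo).
TYPE_NUMBERS = { "A" => 1, "NS" => 2, "SOA" => 6, "TXT" => 16, "APL" => 42,
                 "RRSIG" => 46, "NSEC" => 47, "DNSKEY" => 48 }.freeze
TYPE_NAMES = TYPE_NUMBERS.invert.freeze
# Assumed stand-in for the types the auditor's own library can parse (no APL).
LIBRARY_SUPPORTED = %w[A NS SOA TXT RRSIG NSEC DNSKEY].freeze

# Map a mnemonic ("APL") or an RFC 3597 unknown-type token ("TYPE42") to its
# numeric type code, so both spellings of the same type compare equal.
def type_code(token)
  t = token.to_s.strip.upcase
  if (m = t.match(/\ATYPE(\d{1,5})\z/))
    n = Integer(m[1], 10)
    raise ArgumentError, "type number out of range: #{t}" if n > 65_535
    return n
  end
  TYPE_NUMBERS.fetch(t) { raise ArgumentError, "unknown type mnemonic: #{t}" }
end

# Canonical presentation name: the mnemonic when known, else the RFC 3597 form.
def type_name(token)
  code = type_code(token)
  TYPE_NAMES.fetch(code, "TYPE#{code}")
end

# What the auditor does with a record of this type:
#   :check - the library parses the RDATA, run the full tests
#   :skip  - unsupported by the library, skip RDATA tests and warn
def audit_action(token)
  LIBRARY_SUPPORTED.include?(type_name(token)) ? :check : :skip
end

# Walk unsigned and signed records (constructed [owner, type, rdata] triples) and
# return a verdict per unsigned record: :check, :skip (warn), or :missing when no
# record of the same owner and type number exists in the signed zone.
def audit_records(unsigned, signed)
  signed_keys = signed.map { |owner, type, _| [owner.downcase, type_code(type)] }.to_set
  unsigned.each_with_object({}) do |(owner, type, _), verdicts|
    key = [owner.downcase, type_code(type)]
    label = "#{owner} #{type_name(type)}"
    verdicts[label] = signed_keys.include?(key) ? audit_action(type) : :missing
    warn "skipping #{label}: type not supported by auditor library" if verdicts[label] == :skip
  end
end
```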