[Opendnssec-develop] signature verification

Alexd at nominet.org.uk Alexd at nominet.org.uk
Fri Nov 27 11:23:37 UTC 2009

> So, I have added a signature check in the signer, right after libhsm
> returned it. This option adds about 19% latency on signature creation.
> Thus, we should make this option configurable.

I think, while there is a known bug in the signer which causes bad 
signatures to be returned, that this check should ALWAYS be on. Otherwise, 
OpenDNSSEC may sign zones with invalid signatures - and if the auditor is 
not enabled, then this will not be caught.

Of course, if the auditor is enabled, then the check is redundant.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opendnssec.org/pipermail/opendnssec-develop/attachments/20091127/310146e7/attachment.htm>

More information about the Opendnssec-develop mailing list