[Opendnssec-develop] signature verification
Alexd at nominet.org.uk
Fri Nov 27 11:23:37 UTC 2009
> So, I have added a signature check in the signer, right after libhsm
> returned it. This option adds about 19% latency on signature creation.
> Thus, we should make this option configurable.

I think, while there is a known bug in the signer which causes bad
signatures to be returned, that this check should ALWAYS be on. Otherwise,
OpenDNSSEC may sign zones with invalid signatures - and if the auditor is
not enabled, then this will not be caught.

Of course, if the auditor is enabled, then the check is redundant.

Alex.