[Opendnssec-develop] Testing for RC3, found a new zone to test with
Matthijs Mekking
matthijs at NLnetLabs.nl
Thu Jan 21 11:14:35 UTC 2010
It looks like the trailing dots are already in the unsigned zone file,
so from an ldns perspective that looks good.

I tested it on my machine, and I did not get these errors.

I did get a signature verification failure for the DNSKEY. It seems that
if there is a DNSKEY with a different TTL than //Keys/TTL, it is assumed
to be a different RRset. A fix will be committed soon.

Also, I got an error that the NAPTR record was not the same as in the
output zone, but I think it is a false report from the auditor:

Input:
all.rr.binary.org. IN NAPTR 100 10 "" ""
"/urn:cid:.+@([^\.]+\.)(.*)$/\2/i" .
Output (.finalized):
all.rr.binary.org. IN NAPTR 100 10 "" ""
"/urn:cid:.+@([^.]+.)(.*)$/2/i" .
Auditor believes output was:
all.rr.binary.org. IN NAPTR 100 10 "" ""
"/urn:cid:.+@[^.]+..*$/2/i .
Matthijs
Rickard Bellgrim wrote:
> Hi
>
> The ldns 1.6.4 has been released. So now I started to test everything
> once again. My normal zones just work great, but I found one extra zone
> in our SVN to test with, all.rr.binary.org.
>
> The Auditor did not like the result. But it looks like ldns is doing it
> right. The records are present in the signed zone, but with trailing
> dots in the rdata (which dnsruby seems to believe that they shouldn't).
>
> 3: Output zone does not contain non-DNSSEC RRSet : NS,
> \\.all.rr.binary.org. 60 IN NS ns1.example.com.\000
> 3: Output zone does not contain non-DNSSEC RRSet : TXT,
> selector._domainkey.all.rr.binary.org. 60 IN TXT
> "v=DKIM1; n=Use=20DKIM;
> p=AwEAAZfbYw8SffZwsbrCLbC+JLErREIF6Yfe9aqsa1Pz6tpGWiLxm9rSL6/YoBvNP3UWX91YDF0JMo6lhu3UIZjITvIwDhx+RJYko9vLzaaJKXGf3ygy6z+deWoZJAV1lTY0Ltx9genboe88CSCHw9aSLkh0obN9Ck8R6zAMYR19ciM/;
> t=s"
> 3: Output zone does not contain non-DNSSEC RRSet : SRV,
> _http._tcp.all.rr.binary.org. 60 IN SRV 0 5 80
> ns1.example.com
> 3: Output zone does not contain non-DNSSEC RRSet : MINFO,
> all.a{ll.all.rr.binary.org. 60 IN MINFO
> minfo-rmailbx.example.com minfo-emailbx.example.com
> 3: Output zone does not contain non-DNSSEC RRSet : PTR,
> foo.all.rr.binary.org. 60 IN PTR \000\\.ns1.all.rr.org
> 3: Output zone does not contain non-DNSSEC RRSet : CNAME,
> \032.foo\..all.rr.binary.org. 60 IN CNAME \\\\\..ns1.all.rr.org
> 3: Output zone does not contain non-DNSSEC RRSet : DNAME,
> frobozz.all.rr.binary.org. 60 IN DNAME
> frobozz-division.acme.example
> 3: Output zone does not contain non-DNSSEC RRSet : MB,
> nall.all.rr.binary.org. 60 IN MB mb-madname.\000.example.com
> 3: Output zone does not contain non-DNSSEC RRSet : A,
> ns1\..all.rr.binary.org. 60 IN A 10.1.0.52
> 3: Output zone does not contain non-DNSSEC RRSet : DS,
> sub.all.rr.binary.org. 60 IN DS 12345 DSA 1 (
> 123456789ABCDEF67890123456789ABCDEF67890 )
>
> So it looks to me that the problem is in dnsruby. We can have a release
> of RC3, but perhaps stating that the auditor has some problems with
> binary domain names.
>
> Or what do you say Matthijs?
>
> // Rickard
>
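An added example, not part of the original message and not code from OpenDNSSEC, ldns or dnsruby: decoding the RFC 1035 character-string escapes before comparing shows that the input and .finalized NAPTR regexp fields are the same octets, while the string the auditor reported is not. The function names are hypothetical, and treating a backslash followed by fewer than three digits (the `\2` here) as quoting the next character is an assumption chosen to match the .finalized output shown in the message.

```python
# Constructed from the three NAPTR regexp fields quoted in the message above.
INPUT = r"/urn:cid:.+@([^\.]+\.)(.*)$/\2/i"      # unsigned zone file
FINALIZED = "/urn:cid:.+@([^.]+.)(.*)$/2/i"      # signer output (.finalized)
AUDITOR = "/urn:cid:.+@[^.]+..*$/2/i"            # what the auditor reported

DIGITS = "0123456789"


def decode_char_string(text):
    """Decode the inside of a quoted zone-file <character-string> to octets.

    RFC 1035 section 5.1: \\DDD is the octet with decimal value DDD, and
    \\X (X not a digit) is the literal character X.
    """
    out = bytearray()
    i = 0
    while i < len(text):
        if text[i] != "\\":
            out += text[i].encode("latin-1")
            i += 1
            continue
        if i + 1 >= len(text):
            raise ValueError("dangling backslash at end of string")
        ddd = text[i + 1:i + 4]
        if len(ddd) == 3 and all(c in DIGITS for c in ddd):
            value = int(ddd)
            if value > 255:
                raise ValueError("escape \\%s is not a valid octet" % ddd)
            out.append(value)
            i += 4
        else:
            # Assumption: anything else quotes the next character, which
            # covers "\." and the "\2" seen in this record.
            out += text[i + 1].encode("latin-1")
            i += 2
    return bytes(out)


def first_difference(a, b):
    """Return the octet offset where two decoded strings diverge, or None."""
    da, db = decode_char_string(a), decode_char_string(b)
    if da == db:
        return None
    for offset, (x, y) in enumerate(zip(da, db)):
        if x != y:
            return offset
    return min(len(da), len(db))


if __name__ == "__main__":
    print("input vs .finalized:", first_difference(INPUT, FINALIZED))
    print("input vs auditor:   ", first_difference(INPUT, AUDITOR))
```

An auditor that compares records this way, on decoded octets rather than on presentation text, does not flag a record merely because one side kept the backslashes and the other did not.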