[Opendnssec-develop] Testing for RC3, found a new zone to test with

Matthijs Mekking matthijs at NLnetLabs.nl
Thu Jan 21 11:14:35 UTC 2010


It looks like the trailing dots are already in the unsigned zone file,
so from an ldns perspective that looks good.

I tested it on my machine, and I did not get these errors.

I did get a signature verification failure for the DNSKEY. It seems that
if there is a DNSKEY with a different TTL than //Keys/TTL, it is assumed
to be a different RRset. A fix will be committed soon.

Also, I got an error that the NAPTR record was not the same as in the
output zone, but I think it is a false report from the auditor:

Input:

all.rr.binary.org. IN NAPTR 100 10 "" ""
 "/urn:cid:.+@([^\.]+\.)(.*)$/\2/i" .

Output (.finalized):

all.rr.binary.org. IN NAPTR 100 10 "" ""
 "/urn:cid:.+@([^.]+.)(.*)$/2/i" .

Auditor believes output was:

all.rr.binary.org. IN NAPTR 100 10 "" ""
 "/urn:cid:.+@[^.]+..*$/2/i .



Matthijs

Rickard Bellgrim wrote:
> Hi
>  
> The ldns 1.6.4 has been released. So now I started to test everything
> once again. My normal zones just work great, but I found one extra zone
> in our SVN to test with, all.rr.binary.org.
>  
> The Auditor did not like the result. But it looks like ldns is doing it
> right. The records are present in the signed zone, but with trailing
> dots in the rdata (which dnsruby seems to believe that they shouldn't).
>  
> 3: Output zone does not contain non-DNSSEC RRSet : NS,
> \\.all.rr.binary.org.    60      IN      NS      ns1.example.com.\000
> 3: Output zone does not contain non-DNSSEC RRSet : TXT,
> selector._domainkey.all.rr.binary.org.  60      IN      TXT    
> "v=DKIM1; n=Use=20DKIM;
> p=AwEAAZfbYw8SffZwsbrCLbC+JLErREIF6Yfe9aqsa1Pz6tpGWiLxm9rSL6/YoBvNP3UWX91YDF0JMo6lhu3UIZjITvIwDhx+RJYko9vLzaaJKXGf3ygy6z+deWoZJAV1lTY0Ltx9genboe88CSCHw9aSLkh0obN9Ck8R6zAMYR19ciM/;
> t=s"
> 3: Output zone does not contain non-DNSSEC RRSet : SRV,
> _http._tcp.all.rr.binary.org.   60      IN      SRV     0 5 80
> ns1.example.com
> 3: Output zone does not contain non-DNSSEC RRSet : MINFO,
> all.a{ll.all.rr.binary.org.   60      IN      MINFO  
> minfo-rmailbx.example.com minfo-emailbx.example.com
> 3: Output zone does not contain non-DNSSEC RRSet : PTR,
> foo.all.rr.binary.org.  60      IN      PTR     \000\\.ns1.all.rr.org
> 3: Output zone does not contain non-DNSSEC RRSet : CNAME,
> \032.foo\..all.rr.binary.org. 60      IN      CNAME   \\\\\..ns1.all.rr.org
> 3: Output zone does not contain non-DNSSEC RRSet : DNAME,
> frobozz.all.rr.binary.org.    60      IN      DNAME  
> frobozz-division.acme.example
> 3: Output zone does not contain non-DNSSEC RRSet : MB,
> nall.all.rr.binary.org.  60      IN      MB      mb-madname.\000.example.com
> 3: Output zone does not contain non-DNSSEC RRSet : A,
> ns1\..all.rr.binary.org.  60      IN      A       10.1.0.52
> 3: Output zone does not contain non-DNSSEC RRSet : DS,
> sub.all.rr.binary.org.   60      IN      DS      12345 DSA 1 (
> 123456789ABCDEF67890123456789ABCDEF67890 )
>  
> So it looks to me that the problem is in dnsruby. We can have a release
> of RC3, but perhaps stating that the auditor has some problems with
> binary domain names.
>  
> Or what do you say Matthijs?
>  
> // Rickard
>  

------------------------------------------------------------------------

_______________________________________________
Opendnssec-develop mailing list
Opendnssec-develop at lists.opendnssec.org
https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop
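
The NAPTR comparison discussed in the message above, as an added example that is not part of the original post and is not OpenDNSSEC, ldns or dnsruby code. It decodes the RFC 1035 master-file escapes (`\X` and `\DDD`) before comparing, which shows that the input and `.finalized` regexp fields are the same bytes while the string attributed to the auditor is not. Helper names are hypothetical; the three sample strings are copied from the message.

```ruby
# Added example: compare <character-string> rdata by decoded bytes, not by text.
# Helper names are hypothetical; sample strings are the NAPTR regexp fields above.

# Decode RFC 1035 section 5.1 escapes inside a quoted <character-string>:
#   \DDD -> the octet with decimal value DDD (000..255)
#   \X   -> the character X taken literally
# A backslash followed by fewer than three digits is decoded leniently as \X,
# which matches the .finalized output quoted in the message.
def decode_character_string(text)
  out = String.new(encoding: Encoding::BINARY)
  bytes = text.b
  i = 0
  while i < bytes.length
    ch = bytes[i]
    if ch != "\\"
      out << ch
      i += 1
    elsif (ddd = bytes[i + 1, 3]) && ddd =~ /\A\d{3}\z/
      value = ddd.to_i
      raise ArgumentError, "escape \\#{ddd} exceeds 255" if value > 255
      out << value.chr
      i += 4
    elsif i + 1 < bytes.length
      out << bytes[i + 1]
      i += 2
    else
      raise ArgumentError, "dangling backslash at end of string"
    end
  end
  out
end

# Re-encode raw bytes to presentation format (escape ", \ and non-printables).
def encode_character_string(raw)
  raw.bytes.map do |b|
    if b == 0x22 || b == 0x5c then "\\" + b.chr
    elsif b < 0x20 || b > 0x7e then format("\\%03d", b)
    else b.chr
    end
  end.join
end

# Two presentation-format strings are the same rdata if they decode alike.
def same_rdata?(a, b)
  decode_character_string(a) == decode_character_string(b)
end

INPUT     = '/urn:cid:.+@([^\.]+\.)(.*)$/\2/i' # unsigned zone
FINALIZED = '/urn:cid:.+@([^.]+.)(.*)$/2/i'    # .finalized output
AUDITOR   = '/urn:cid:.+@[^.]+..*$/2/i'        # what the auditor reported
```

In a master file a backslash that must survive into the wire data has to be written as `\\`, so a regexp such as `\.` or `\2` loses its backslash when entered with a single one, as the input above is.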



