[Opendnssec-develop] No RRSIG in .signed.sorted
Matthijs Mekking
matthijs at NLnetLabs.nl
Thu Mar 25 16:57:41 UTC 2010
Rickard Bellgrim wrote:
>> Yes. The sorter drops RRSIGs and NSEC(3)s. Perhaps we should add a flag
>> to the quicksorter that it should only drop these records when the flag
>> isn't set?
>
> Hmm, but this is the same behavior as in v1.0. That there is no RRSIG in .signed.sorted
Ah ok, then indeed we don't keep signatures when the policy changed.
>
>> Beware of the zone reader, it expects RRSIGs always to be *after* the
>> corresponding RRset
>
> The RRSIG is not always after the corresponding RRset.
>
> If the quicksorter would not drop the signatures, then any RR with a higher RR type number would get sorted after the RRSIG.
Yes, so if we go down that path, we must take that into account (either
change the zone_reader or adapt the sorting in the quicksorter).
Matthijs
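The ordering issue discussed in this thread, as an added example that is not part of the original message and not OpenDNSSEC code: sorting by owner and numeric RR type leaves RRSIG (type 46) away from most RRsets it covers, while a comparator that groups each RRSIG under its covered type keeps the "RRSIG after its RRset" assumption. The record struct, function names and sample zone are constructed for illustration, and `strcmp` stands in for canonical name ordering.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed, simplified records: owner, RR type, type covered (RRSIG only). */
enum { T_A = 1, T_NS = 2, T_SOA = 6, T_RRSIG = 46, T_DNSKEY = 48 };
struct rr { const char *owner; int type; int covered; };
/* Type an RR groups under: for an RRSIG, the type it covers. */
static int key(const struct rr *r) { return r->type == T_RRSIG ? r->covered : r->type; }

/* Plain order: owner (strcmp stands in for canonical name order), then type. */
static int cmp_by_type(const void *a, const void *b) {
    const struct rr *x = a, *y = b;
    int c = strcmp(x->owner, y->owner);
    return c ? c : x->type - y->type;
}

/* Adapted order: an RRSIG sorts under the type it covers, after the data. */
static int cmp_sig_after_rrset(const void *a, const void *b) {
    const struct rr *x = a, *y = b;
    int c = strcmp(x->owner, y->owner);
    if (c == 0) c = key(x) - key(y);
    return c ? c : (x->type == T_RRSIG) - (y->type == T_RRSIG);
}

/* Reader assumption: each RRSIG directly follows the RRset it covers. */
static int sigs_follow_rrsets(const struct rr *z, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (z[i].type != T_RRSIG) continue;
        if (i == 0 || strcmp(z[i - 1].owner, z[i].owner) != 0) return 0;
        if (key(&z[i - 1]) != z[i].covered) return 0;
    }
    return 1;
}

/* Sort a constructed zone fragment; return 1 if the reader assumption holds. */
static int check_order(int (*cmp)(const void *, const void *)) {
    struct rr zone[] = {
        {"example.", T_RRSIG, T_DNSKEY}, {"example.", T_DNSKEY, 0},
        {"example.", T_RRSIG, T_SOA},    {"example.", T_SOA, 0},
        {"example.", T_RRSIG, T_NS},     {"example.", T_NS, 0},
        {"www.example.", T_RRSIG, T_A},  {"www.example.", T_A, 0},
    };
    qsort(zone, sizeof zone / sizeof zone[0], sizeof zone[0], cmp);
    return sigs_follow_rrsets(zone, sizeof zone / sizeof zone[0]);
}

int main(void) {
    printf("%d %d\n", check_order(cmp_by_type), check_order(cmp_sig_after_rrset));
}
```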