[Opendnssec-develop] Re: [OpenDNSSEC] #217: KASP accepts algorithm 2 for NSEC3 records
OpenDNSSEC
owner-dnssec-trac at kirei.se
Mon Feb 14 08:51:45 UTC 2011
#217: KASP accepts algorithm 2 for NSEC3 records
-----------------------------------------------------+----------------------
Reporter: Sebastian Castro <sebastian@…> | Owner: alex
Type: defect | Status: assigned
Priority: minor | Component: Signer
Version: 1.2.0 | Resolution:
Keywords: |
-----------------------------------------------------+----------------------
Comment (by matthijs):
Replying to [comment:4 Sebastian Castro <sebastian@…>]:
> Replying to [comment:1 matthijs]:
> > I would say that ods-kaspcheck should return an error.
> >
> > The signer should error, but the bug is actually in ldns. Will fix it there.
>
> ods-kaspcheck happily validates the policy as you can see in the attached file. The zone is signed, but it won't validate by any modern DNS server.

Yes, ods-kaspcheck validated the policy. Alex has committed a fix in trunk
(rev 4433) that fixes this.
The signer bug is fixed in ldns, but that doesn't help OpenDNSSEC for now
of course. We decided to fix the enforcer such that it will make sure not
to accept policies that are not validated by ods-kaspcheck.
--
Ticket URL: <http://trac.opendnssec.org/ticket/217#comment:5>
OpenDNSSEC <http://www.opendnssec.org/>