[Opendnssec-develop] Re: [OpenDNSSEC] #217: KASP accepts algorithm 2 for NSEC3 records

OpenDNSSEC owner-dnssec-trac at kirei.se
Mon Feb 14 08:51:45 UTC 2011

#217: KASP accepts algorithm 2 for NSEC3 records
Reporter:  Sebastian Castro <sebastian@…>            |        Owner:  alex    
    Type:  defect                                    |       Status:  assigned
Priority:  minor                                     |    Component:  Signer  
 Version:  1.2.0                                     |   Resolution:          
Keywords:                                            |  

Comment (by matthijs):

 Replying to [comment:4 Sebastian Castro <sebastian@…>]:
 > Replying to [comment:1 matthijs]:
 > > I would say that ods-kaspcheck should return an error.
 > >
 > > The signer should error, but the bug is actually in ldns. Will fix it
 > ods-kaspcheck happily validates the policy as you can see in the
 > attached file. The zone is signed, but it won't validate by any modern DNS

 Yes, ods-kaspcheck validated the policy. Alex has committed a fix in trunk
 (rev 4433) that fixes this.

 The signer bug is fixed in ldns, but that doesn't help OpenDNSSEC for now
 of course. We decided to fix the enforcer such that it will make sure not
 to accept policies that are not validated by ods-kaspcheck.

Ticket URL: <http://trac.opendnssec.org/ticket/217#comment:5>
OpenDNSSEC <http://www.opendnssec.org/>
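
The check discussed in this ticket, as an added example (not code from ods-kaspcheck, the enforcer or ldns): a pre-flight script that rejects any policy whose NSEC3 hash algorithm is not 1, the only value RFC 5155 defines (SHA-1). The Policy/Denial/NSEC3/Hash/Algorithm element layout, the function name and the sample policies are assumptions made for this illustration.

```python
import sys
import xml.etree.ElementTree as ET

# RFC 5155 defines exactly one NSEC3 hash algorithm: 1 (SHA-1).
VALID_NSEC3_HASH_ALGORITHMS = {1}

# Constructed sample policy file (not taken from the ticket attachment).
# Element layout is an assumption: Policy/Denial/NSEC3/Hash/Algorithm.
SAMPLE_KASP = """<KASP>
  <Policy name="good"><Denial><NSEC3><Hash>
    <Algorithm>1</Algorithm><Iterations>5</Iterations><Salt length="8"/>
  </Hash></NSEC3></Denial></Policy>
  <Policy name="ticket217"><Denial><NSEC3><Hash>
    <Algorithm>2</Algorithm><Iterations>5</Iterations><Salt length="8"/>
  </Hash></NSEC3></Denial></Policy>
  <Policy name="nsec-only"><Denial><NSEC/></Denial></Policy>
  <Policy name="broken"><Denial><NSEC3><Hash>
    <Algorithm></Algorithm><Iterations>5</Iterations><Salt length="8"/>
  </Hash></NSEC3></Denial></Policy>
</KASP>"""


def check_nsec3_hash_algorithms(kasp_xml):
    """Return (policy_name, message) for every policy with a bad NSEC3 hash."""
    errors = []
    root = ET.fromstring(kasp_xml)
    for policy in root.iter("Policy"):
        name = policy.get("name", "<unnamed>")
        nsec3 = policy.find("Denial/NSEC3")
        if nsec3 is None:
            continue  # policy uses NSEC, so there is no hash algorithm to check
        node = nsec3.find("Hash/Algorithm")
        text = (node.text or "").strip() if node is not None else ""
        if not (text.isascii() and text.isdigit()):
            errors.append((name, "NSEC3 hash algorithm missing or not a number"))
        elif int(text) not in VALID_NSEC3_HASH_ALGORITHMS:
            errors.append(
                (name, f"NSEC3 hash algorithm {int(text)} is not defined; use 1 (SHA-1)")
            )
    return errors


if __name__ == "__main__":
    # With a path argument, check that file; otherwise check the sample above.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_KASP
    problems = check_nsec3_hash_algorithms(data)
    for policy_name, message in problems:
        print(f"ERROR: policy {policy_name}: {message}")
    sys.exit(1 if problems else 0)
```
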
