[Opendnssec-develop] Re: [OpenDNSSEC] #246: Kaspcheck validates kasp.xml when NSEC3 algorithm is 0
OpenDNSSEC
owner-dnssec-trac at kirei.se
Wed Jun 29 07:53:19 UTC 2011
#246: Kaspcheck validates kasp.xml when NSEC3 algorithm is 0
--------------------------------+-------------------------------------------
Reporter: Nick van den Heuvel | Owner: rb
Type: defect | Status: new
Priority: minor | Component: Unknown
Version: 1.3.0 | Resolution:
Keywords: 1.3.0rc3 |
--------------------------------+-------------------------------------------
Comment (by Nick van den Heuvel):
When running ods-ksmutil setup I get this error:
-----------------------------------------------------
root@elmo-desktop:/etc/opendnssec# ods-ksmutil setup
*WARNING* This will erase all data in the database; are you sure? [y/N] y
SQLite database set to: /var/opendnssec/kasp.db
fixing permissions on file /var/opendnssec/kasp.db
zonelist filename set to /etc/opendnssec/zonelist.xml.
kasp filename set to /etc/opendnssec/kasp.xml.
Repository SoftHSM found
No Maximum Capacity set.
RequireBackup NOT set; please make sure that you know the potential
problems of using keys which are not recoverable
/etc/opendnssec/conf.xml validates
/etc/opendnssec/kasp.xml validates
ERROR: NSEC3 Hash algorithm is 0 but should be 1
ods-kaspcheck returned an error, please check your policy
Failed to update policies
SETUP FAILED
-----------------------------------------------------
kasp.xml validates with ods-kaspcheck. Is this how it should work?
-----------------------------------------------------
root@elmo-desktop:/etc/opendnssec# ods-kaspcheck
/etc/opendnssec/conf.xml validates
/etc/opendnssec/kasp.xml validates
ERROR: NSEC3 Hash algorithm is 0 but should be 1
-----------------------------------------------------
Conclusion, signing a zone with this kasp.xml is not possible (setup
fails). Though kasp.xml still validates, should this be changed?
--
Ticket URL: <http://trac.opendnssec.org/ticket/246#comment:4>
OpenDNSSEC <http://www.opendnssec.org/>