[Opendnssec-user] 1.0.0rc1 nsec3 signing bug, or some sort of newbie mistake
Dan Pritts
danno at internet2.edu
Tue Dec 8 14:00:33 UTC 2009
On Tue, Dec 08, 2009 at 08:57:29AM +0000, Alexd at nominet.org.uk wrote:
> Hi Dan -
>
> > I've set up opendnssec 1.0.0rc1 and softhsm 1.1.1 on an RHEL5 x64 system,
> > and added an initial zone.
>
> Can I ask if you have updated ldns to 1.6.3?
I haven't; I had just built everything with 1.0.0b9 a couple of days ago,
so when I built 1.0.0rc1 yesterday I did not bother to check for updates
to the surrounding tools & libraries. Duh.
I'm sure this is my problem.
> > The zone is signed by the signer, but a bunch of strange records are added
>
> These are the NSEC3 records. If you do not need to prevent zone walking,
> and your zone is not so large that opt-out is a requirement, then you are
> just as well served by NSEC (which does not require the "strange records"
> in the signed zone).
I was surprised that things looked so different between bind and
opendnssec's signed zones. As I go back to it, it looks like I had
configured bind to do NSEC, rather than NSEC3. I thought I'd done
NSEC3 with bind but as I look at it, it looks like I did NSEC there.
Thanks for all the responses and for your work on the opendnssec tools.
danno
--
Dan Pritts, Sr. Systems Engineer
Internet2
office: +1-734-352-4953 | mobile: +1-734-834-7224
Winter 2010 ESCC/Internet2 Joint Techs
Hosted by the University of Utah - Salt Lake City, UT
January 31 - February 4, 2010
http://events.internet2.edu/2010/jt-slc/
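The "strange records" discussed in this thread are NSEC3 owner names: hashed forms of the zone's own names as defined in RFC 5155. The following is an added example, not code from this thread or from the OpenDNSSEC project, that computes those hashed owner names and contrasts the resulting NSEC3 chain with an NSEC chain for the same names; the sample zone names are constructed, and the salt and iteration count follow the RFC 5155 Appendix A values.

```python
import hashlib

# Base32 with the Extended Hex alphabet (RFC 4648 section 7), as NSEC3 requires;
# it preserves sort order, so hashed names sort exactly like the raw digests.
_B32HEX = "0123456789abcdefghijklmnopqrstuv"

def _b32hex(data: bytes) -> str:
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)          # 20-byte SHA-1 digest -> 32 chars, no '='
    return "".join(_B32HEX[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))

def name_to_wire(name: str) -> bytes:
    """Canonical wire form (RFC 4034 section 6.2): lowercase labels, each
    length-prefixed, terminated by the empty root label."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_hash(name: str, salt_hex: str = "", iterations: int = 0) -> str:
    """Hashed owner name per RFC 5155 section 5: IH(0) = SHA1(name || salt),
    IH(k) = SHA1(IH(k-1) || salt); the result is IH(iterations)."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return _b32hex(digest)

def nsec3_chain(names, salt_hex="", iterations=0):
    """The NSEC3 chain a signer emits: (hashed owner, next hashed owner, original
    name), ordered by hash. A link only reveals its neighbour's hash, so the
    zone's names cannot simply be read off the chain as they can with NSEC."""
    hashed = sorted((nsec3_hash(n, salt_hex, iterations), n) for n in names)
    return [(h, hashed[(i + 1) % len(hashed)][0], n) for i, (h, n) in enumerate(hashed)]

def nsec_chain(names):
    """The NSEC equivalent: (owner, next owner) in canonical order, where each
    'next' pointer is a real name, so the whole zone can be enumerated."""
    key = lambda n: tuple(reversed(n.rstrip(".").lower().split(".")))
    ordered = sorted(names, key=key)
    return [(n, ordered[(i + 1) % len(ordered)]) for i, n in enumerate(ordered)]

if __name__ == "__main__":
    # Constructed sample zone; salt/iterations follow RFC 5155 Appendix A.
    zone = ["example", "a.example", "ns1.example", "w.example", "x.w.example"]
    for owner, nxt in nsec_chain(zone):
        print(f"NSEC   {owner:14} -> {nxt}")
    for h, nxt, orig in nsec3_chain(zone, "aabbccdd", 12):
        print(f"NSEC3  {h}.example -> {nxt}   ({orig})")
```

With the Appendix A parameters, `nsec3_hash("example", "aabbccdd", 12)` yields the hashed owner `0p9mhaveqvm6t7vbl5lop2u3t2rp3tom` that appears in the RFC's signed example zone.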