[Opendnssec-user] NSEC3 w/ opt-out

Matthijs Mekking matthijs at NLnetLabs.nl
Fri Sep 18 08:23:44 UTC 2009



Hi Antti,

The python signer engine evaluated the wrong Element, so it did not
discover the <OptOut/> settings.

Thanks for the catch, the following patch is applied in trunk (r1820).


Best regards,

Matthijs

Modified: trunk/OpenDNSSEC/signer/signer_engine/ZoneConfig.py
===================================================================
- --- trunk/OpenDNSSEC/signer/signer_engine/ZoneConfig.py	2009-09-17
13:50:52 UTC (rev 1819)
+++ trunk/OpenDNSSEC/signer/signer_engine/ZoneConfig.py	2009-09-17
14:23:04 UTC (rev 1820)
@@ -255,7 +255,7 @@
             self.denial_nsec = False
             self.denial_nsec3_ttl = Util.parse_duration(
                 Util.get_xml_data("parameters/TTL", nsec3_xml, True))
- -            if Evaluate("opt-out", nsec3_xml):
+            if Evaluate("OptOut", nsec3_xml):
                 self.denial_nsec3_optout = True
             self.denial_nsec3_algorithm = \
                 int(Util.get_xml_data("Hash/Algorithm", nsec3_xml))
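
Review bot: On the changed Evaluate("OptOut", nsec3_xml) line, the element name is a bare string literal and a mismatch just makes the condition false, so a wrong name silently leaves opt-out disabled instead of raising an error, which is how the old "opt-out" string went unnoticed. A regression test that loads a denial policy containing <OptOut/> and asserts that denial_nsec3_optout is True would catch this class of mistake. The hunk also shows no explicit "self.denial_nsec3_optout = False" in this branch; if the attribute is not initialised elsewhere, set it next to "self.denial_nsec = False" so that re-reading a policy from which <OptOut/> was removed clears the flag.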

Antti Ristimäki wrote:
> Hi,
> 
> I've been wondering, why the OpenDNSSEC signer produces NSEC3 records
> for every unsigned delegation, although my denial policy has the
> <OptOut/> option set. Currently, it generates NSEC3 records without the
> Opt-Out flag set for each and every delegation.
> 
> Is the signer working as intended or am I probably missing something...?
> 
> Cheers,
> 
> Antti



