[Opendnssec-user] auditor bug: NSEC includes SSHFP which is not in rrsets for git.foo.com.
Paul Wouters
paul at nohats.ca
Tue Feb 7 23:03:16 UTC 2012
I found the following bug:
git.foo.com. IN A 1.2.3.4
git.foo.com. IN SSHFP 1 1 AAACC04AA31DF4A04C11254FB6939A15C3A11B87
Sign the zone.
Edit the zone and replace the two above records with:
git.foo.com. IN CNAME www
Sign the zone. ods-signer refuses because the auditor finds:
Feb 6 15:50:20 nohats ods-auditor[14700]: NSEC includes SSHFP which is not in rrsets for git.foo.com.
It should just fix the NSEC chain. Did the CNAME confuse it?
Paul
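
The consistency check behind the auditor message, as an added example (not part of the original post and not OpenDNSSEC's auditor code): it compares each NSEC type list with the RRsets actually present at that owner name. The zone fragment is constructed; the TTLs, the next name www.foo.com., the signature placeholders, and the assumption that the stale NSEC still lists A as well as SSHFP are not from the post.

```python
from collections import defaultdict

# Constructed signed-zone fragment: git.foo.com. now holds a CNAME, but its
# NSEC still carries the type list from before the edit (A, SSHFP).
# Assumed layout: one record per line, explicit TTL and class.
STALE_ZONE = """\
git.foo.com. 3600 IN CNAME www.foo.com.
git.foo.com. 3600 IN RRSIG CNAME 8 3 3600 (constructed-signature)
git.foo.com. 3600 IN NSEC www.foo.com. A SSHFP RRSIG NSEC
git.foo.com. 3600 IN RRSIG NSEC 8 3 3600 (constructed-signature)
"""

def parse(zone_text):
    """Return (rrsets, nsec): owner -> types present, owner -> types in NSEC."""
    rrsets, nsec = defaultdict(set), {}
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or line.lstrip().startswith(";"):
            continue
        owner, rtype, rdata = fields[0].lower(), fields[3].upper(), fields[4:]
        rrsets[owner].add(rtype)
        if rtype == "NSEC":
            # rdata[0] is the next owner name; the rest is the type list.
            nsec[owner] = {t.upper() for t in rdata[1:]}
    return rrsets, nsec

def audit_nsec(zone_text):
    """List every mismatch between an NSEC type list and the owner's RRsets."""
    rrsets, nsec = parse(zone_text)
    findings = []
    for owner in sorted(nsec):
        present, listed = rrsets[owner], nsec[owner]
        # Types promised by the NSEC that no longer exist (the reported case).
        for t in sorted(listed - present):
            findings.append(f"NSEC includes {t} which is not in rrsets for {owner}")
        # Types that exist but are not covered by the NSEC type list.
        for t in sorted(present - listed):
            findings.append(f"NSEC omits {t} which is in rrsets for {owner}")
    return findings

if __name__ == "__main__":
    for finding in audit_nsec(STALE_ZONE):
        print(finding)
```

A regenerated NSEC for this name would list CNAME RRSIG NSEC, and the check then returns no findings.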