[Opendnssec-user] auditor bug: NSEC includes SSHFP which is not in rrsets for git.foo.com.

Matthijs Mekking matthijs at nlnetlabs.nl
Wed Feb 8 07:39:29 UTC 2012


Hi Paul,

I just tried it with my own zone, but the signer does not include the
SSHFP RRtype in the NSEC and so the auditor has nothing to complain about.

Which version are you using?

Best regards,
  Matthijs

On 02/08/2012 12:03 AM, Paul Wouters wrote:
> 
> 
> I found the following bug:
> 
> git.foo.com. IN A 1.2.3.4
> git.foo.com. IN SSHFP 1 1 AAACC04AA31DF4A04C11254FB6939A15C3A11B87
> 
> Sign the zone.
> 
> Edit the zone and replace the two above records with:
> 
> git.foo.com. IN CNAME www
> 
> Sign the zone. ods-signer refuses because the auditor finds:
> 
> Feb  6 15:50:20 nohats ods-auditor[14700]: NSEC includes SSHFP which is not in rrsets for git.foo.com.
> 
> It should just fix the NSEC chain. Did the CNAME confuse it?
> 
> Paul

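Added example (not part of the original message and not OpenDNSSEC's auditor code): a minimal check of the consistency rule behind the log line quoted above, namely that the type list in an NSEC record matches the RR types actually present at that owner name. The zone text is constructed, the name audit_nsec_bitmaps is hypothetical, and the parser assumes one fully qualified "owner IN type rdata" record per line.

```python
from collections import defaultdict

# Constructed sample zone (not the thread's real zone): git.foo.com. now holds
# a CNAME, but its NSEC still carries the type list from the earlier
# A + SSHFP signing run. RRSIG rdata is abbreviated to "(sig)".
STALE_ZONE = """\
git.foo.com. IN CNAME www.foo.com.
git.foo.com. IN RRSIG CNAME (sig)
git.foo.com. IN NSEC www.foo.com. A SSHFP RRSIG NSEC
git.foo.com. IN RRSIG NSEC (sig)
www.foo.com. IN A 1.2.3.4
www.foo.com. IN RRSIG A (sig)
www.foo.com. IN NSEC git.foo.com. A RRSIG NSEC
www.foo.com. IN RRSIG NSEC (sig)
"""
# Same zone with the NSEC type list regenerated for the CNAME.
FIXED_ZONE = STALE_ZONE.replace("www.foo.com. A SSHFP RRSIG NSEC",
                                "www.foo.com. CNAME RRSIG NSEC")


def audit_nsec_bitmaps(zone_text):
    """Return one finding per mismatch between an NSEC type list and the
    RR types present at the same owner name."""
    present = defaultdict(set)   # owner -> RR types found in the zone
    claimed = {}                 # owner -> types listed in its NSEC record
    for line in zone_text.splitlines():
        fields = line.split(";")[0].split()
        if len(fields) < 4 or fields[1].upper() != "IN":
            continue             # blank lines, comments, unsupported syntax
        owner, rrtype, rdata = fields[0].lower(), fields[2].upper(), fields[3:]
        present[owner].add(rrtype)
        if rrtype == "NSEC":
            # rdata[0] is the next owner name; the rest is the type list
            claimed[owner] = {t.upper() for t in rdata[1:]}
    findings = []
    for owner in sorted(claimed):
        for t in sorted(claimed[owner] - present[owner]):
            findings.append(f"NSEC includes {t} which is not in rrsets for {owner}")
        for t in sorted(present[owner] - claimed[owner]):
            findings.append(f"NSEC omits {t} which is in rrsets for {owner}")
    return findings


if __name__ == "__main__":
    for finding in audit_nsec_bitmaps(STALE_ZONE):
        print(finding)
```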