[Opendnssec-user] Difference between BIND and ODS signed output

Matthijs Mekking matthijs at nlnetlabs.nl
Mon Oct 29 15:26:34 UTC 2012


Hi,

On 10/26/2012 05:01 PM, elsif wrote:
> Unsigned zone:
> lac-megantic.qc.ca.                IN NS    ns1.com2media.ca.
>                                    IN NS    ns2.com2media.ca.
> ville.lac-megantic.qc.ca.          IN NS    ns1.com2media.ca.
>                                    IN NS    ns2.com2media.ca.
> 
> Signed zone (ODS):
> lac-megantic.qc.ca.     86400   IN      NS      ns1.com2media.ca.
> lac-megantic.qc.ca.     86400   IN      NS      ns2.com2media.ca.
> 
> 
> Signed zone (BIND):
> lac-megantic.qc.ca.     86400   IN NS   ns1.com2media.ca.
>                         86400   IN NS   ns2.com2media.ca.
> ville.lac-megantic.qc.ca. 86400 IN NS   ns1.com2media.ca.
>                         86400   IN NS   ns2.com2media.ca.
> 
> It appears ODS is ignoring the 4th level when the 3rd level exists
> (presumably this behaviour would be different if the NS RRset differs,
> but I've yet to confirm that).
> 
> I didn't expect zones to disappear from the signed zone, in any case,
> and it makes our post-signing validation checks fail.
> 
> Can this be considered a bug?

Well, it was done on purpose, as this is data you are not authoritative
for. I'm not sure which text in which RFC convinced me to do so, but if
you operate on files this shouldn't matter much: The data may not be
served anyway. I believe it doesn't do harm, so we can remove the check
so that all occluded data (not only glue) remain in the signed zone file.

RFC 5936 though says that for zone transfers, the occluded names should
be present. So I think this needs to be fixed for the DNS adapters.

Best regards,
  Matthijs


> 
> Thanks,
> 
> -Jake
> 
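The post-signing check Jake mentions can be made explicit: find the names that are occluded (sitting below a delegation cut, so the zone is not authoritative for them) in the unsigned zone and confirm they still appear in the signed output, which is what RFC 5936 expects a transferred zone to carry. The script below is an added example and is not code from OpenDNSSEC, BIND, or either poster; the zone apex `qc.ca.` and the two zone fragments are assumptions modelled on the records quoted in the thread.

```python
"""Check that names occluded below a delegation survive signing.

Added example for the thread above (not OpenDNSSEC or BIND code). The apex
and the two zone fragments are constructed assumptions based on the quoted
records; the unsigned side carries no TTL, as in the original message.
"""
from collections import defaultdict

APEX = "qc.ca."  # assumed apex of the zone discussed in the thread

# Constructed unsigned zone fragment; blank owners repeat the previous owner,
# as in the zone file quoted in the thread.
UNSIGNED = """\
lac-megantic.qc.ca.                IN NS    ns1.com2media.ca.
                                   IN NS    ns2.com2media.ca.
ville.lac-megantic.qc.ca.          IN NS    ns1.com2media.ca.
                                   IN NS    ns2.com2media.ca.
"""

# Constructed signed output in which the occluded name has been dropped.
SIGNED_ODS = """\
lac-megantic.qc.ca.     86400   IN      NS      ns1.com2media.ca.
lac-megantic.qc.ca.     86400   IN      NS      ns2.com2media.ca.
"""


def parse_zone(text):
    """Return {owner: {rtype: set(rdata)}} for a minimal presentation-format zone.

    Handles blank owners (repeat the previous owner), an optional TTL and an
    optional class. $-directives and multi-line parenthesised records are not
    supported; this is a checking tool, not a full zone-file parser.
    """
    rrsets = defaultdict(lambda: defaultdict(set))
    owner = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue
        fields = line.split()
        if not line[0].isspace():
            owner = fields.pop(0).lower()    # new owner name at column 0
        if owner is None:
            raise ValueError("continuation line before any owner name")
        if fields and fields[0].isdigit():
            fields.pop(0)                    # optional TTL
        if fields and fields[0].upper() == "IN":
            fields.pop(0)                    # optional class
        rtype = fields.pop(0).upper()
        rrsets[owner][rtype].add(" ".join(fields).lower())
    return rrsets


def is_below(name, ancestor):
    """True if name is a proper subdomain of ancestor (both fully qualified)."""
    return name != ancestor and name.endswith("." + ancestor)


def delegation_points(rrsets, apex):
    """Owner names other than the apex that carry an NS RRset (zone cuts)."""
    return {n for n, types in rrsets.items() if "NS" in types and n != apex}


def occluded_names(rrsets, apex):
    """Names strictly below some delegation cut; the zone is not authoritative for them.

    A name that is itself a cut (like ville.lac-megantic.qc.ca. here) is still
    occluded when it lies under another cut (lac-megantic.qc.ca.).
    """
    cuts = delegation_points(rrsets, apex)
    return {n for n in rrsets if any(is_below(n, c) for c in cuts)}


def missing_after_signing(unsigned, signed, apex=APEX):
    """Occluded names present in the unsigned zone but absent from the signed zone."""
    before = parse_zone(unsigned)
    after = parse_zone(signed)
    return sorted(n for n in occluded_names(before, apex) if n not in after)


if __name__ == "__main__":
    lost = missing_after_signing(UNSIGNED, SIGNED_ODS)
    if lost:
        print("occluded names dropped by the signer:")
        for name in lost:
            print("  " + name)
    else:
        print("all occluded names survived signing")
```

On the constructed input the report lists `ville.lac-megantic.qc.ca.`, which is exactly the name that vanished in the ODS output quoted above; run against the BIND output, the same function returns an empty list. An empty result is the condition a post-signing check should require before a zone is handed to a DNS adapter or served for transfer.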



