[Opendnssec-user] NSEC3PARAM records bug
GMO Internet Yuya Nagai
yuya-nagai at gmo.jp
Thu Oct 8 06:14:58 UTC 2015
Hi,
I found a bug which inserts two NSEC3PARAM records in a signed zone.
It happens in all OpenDNSSEC 1.4 versions.
To reproduce it in a test, I set Denial->NSEC3->Resalt=PT900S in kasp.xml so that it is updated in a short period.
The occurrence could be confirmed with an unspecified domain name each time.
This patch prevents the issue by removing old NSEC3PARAM records.
--- signer/src/signer/zone.c.org 2015-10-05 12:08:00.055590173 +0000
+++ signer/src/signer/zone.c 2015-10-08 02:36:13.768982694 +0000
@@ -373,6 +373,12 @@
ldns_set_bit(ldns_rdf_data(ldns_rr_rdf(rr, 1)), 7, 0);
zone->signconf->nsec3params->rr = rr;
}
+
+ rrset = zone_lookup_rrset(zone, zone->apex, LDNS_RR_TYPE_NSEC3PARAMS);
+ if (rrset) {
+ zone_del_rr(zone, LDNS_RR_TYPE_NSEC3PARAMS, 1);
+ }
+
ods_log_assert(zone->signconf->nsec3params->rr);
status = zone_add_rr(zone, zone->signconf->nsec3params->rr, 0);
if (status == ODS_STATUS_UNCHANGED) {
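Review bot: In the added block, zone_del_rr is passed the type constant LDNS_RR_TYPE_NSEC3PARAMS as its second argument, while the zone_add_rr call just below passes an RR pointer (zone->signconf->nsec3params->rr) in the same position. If zone_del_rr takes an RR the way zone_add_rr does, the block should walk the RRs of the looked-up rrset and delete each one instead. The return value of zone_del_rr is also discarded, unlike the status of zone_add_rr, which is checked; capture it and log or bail out on failure. rrset is not declared in the visible context, so confirm a declaration exists earlier in the function. Finally, check that removing the record right before the add does not change how the ODS_STATUS_UNCHANGED branch behaves when the salt has not actually changed.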
Best regards,
--
Nagai