[Opendnssec-user] NSEC3PARAM records bug
GMO Internet Yuya Nagai
yuya-nagai at gmo.jp
Tue Oct 13 06:54:25 UTC 2015
Hi Yuri,
> Are you able to share your full configuration? I still am not able to
> reproduce the bug. And I really like to verify it first.
Perhaps I think this problem is a bug which occurs only in certain configurations.
In my environment, the NSEC3PARAM record remains when using the DNS Input adapter of the zone.
I'll add the ODS configuration files for a reproduction test.
install: (use mysql backend)
./configure --prefix=/ods --with-database-backend=mysql
In: conf.xml
--------
<?xml version="1.0" encoding="UTF-8"?>
<Configuration>
  <RepositoryList>
    <Repository name="SoftHSM">
      <Module>/ods/lib/libsofthsm.so</Module>
      <TokenLabel>ods</TokenLabel>
      <PIN>****</PIN>
      <SkipPublicKey/>
    </Repository>
  </RepositoryList>
  <Common>
    <Logging>
      <Verbosity>3</Verbosity>
      <Syslog><Facility>local0</Facility></Syslog>
    </Logging>
    <PolicyFile>/ods/etc/kasp.xml</PolicyFile>
    <ZoneListFile>/ods/etc/zonelist.xml</ZoneListFile>
  </Common>
  <Enforcer>
    <Privileges><User>root</User><Group>root</Group></Privileges>
    <Datastore>
      <MySQL>
        <Host port="3306">127.0.0.1</Host>
        <Database>ods</Database>
        <Username>****</Username>
        <Password>****</Password>
      </MySQL>
    </Datastore>
    <Interval>PT3600S</Interval>
  </Enforcer>
  <Signer>
    <Privileges><User>root</User><Group>root</Group></Privileges>
    <WorkingDirectory>/ods/tmp</WorkingDirectory>
    <WorkerThreads>4</WorkerThreads>
    <Listener>
      <Interface><Address>127.0.0.2</Address><Port>53</Port></Interface>
    </Listener>
  </Signer>
</Configuration>
--------
In: addns.xml
--------
<?xml version="1.0" encoding="UTF-8"?>
<Adapter>
  <DNS>
    <TSIG>
      <Name>secret.example.com</Name>
      <Algorithm>hmac-md5</Algorithm>
      <Secret>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</Secret>
    </TSIG>
    <Inbound>
      <RequestTransfer>
        <Remote><Address>127.0.0.1</Address><Key>secret.example.com</Key></Remote>
      </RequestTransfer>
      <AllowNotify>
        <Peer><Prefix>127.0.0.0/24</Prefix></Peer>
      </AllowNotify>
    </Inbound>
    <Outbound>
      <ProvideTransfer>
        <Peer><Prefix>127.0.0.0/24</Prefix><Key>secret.example.com</Key></Peer>
      </ProvideTransfer>
      <Notify>
        <Remote><Address>127.0.0.1</Address></Remote>
      </Notify>
    </Outbound>
  </DNS>
</Adapter>
--------
In: kasp.xml
--------
<?xml version="1.0" encoding="UTF-8"?>
<KASP>
  <Policy name="default">
    <Description>a</Description>
    <Signatures>
      <Resign>PT900S</Resign>
      <Refresh>P1D</Refresh>
      <Validity><Default>P7D</Default><Denial>P7D</Denial></Validity>
      <Jitter>PT12H</Jitter>
      <InceptionOffset>PT3600S</InceptionOffset>
    </Signatures>
    <Denial>
      <NSEC3>
        <Resalt>PT900S</Resalt>
        <Hash>
          <Algorithm>1</Algorithm>
          <Iterations>5</Iterations>
          <Salt length="8"/>
        </Hash>
      </NSEC3>
    </Denial>
    <Keys>
      <TTL>PT3600S</TTL>
      <RetireSafety>PT3600S</RetireSafety>
      <PublishSafety>PT3600S</PublishSafety>
      <Purge>P14D</Purge>
      <KSK>
        <Algorithm length="2048">8</Algorithm>
        <Lifetime>P365D</Lifetime>
        <Repository>SoftHSM</Repository>
      </KSK>
      <ZSK>
        <Algorithm length="1024">8</Algorithm>
        <Lifetime>P90D</Lifetime>
        <Repository>SoftHSM</Repository>
      </ZSK>
    </Keys>
    <Zone>
      <PropagationDelay>PT3600S</PropagationDelay>
      <SOA><TTL>PT3600S</TTL><Minimum>PT3600S</Minimum><Serial>unixtime</Serial></SOA>
    </Zone>
    <Parent>
      <PropagationDelay>PT3600S</PropagationDelay>
      <DS><TTL>PT3600S</TTL></DS>
      <SOA><TTL>PT3600S</TTL><Minimum>PT3600S</Minimum></SOA>
    </Parent>
  </Policy>
</KASP>
--------
In: zonelist.xml
--------
<?xml version="1.0" encoding="UTF-8"?>
<ZoneList>
  <Zone name="example.com">
    <Policy>default</Policy>
    <SignerConfiguration>/ods/signconf/example.com.xml</SignerConfiguration>
    <Adapters>
      <Input><Adapter type="DNS">/ods/etc/addns.xml</Adapter></Input>
      <Output><Adapter type="File">/ods/signed/example.com.signed</Adapter></Output>
    </Adapters>
  </Zone>
</ZoneList>
--------
Best regards,
--
Nagai
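A check a reader can run over the signed zone written by the File output adapter above (/ods/signed/example.com.signed) to see whether a stale NSEC3PARAM is left behind after a resalt: more than one NSEC3PARAM at the apex, one that disagrees with the kasp.xml policy (algorithm 1, 5 iterations, 8-byte salt), or one whose salt no NSEC3 record in the zone actually uses. This is an added example, not OpenDNSSEC's code; the zone text, owner hashes and salt values are constructed for illustration.

```python
import re

# Constructed sample of a signed zone in presentation format, one RR per line.
# Two NSEC3PARAM records at the apex; only the second matches the NSEC3 chain.
SAMPLE_ZONE = """\
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 1444719265 3600 900 1209600 3600
example.com. 3600 IN NS ns1.example.com.
example.com. 3600 IN NSEC3PARAM 1 0 5 0123456789ABCDEF
example.com. 3600 IN NSEC3PARAM 1 0 5 FEDCBA9876543210
0P9MKAAJP38CU67HHL31AG0HBH6GH5CK.example.com. 3600 IN NSEC3 1 0 5 FEDCBA9876543210 1K5MKOBJD8CG2R91KPHK5ATH6TE2NODR NS SOA RRSIG DNSKEY NSEC3PARAM
"""

# Fields after the type: hash algorithm, flags, iterations, salt (hex or "-").
NSEC3PARAM_RE = re.compile(r"^\S+\s+\d+\s+IN\s+NSEC3PARAM\s+(\d+)\s+\d+\s+(\d+)\s+(\S+)$", re.I)
NSEC3_RE = re.compile(r"^\S+\s+\d+\s+IN\s+NSEC3\s+(\d+)\s+\d+\s+(\d+)\s+(\S+)\s", re.I)

def _triple(m):
    """Normalise a regex match to (algorithm, iterations, salt-hex)."""
    salt = m.group(3).upper()
    return int(m.group(1)), int(m.group(2)), "" if salt == "-" else salt

def parse_zone(text):
    """Return the NSEC3PARAM triples found and the set of triples used by NSEC3 RRs."""
    params, chains = [], set()
    for line in text.splitlines():
        m = NSEC3PARAM_RE.match(line)
        if m:
            params.append(_triple(m))
            continue
        m = NSEC3_RE.match(line)
        if m:
            chains.add(_triple(m))
    return params, chains

def check_nsec3param(text, policy=(1, 5, 8)):
    """List findings for a signed zone; empty means consistent. policy is
    (hash algorithm, iterations, salt bytes) as in the kasp.xml above."""
    alg, iters, salt_bytes = policy
    params, chains = parse_zone(text)
    findings = []
    if len(params) != 1:
        findings.append(f"expected exactly one NSEC3PARAM at the apex, found {len(params)}")
    for p_alg, p_iter, salt in params:
        if (p_alg, p_iter) != (alg, iters) or len(salt) != 2 * salt_bytes:
            findings.append(f"NSEC3PARAM {p_alg} {p_iter} {salt or '-'} does not match policy")
        if chains and (p_alg, p_iter, salt) not in chains:
            findings.append(f"NSEC3PARAM salt {salt or '-'} has no NSEC3 chain (stale?)")
    return findings
```

Running check_nsec3param on the real signed file after each 15-minute resalt turns the report's symptom into something a monitoring job can flag.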