Paul Wouters
2009-Jul-04 02:38 UTC
[nsd-users] zones with a DS record without corresponding NS records
Hi,

I just ran into a little bug where I had a zone that contained a DS record for a delegation, but mistakenly did not include any NS records for that delegation.

ldns-read-zone sees no problem with this zone and nsd zonec compiler compiled this zone without an error. I guess zonec does not perform any checks, but ldns-read-zone should probably throw an error.

Bind's named-checkzone passed the zone as valid, however bind's dnssec-signzone refused to sign this zone.

I'm not sure what the proper behaviour should be in this case. Though I would prefer that named-checkzone would not OK anything that dnssec-signzone refuses to sign.

Paul
Matthijs Mekking
2009-Jul-06 09:37 UTC
[nsd-users] zones with a DS record without corresponding NS records
Paul Wouters wrote:
> Hi,
>
> I just ran into a little bug where I had a zone that contained a DS
> record for a delegation, but mistakenly did not include any NS records
> for that delegation.
>
> ldns-read-zone sees no problem with this zone and nsd zonec compiler
> compiled this zone without an error. I guess zonec does not perform any
> checks, but ldns-read-zone should probably throw an error.

zonec is indeed not smart enough to detect this mismatch. It works on a garbage in, garbage out basis. I think ldns-verify-zone should cover this, not ldns-read-zone.

> Bind's named-checkzone passed the zone as valid, however bind's
> dnssec-signzone refused to sign this zone.
>
> I'm not sure what the proper behaviour should be in this case. Though
> I would prefer that named-checkzone would not OK anything that
> dnssec-signzone refuses to sign.

+1

> Paul
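The mismatch discussed in this thread (a DS RRset at a delegation point with no NS RRset beside it) can be caught with a small pre-signing check. The following is an added example, not code from either poster or from the NSD, ldns or BIND projects; the zone contents, the function names and the simplified zone-file syntax (one record per line, explicit owner, numeric TTL) are assumptions made for illustration.

```python
# Constructed sample zone: "signed" is a correct secure delegation,
# "broken" has a DS record but its NS records were forgotten.
SAMPLE_ZONE = """\
$ORIGIN example.com.
@        3600 IN SOA ns1 hostmaster 2009070401 7200 3600 1209600 3600
@        3600 IN NS  ns1
ns1      3600 IN A   192.0.2.1
signed   3600 IN NS  ns.signed
signed   3600 IN DS  12345 5 1 0123456789abcdef0123456789abcdef01234567
broken   3600 IN DS  54321 5 1 89abcdef0123456789abcdef0123456789abcdef
"""

CLASSES = {"IN", "CH", "HS"}

def absolute(name, origin):
    """Return the lower-cased fully qualified form of an owner name."""
    if name == "@":
        return origin.lower()
    return (name if name.endswith(".") else f"{name}.{origin.lstrip('.')}").lower()

def types_by_owner(zone_text):
    """Map owner name -> set of RR types. Assumes one record per line with an
    explicit owner and numeric TTL (no parentheses, no inherited owners)."""
    origin, owners = ".", {}
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()
        if not fields:
            continue
        if fields[0].upper() == "$ORIGIN":
            origin = fields[1]
            continue
        if fields[0].startswith("$"):
            continue  # $TTL and other directives carry no records
        # Skip the optional TTL and class to find the type mnemonic.
        rtype = next((f.upper() for f in fields[1:4]
                      if not f.isdigit() and f.upper() not in CLASSES), None)
        if rtype:
            owners.setdefault(absolute(fields[0], origin), set()).add(rtype)
    return owners

def ds_without_ns(zone_text):
    """Return sorted owner names that hold a DS RRset but no NS RRset."""
    return sorted(o for o, t in types_by_owner(zone_text).items()
                  if "DS" in t and "NS" not in t)

if __name__ == "__main__":
    for owner in ds_without_ns(SAMPLE_ZONE):
        print(f"{owner}: DS present but no NS records at this delegation")
```

Running a check like this before the signing step surfaces the error at the same point where dnssec-signzone would refuse the zone, rather than after a compiler that accepts it.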