[ldns-users] LDNS and opt-out NSEC3 validation

Willem Toorop Willem at NLnetLabs.nl
Tue Apr 24 21:35:44 UTC 2012


Hi John,

The issue is now fixed (as of revision 3668) in trunk and will be in the
next ldns release (1.6.13).

Thanks again,

-- Willem

On 24-04-12 22:30, Willem Toorop wrote:
> Hi John,
> 
> I just had a look at it, and it looks like the second paragraph of
> section 8.6 of rfc5155 (dealing with Opt-Out NSEC3's for DS's) is not
> (yet) implemented! I will dive into it and let you know when it is
> implemented in trunk.
> Thanks for finding this shortcoming.
> 
> Willem
> 
> 
> 
> On 23-04-12 19:02, John Barnitz wrote:
>> I am using LDNS to query the net zone for a DS record of a domain,
>> for example, sample.net. The net zone is opt-out, so I get back NSEC3
>> records and NOERROR. I am using ldns_dnssec_verify_denial_nsec3 to
>> validate the response. I always get back
>> LDNS_STATUS_DNSSEC_NSEC_RR_NOT_COVERED as a result code. Can anyone
>> help me determine what is wrong, or is there a different function I
>> should be using? Let me know if you need any more information.
>>
>> Thanks,
>> John Barnitz
> _______________________________________________
> ldns-users mailing list
> ldns-users at open.nlnetlabs.nl
> http://open.nlnetlabs.nl/mailman/listinfo/ldns-users
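
The check from the second paragraph of RFC 5155 section 8.6 that this thread is about, as an added example that is not part of the original messages and is not ldns code. The function names, the dict layout for NSEC3 records and the sample records are assumptions made for illustration; RRSIG verification and type-bitmap checks are assumed to happen elsewhere.

```python
import hashlib

def wire(name):
    """Canonical (lowercased) DNS wire format of an absolute name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_hash(name, salt=b"", iterations=0):
    """RFC 5155 section 5 hash with SHA-1, as 20 raw bytes."""
    digest = hashlib.sha1(wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return digest

def covers(rr, h):
    """True if h lies strictly between rr's owner hash and next hash."""
    if rr["owner"] < rr["next"]:
        return rr["owner"] < h < rr["next"]
    return h > rr["owner"] or h < rr["next"]  # last NSEC3 wraps around

def ds_optout_denial(qname, nsec3s, salt=b"", iterations=0):
    """Second paragraph of RFC 5155 section 8.6: no NSEC3 matches qname, so
    require a closest encloser whose next closer name is covered by an
    NSEC3 with the Opt-Out flag set. Signatures are assumed verified."""
    labels = qname.rstrip(".").split(".")
    if any(rr["owner"] == nsec3_hash(qname, salt, iterations) for rr in nsec3s):
        return False  # a matching NSEC3 exists: the first paragraph applies
    for i in range(1, len(labels) + 1):  # ancestors, longest first
        encloser = ".".join(labels[i:]) + "."
        h = nsec3_hash(encloser, salt, iterations)
        if any(rr["owner"] == h for rr in nsec3s):
            nh = nsec3_hash(".".join(labels[i - 1:]) + ".", salt, iterations)
            return any(covers(rr, nh) and rr["opt_out"] for rr in nsec3s)
    return False  # no provable closest encloser

def constructed_records(opt_out):
    """Constructed NSEC3 set for a sample.net. DS query (not real zone data)."""
    m = int.from_bytes(nsec3_hash("net."), "big")
    n = int.from_bytes(nsec3_hash("sample.net."), "big")
    b = lambda x: x.to_bytes(20, "big")
    return [
        {"owner": b(m), "next": b(m + 1), "opt_out": opt_out},      # matches net.
        {"owner": b(n - 1), "next": b(n + 1), "opt_out": opt_out},  # covers sample.net.
    ]

if __name__ == "__main__":
    print(ds_optout_denial("sample.net.", constructed_records(True)))   # True
    print(ds_optout_denial("sample.net.", constructed_records(False)))  # False
```

With the Opt-Out flag cleared on the covering NSEC3, the same records no longer prove that an insecure delegation may exist, so the denial is rejected.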


