[ldns-users] ldns-signzone -p generates invalid NSEC3PARAM

Peter van Dijk peter.van.dijk at netherlabs.nl
Fri Mar 2 10:05:37 UTC 2012


Hello,

ldns-signzone currently sets flags=1 in NSEC3PARAM generation, when NSEC3 (the -p flag) is enabled.
The issue is that RFC5155 does not count bits in the same direction as ldns_set_bit.

This patch is one way of fixing it; another could be to change ldns_set_bit (it is not used in that many places).

diff --git a/dnssec_sign.c b/dnssec_sign.c
index 1d283bc..6c27682 100644
--- a/dnssec_sign.c
+++ b/dnssec_sign.c
@@ -1280,7 +1280,7 @@ ldns_dnssec_zone_sign_nsec3_flg_mkmap(ldns_dnssec_zone *zone,
                                                                         salt);
                                /* always set bit 7 of the flags to zero, according to
                                 * rfc5155 section 11 */
-                               ldns_set_bit(ldns_rdf_data(ldns_rr_rdf(nsec3param, 1)), 7, 0);
+                               ldns_set_bit(ldns_rdf_data(ldns_rr_rdf(nsec3param, 1)), 0, 0);
                                result = ldns_dnssec_zone_add_rr(zone, nsec3param);
                                if (result != LDNS_STATUS_OK) {
                                        return result;
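Review bot: the comment two lines above the changed call still reads "always set bit 7 of the flags to zero", while the call now passes index 0, so a reader of the code alone will take one of the two for a typo. Suggest rewording the comment to state the convention the email explains, e.g. `/* RFC 5155 numbers the Flags field MSB-first, so its bit 7 (Opt-Out) is index 0 for ldns_set_bit; always clear it (rfc5155 section 11) */`. Fixing the call site rather than ldns_set_bit, as this patch does, is also the safer of the two options the email offers, since flipping ldns_set_bit's direction would silently change every other caller. A small regression check that a zone signed with -p produces an NSEC3PARAM flags byte of 0 would keep this from regressing.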


Kind regards,
Peter van Dijk
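The bit-numbering mismatch the email describes, worked through as an added example (this is not code from the email or from ldns). It assumes the semantics the patch attributes to ldns_set_bit, namely that index 0 is the least significant bit, and reimplements that locally; RFC 5155 draws the Flags field MSB-first, so its bit 7, the Opt-Out flag, is wire value 0x01. The helper names are invented for illustration.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Local stand-in for ldns_set_bit with the semantics the patch implies:
 * bit_nr 0 is the least significant bit. Illustrative only, not ldns code. */
static void lsb_set_bit(uint8_t *byte, int bit_nr, bool value)
{
    if (bit_nr < 0 || bit_nr > 7)
        return;
    if (value)
        *byte |= (uint8_t)(1u << bit_nr);
    else
        *byte &= (uint8_t)~(1u << bit_nr);
}

/* RFC 5155 numbers the Flags field MSB-first: bit 0 is the most significant
 * bit, bit 7 (Opt-Out) the least significant. Convert to LSB-first index. */
static int rfc_bit_to_lsb_index(int rfc_bit_nr)
{
    return 7 - rfc_bit_nr;
}

/* Set or clear a flag addressed by its RFC 5155 bit number. */
static void rfc_set_bit(uint8_t *byte, int rfc_bit_nr, bool value)
{
    if (rfc_bit_nr < 0 || rfc_bit_nr > 7)
        return;
    lsb_set_bit(byte, rfc_bit_to_lsb_index(rfc_bit_nr), value);
}

#define NSEC3_OPTOUT_WIRE 0x01 /* RFC 5155 bit 7 as it appears on the wire */

/* Check the one property the patch is after: Opt-Out is clear in NSEC3PARAM. */
static bool nsec3param_optout_clear(uint8_t flags)
{
    return (flags & NSEC3_OPTOUT_WIRE) == 0;
}

/* The pre-patch behaviour: clearing "bit 7" with LSB-first numbering touches
 * the top bit and leaves the Opt-Out bit (flags == 1) untouched. */
static uint8_t buggy_clear(uint8_t flags)
{
    lsb_set_bit(&flags, 7, false);
    return flags;
}

/* The post-patch behaviour: RFC bit 7 maps to index 0 and is actually cleared. */
static uint8_t fixed_clear(uint8_t flags)
{
    rfc_set_bit(&flags, 7, false);
    return flags;
}

int main(void)
{
    uint8_t generated = 0x01; /* constructed: the flags byte ldns-signzone -p emitted */
    printf("buggy: flags=%u optout_clear=%d\n",
           buggy_clear(generated), nsec3param_optout_clear(buggy_clear(generated)));
    printf("fixed: flags=%u optout_clear=%d\n",
           fixed_clear(generated), nsec3param_optout_clear(fixed_clear(generated)));
    return 0;
}
```

The point to take away is that a bit index is only meaningful together with its direction; when an RFC diagram and a helper function disagree, convert at the boundary (as rfc_set_bit does) or document the convention at every call site, so a correct-looking literal like 7 does not silently address the wrong bit.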
