[ldns-users] ldns-signzone -p generates invalid NSEC3PARAM
Willem Toorop
Willem at NLnetLabs.nl
Fri Mar 2 12:46:48 UTC 2012
Absolutely!
Thanks for finding this bug. Committed in the subversion trunk.
-- Willem
On 02-03-12 11:05, Peter van Dijk wrote:
> Hello,
>
> ldns-signzone currently sets flags=1 in NSEC3PARAM generation, when NSEC3 (the -p flag) is enabled.
> The issue is that RFC5155 does not count bits in the same direction as ldns_set_bit.
>
> This patch is one way of fixing it; another could be to change ldns_set_bit (it is not used in that many places).
>
> diff --git a/dnssec_sign.c b/dnssec_sign.c
> index 1d283bc..6c27682 100644
> --- a/dnssec_sign.c
> +++ b/dnssec_sign.c
> @@ -1280,7 +1280,7 @@ ldns_dnssec_zone_sign_nsec3_flg_mkmap(ldns_dnssec_zone *zone,
> salt);
> /* always set bit 7 of the flags to zero, according to
> * rfc5155 section 11 */
> - ldns_set_bit(ldns_rdf_data(ldns_rr_rdf(nsec3param, 1)), 7, 0);
> + ldns_set_bit(ldns_rdf_data(ldns_rr_rdf(nsec3param, 1)), 0, 0);
> result = ldns_dnssec_zone_add_rr(zone, nsec3param);
> if (result != LDNS_STATUS_OK) {
> return result;
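Review bot: the comment directly above the changed call still reads "always set bit 7 of the flags to zero" while the call now passes index 0, so comment and code appear to contradict each other. Reword the comment to state that RFC 5155 counts bits in the opposite direction to ldns_set_bit, so the RFC's bit 7 is index 0 in this call; without that, a later reader is likely to change it back to 7. The message also mentions changing ldns_set_bit itself as an alternative; since that would change behaviour for its other callers, keeping the fix local with an explanatory comment is the narrower option.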
>
>
> Kind regards,
> Peter van Dijk
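The bit-numbering mismatch described in the thread, as an added example that is not part of the original messages and not ldns code. The helper names and the sample RDATA are constructed; `clear_bit_lsb_first` is an assumed model of a setter that counts from the least significant bit, which is the direction the report implies for `ldns_set_bit`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: model of a setter that counts bits from the least significant
 * end (bit 0 = 0x01), the direction the thread implies for ldns_set_bit. */
static uint8_t clear_bit_lsb_first(uint8_t byte, int bit_nr)
{
    return (uint8_t)(byte & ~(1u << bit_nr));
}

/* RFC 5155 counts from the most significant end (bit 0 = 0x80), so the
 * Opt-Out flag, "bit 7", is the value 0x01. */
static uint8_t clear_bit_rfc5155(uint8_t byte, int bit_nr)
{
    return (uint8_t)(byte & ~(0x80u >> bit_nr));
}

/* NSEC3PARAM RDATA: hash alg (1) | flags (1) | iterations (2) |
 * salt length (1) | salt. Returns 0 if well-formed with flags == 0,
 * -1 if truncated or the salt length disagrees, -2 if any flag is set. */
int nsec3param_check(const uint8_t *rdata, size_t len)
{
    if (len < 5 || (size_t)rdata[4] + 5 != len)
        return -1;
    return rdata[1] == 0 ? 0 : -2;
}

/* Constructed sample: SHA-1, flags=1 (as in the report), 10 iterations,
 * 4-byte salt. Clears bit_nr LSB-first, then validates the record. */
int check_after_lsb_clear(int bit_nr)
{
    uint8_t rdata[] = { 0x01, 0x01, 0x00, 0x0a, 0x04, 0xde, 0xad, 0xbe, 0xef };
    rdata[1] = clear_bit_lsb_first(rdata[1], bit_nr);
    return nsec3param_check(rdata, sizeof rdata);
}

int main(void)
{
    printf("index 7, LSB-first: %d\n", check_after_lsb_clear(7));
    printf("index 0, LSB-first: %d\n", check_after_lsb_clear(0));
    printf("RFC bit 7 cleared:  0x%02x\n", clear_bit_rfc5155(0x01, 7));
    return 0;
}
```

A check like `nsec3param_check` can be run over the NSEC3PARAM record of a freshly signed zone as a regression test for this bug.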