[ldns-users] ldns-signzone -p generates invalid NSEC3PARAM

Willem Toorop Willem at NLnetLabs.nl
Fri Mar 2 12:46:48 UTC 2012


Absolutely!

Thanks for finding this bug. Committed in the subversion trunk.

-- Willem

On 02-03-12 11:05, Peter van Dijk wrote:
> Hello,
> 
> ldns-signzone currently sets flags=1 in NSEC3PARAM generation, when NSEC3 (the -p flag) is enabled.
> The issue is that RFC5155 does not count bits in the same direction as ldns_set_bit.
> 
> This patch is one way of fixing it; another could be to change ldns_set_bit (it is not used in that many places).
> 
> diff --git a/dnssec_sign.c b/dnssec_sign.c
> index 1d283bc..6c27682 100644
> --- a/dnssec_sign.c
> +++ b/dnssec_sign.c
> @@ -1280,7 +1280,7 @@ ldns_dnssec_zone_sign_nsec3_flg_mkmap(ldns_dnssec_zone *zone,
>                                                                          salt);
>                                 /* always set bit 7 of the flags to zero, according to
>                                  * rfc5155 section 11 */
> -                               ldns_set_bit(ldns_rdf_data(ldns_rr_rdf(nsec3param, 1)), 7, 0);
> +                               ldns_set_bit(ldns_rdf_data(ldns_rr_rdf(nsec3param, 1)), 0, 0);
>                                 result = ldns_dnssec_zone_add_rr(zone, nsec3param);
>                                 if (result != LDNS_STATUS_OK) {
>                                         return result;
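Review bot: The comment two lines above the changed call still reads "always set bit 7 of the flags to zero" while the call now passes index 0, so the hunk leaves a comment/code mismatch that invites the next reader to "fix" it back to 7. Suggest updating the comment to record the numbering difference described above, for example `/* RFC 5155 section 11 numbers the Opt-Out flag as bit 7 (the least significant bit); ldns_set_bit counts from the opposite end, so index 0 clears it */`. Since the intent is to clear the least significant bit of the Flags octet (the bit that surfaced as flags=1), an explicit mask on that octet would also make the code independent of ldns_set_bit's numbering; if the other option mentioned, changing ldns_set_bit itself, is taken instead, every other caller of ldns_set_bit needs the same review.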
> 
> 
> Kind regards,
> Peter van Dijk
> _______________________________________________
> ldns-users mailing list
> ldns-users at open.nlnetlabs.nl
> http://open.nlnetlabs.nl/mailman/listinfo/ldns-users
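The bit-numbering mismatch described in the report, as an added illustration (this is not ldns code and not the author's patch): RFC 5155 numbers the Flags octet from the most significant bit (bit 0) to the least significant (bit 7, the Opt-Out flag), while an LSB-first helper numbers them the other way. The `lsb_first_set_bit` function below is a hypothetical model of the opposite-direction behaviour the report attributes to ldns_set_bit, not its actual implementation; the starting flags value 0x01 and the NSEC3PARAM RDATA bytes are constructed to reproduce the reported flags=1 output. The check `nsec3param_rdata_flags_ok` is the kind of validation a zone-publishing pipeline can run on its own output.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* RFC 5155 numbering: bit 0 is the most significant bit of the octet,
 * bit 7 the least significant (the Opt-Out flag). */
static void rfc5155_set_bit(uint8_t *octet, int bit_nr, bool value)
{
    if (bit_nr < 0 || bit_nr > 7)
        return;
    uint8_t mask = (uint8_t)(0x80u >> bit_nr);
    if (value)
        *octet |= mask;
    else
        *octet &= (uint8_t)~mask;
}

/* Hypothetical LSB-first numbering (bit 0 is the least significant bit).
 * This models the "other direction" mentioned in the report; it is NOT
 * the ldns_set_bit implementation. */
static void lsb_first_set_bit(uint8_t *octet, int bit_nr, bool value)
{
    if (bit_nr < 0 || bit_nr > 7)
        return;
    uint8_t mask = (uint8_t)(1u << bit_nr);
    if (value)
        *octet |= mask;
    else
        *octet &= (uint8_t)~mask;
}

/* Start from a Flags octet with the Opt-Out bit set (constructed: 0x01 is
 * the value the report observed), clear "bit 7" with the given convention
 * and return what ends up in the record. */
static uint8_t clear_optout_with(void (*setbit)(uint8_t *, int, bool),
                                 uint8_t start, int bit_nr)
{
    uint8_t flags = start;
    setbit(&flags, bit_nr, false);
    return flags;
}

/* NSEC3PARAM RDATA layout: hash alg (1), flags (1), iterations (2),
 * salt length (1), salt. Per RFC 5155 the Flags octet of an NSEC3PARAM
 * record must be zero; this checks a wire-format RDATA buffer. */
static bool nsec3param_rdata_flags_ok(const uint8_t *rdata, size_t len)
{
    if (rdata == NULL || len < 5)
        return false;               /* too short to be a valid NSEC3PARAM */
    size_t salt_len = rdata[4];
    if (len != 5 + salt_len)
        return false;               /* salt length field disagrees with size */
    return rdata[1] == 0;
}

int main(void)
{
    /* Constructed NSEC3PARAM RDATA: SHA-1, flags=1, 10 iterations, no salt */
    const uint8_t bad[] = { 0x01, 0x01, 0x00, 0x0a, 0x00 };
    const uint8_t good[] = { 0x01, 0x00, 0x00, 0x0a, 0x00 };

    printf("LSB-first, clear index 7: flags=%u (bug reproduced)\n",
           clear_optout_with(lsb_first_set_bit, 0x01, 7));
    printf("LSB-first, clear index 0: flags=%u (the patch)\n",
           clear_optout_with(lsb_first_set_bit, 0x01, 0));
    printf("RFC 5155,  clear bit 7:   flags=%u\n",
           clear_optout_with(rfc5155_set_bit, 0x01, 7));
    printf("constructed RDATA with flags=1 valid? %s\n",
           nsec3param_rdata_flags_ok(bad, sizeof bad) ? "yes" : "no");
    printf("constructed RDATA with flags=0 valid? %s\n",
           nsec3param_rdata_flags_ok(good, sizeof good) ? "yes" : "no");
    return 0;
}
```

The two helpers differ only in which end of the octet "bit 0" names, which is exactly why a comment that says "bit 7" next to a call passing 0 needs to spell out the convention in use.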
