[ldns-users] [validns-users] just started with validns - few problems
Willem Toorop
willem at nlnetlabs.nl
Wed Feb 26 09:45:44 UTC 2014
On 25-02-14 17:46, Paul Wouters wrote:
> Although validns should probably also warn about nameservers being
> within the zone but not having an A/AAAA record. In this case, it is
> even true for _all_ nameservers so the zone is basically dead.
>
> ldns-verify-zone also does not complain about that. It should.
Roger.
>> Running ldns-verify-zone on the same zone:
>>
>> ldns-verify-zone test.org.zone.signed.bad
>> Error: no signatures for test.org. NSEC3PARAM
>> There were errors in the zone
>
> I guess one could argue about whether NSEC3PARAM should be signed or
> not. IMHO, it should not even be in the zone at all, it's a bind/isc hack
> that made it into an RFC :P Perhaps ldns-verify-zone should not give
> an error for that? Although I wonder which signers actually skip signing
> the NSEC3PARAM record. That's a bind signer thing as isc.org's nsec3param
> also seems to miss the RRSIG record for NSEC3PARAM.
Hmmm... food for thought. I'll discuss/look into it.
> However, ldns-verify-zone does give a bad error when running on the
> SOA-less zone:
>
> ~> ldns-verify-zone /tmp/test.org.zone.bad
> General memory error at 19
Ouch! That I've fixed immediately:
http://git.nlnetlabs.nl/ldns/commit/?h=develop&id=8c25800e
> So I've CC:ed the ldns list on this :)
Thanks!
-- Willem
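
The check discussed in this message (NS targets that lie inside the zone but own no A/AAAA record), as an added example that is not part of the original message and is not ldns or validns code. It assumes simplified one-record-per-line zone text; the function names and the sample zone are constructed for illustration.

```python
# Added example: simplified zone-text check, not ldns or validns code.
ADDRESS_TYPES = {"A", "AAAA"}

def fqdn(name, origin):
    """Return a lower-case absolute name, expanding '@' and relative names."""
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_records(zone_text, origin):
    """Yield (owner, rtype, rdata) from one-record-per-line zone text.

    Assumption: every line has an explicit owner name, numeric TTLs, class IN,
    and no parentheses or $ORIGIN/$INCLUDE directives.
    """
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop comments
        if len(fields) < 3 or fields[0].startswith("$"):
            continue
        owner, rest = fqdn(fields[0], origin), fields[1:]
        # Skip the optional TTL and class fields that precede the type.
        while rest and (rest[0].isdigit() or rest[0].upper() == "IN"):
            rest = rest[1:]
        if len(rest) >= 2:
            yield owner, rest[0].upper(), rest[1:]

def in_zone_ns_without_address(zone_text, origin):
    """Return sorted in-zone NS targets that own no A or AAAA record."""
    origin = origin.lower()
    records = list(parse_records(zone_text, origin))
    with_address = {o for o, t, _ in records if t in ADDRESS_TYPES}
    targets = {fqdn(r[0], origin) for _, t, r in records if t == "NS"}
    in_zone = {t for t in targets if t == origin or t.endswith("." + origin)}
    return sorted(in_zone - with_address)

# Constructed sample: ns1 has an address, ns2 does not, ns.example.net. is out of zone.
SAMPLE_ZONE = """\
test.org.      3600 IN SOA ns1.test.org. hostmaster.test.org. 1 7200 3600 1209600 3600
test.org.      3600 IN NS  ns1.test.org.
test.org.      3600 IN NS  ns2
@              3600 IN NS  ns.example.net.
ns1.test.org.  3600 IN A   192.0.2.1
www            3600 IN A   192.0.2.80
"""

if __name__ == "__main__":
    for name in in_zone_ns_without_address(SAMPLE_ZONE, "test.org."):
        print(f"warning: NS target {name} is in the zone but has no A/AAAA record")
```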