[ldns-users] [validns-users] just started with validns - few problems

Willem Toorop willem at nlnetlabs.nl
Wed Feb 26 09:45:44 UTC 2014

op 25-02-14 17:46, Paul Wouters schreef:
> Although validns should probably also warn about nameservers being
> within the zone but not have an A/AAAA record. In this case, it is
> even true for _all_ nameservers so the zone is basically dead.
> ldns-verify-zone also does not complain about that. It should.


>> Running ldns-verify-zone on the same zone:
>> ldns-verify-zone test.org.zone.signed.bad
>> Error: no signatures for test.org.      NSEC3PARAM
>> There were errors in the zone
> I guess one could argue about whether NSEC3PARAM should be signed or
> not. IMHO, it should not even be in the zone at all, its a bind/isc hack
> that made it into an RFC :P Perhaps ldns-verify-zone should not give
> an error for that? Although I wonder which signers actually skip signing
> the NSEC3PARAM record. That a bind signer thing as isc.org's nsec3param
> also seems to miss the RRSIG record for NSEC3PARAM.

Hmmm... food for thought.  I'll discuss/look into it.

> However, ldns-verify-zone does give a bad error when running on the
> SOA-less zone:
> ~> ldns-verify-zone /tmp/test.org.zone.bad General memory error at 19

Ouch! That I've fixed immediately:

> So I've CC:ed the ldns list on this :)


-- Willem

More information about the ldns-users mailing list