trouble with dnssec signed zone on secondary.
ted at NLnetLabs.nl
Thu Jan 6 08:51:31 UTC 2005
[Quoting =?ISO-8859-1?Q?M=E5ns_Nilsson?=, on Jan 6, 2:13, in "trouble with dnssec ..."]
> This is only somewhat related to nsd, but someone else must have hit it.=20
> I am having trouble AXFRing a signed zone -- named-xfer v.latest does not
> recognise the file format and writes a zone file that zonec barfs on.=20
Yes, this is a known problem of BIND-8.
There is a fix (appended) to prevent the BIND-8 named-xfer writing
out a zonefile with syntax errors, but this will still not produce
the correct DNSSEC zonefile, because BIND-8 does not understand the
special handling of the DS.
We have an NSD version of named-xfer, but it is not yet released (it
will soon be after quality assurance checks).
PS. the reply from Mark Andrews on my bug report containing a ix.
Subject: Re: [ISC-Bugs #12674] AXFR error: failure on ignoring multiple line RRs
From: "Mark Andrews via RT" <bind8-bugs at isc.org>
Reply-To: bind8-bugs at isc.org
In-Reply-To: <rt-12674 at ISC-Bugs>
RT-Ticket: ISC-Bugs #12674
Managed-by: RT 2.0.15 (http://bestpractical.com/rt/)
RT-Originator: Mark_Andrews at isc.org
To: ted at NLnetLabs.nl
Date: Thu, 30 Sep 2004 00:48:42 +0000 (UTC)
> (Jakob Schlyter is Cc-ed because of his work on
> interoperability after the typecode rollover).
Firstly one really shouldn't attempt to use DNSSECbis
unless *all* the servers for the zone are DNSSECbis aware.
I'm tempted to leave this here just so that the zone transfer
That being said I feel the following patch is cleaner.
RCS file: /proj/cvs/prod/bind8/src/bin/named-xfer/named-xfer.c,v
retrieving revision 8.144
diff -u -r8.144 named-xfer.c
--- named-xfer.c 27 Aug 2004 00:23:16 -0000 8.144
+++ named-xfer.c 30 Sep 2004 00:40:10 -0000
@@ -3087,6 +3087,8 @@
fputs(" ( ", dbfp);
isc_puthexstring(dbfp, cp1, n,
(longname ? 28 : 40), 48,
+ (ignore == ';') ?
+ "\n;\t\t\t\t" :
fputs(" )\n", dbfp);
More information about the nsd-users