[nsd-users] zones with a DS record without corresponding NS records
Matthijs Mekking
matthijs at NLnetLabs.nl
Mon Jul 6 09:37:52 UTC 2009
Paul Wouters wrote:
>
> Hi,
>
> I just ran into a little bug where I had a zone that contained a DS
> record for a delegation, but mistakenly did not include any NS records
> for that delegation.
>
> ldns-read-zone sees no problem with this zone and nsd's zonec compiler
> compiled this zone without an error. I guess zonec does not perform any
> checks, but ldns-read-zone should probably throw an error.
zonec is indeed not smart enough to detect this mismatch. It works on a
garbage in, garbage out basis. I think ldns-verify-zone should cover
this, not ldns-read-zone.
>
> Bind's named-checkzone passed the zone as valid, however bind's
> dnssec-signzone refused to sign this zone.
>
> I'm not sure what the proper behaviour should be in this case. Though
> I would prefer that named-checkzone would not OK anything that
> dnssec-signzone refuses to sign.
+1
>
> Paul
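The mismatch discussed in this thread (a DS RRset at a name that has no NS RRset, so the "delegation" it is supposed to secure does not exist) is easy to check before signing or loading a zone. The following is an added example written for this page, not code from ldns, NSD or BIND: a small master-file reader that records which RR types appear at each owner name and then reports DS records without an NS RRset at the same name, plus the related mistake of a DS at the zone apex. The zone text and names (`example.`, `child`, `sub`) are constructed sample data; the parser handles the common subset of zone-file syntax ($ORIGIN, relative names, blank owners, parenthesised SOA) and does not interpret rdata.

```python
"""Flag DS RRsets that do not sit at a delegation point (no NS RRset at that name)."""
from collections import defaultdict

CLASSES = {"IN", "CH", "HS"}

# Constructed sample zone: "child" has a DS but no NS records, "sub" is a proper
# secure delegation.  The DS digests are made-up hex, not real key digests.
SAMPLE_ZONE = """\
$ORIGIN example.
$TTL 3600
@        IN SOA  ns1 hostmaster ( 2009070601 7200 900 1209600 3600 )
         IN NS   ns1
ns1      IN A    192.0.2.1
child    IN DS   12345 8 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
sub      IN NS   ns1.sub
         IN DS   23456 8 2 FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210
ns1.sub  IN A    192.0.2.2
"""


def _canonical(name, origin):
    """Turn an owner name as written in the file into an absolute, lower-cased name."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name.lower()
    return f"{name}.{origin}".lower()          # origin always ends with "."


def _logical_lines(text):
    """Strip ';' comments and join physical lines while parentheses are open."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth <= 0:
            yield " ".join(buf)                 # keeps the first line's leading blank
            buf, depth = [], 0


def parse_zone(text, origin="."):
    """Return {owner name: set of RR types present} for a master-file zone."""
    types = defaultdict(set)
    last_owner = None
    for line in _logical_lines(text):
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].lower()
            if not origin.endswith("."):
                origin += "."
            continue
        if line.startswith("$"):                # $TTL, $INCLUDE: irrelevant here
            continue
        fields = line.split()
        if line[0].isspace():                   # blank owner: reuse the previous one
            owner = last_owner
        else:
            owner = _canonical(fields.pop(0), origin)
        if owner is None:
            raise ValueError(f"record without an owner name: {line!r}")
        # skip the optional TTL and class fields to reach the RR type
        while fields and (fields[0].isdigit() or fields[0].upper() in CLASSES):
            fields.pop(0)
        if not fields:
            raise ValueError(f"no RR type on line: {line!r}")
        types[owner].add(fields[0].upper())
        last_owner = owner
    return dict(types)


def check_ds(text, origin="."):
    """Return [(name, problem)] for every DS RRset that is not at a delegation."""
    types = parse_zone(text, origin)
    apex = next((n for n, t in types.items() if "SOA" in t), None)
    problems = []
    for name in sorted(types):
        if "DS" not in types[name]:
            continue
        if name == apex:
            problems.append((name, "DS at zone apex (a DS belongs in the parent zone)"))
        elif "NS" not in types[name]:
            problems.append((name, "DS without NS RRset (no delegation at this name)"))
    return problems


if __name__ == "__main__":
    for name, problem in check_ds(SAMPLE_ZONE):
        print(f"{name}: {problem}")
```

Run against the sample, the check reports only `child.example.`; adding `child IN NS ns1.child` makes the zone clean. A check like this is cheap to wire into a zone deployment pipeline ahead of the signer, which is the point of the thread: a checker should reject what the signer will refuse.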