[nsd-users] zones with a DS record without corresponding NS records

Matthijs Mekking matthijs at NLnetLabs.nl
Mon Jul 6 09:37:52 UTC 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Paul Wouters wrote:
> 
> Hi,
> 
> I just ran into a little bug where I had a zone that contained a DS
> record for a delegation, but mistakenly did not include any NS records
> for that delegation.
> 
> ldns-read-zone sees no problem with this zone and nsd zonec compiler
> compiled this zone without an error. I guess zonec does not perform any
> checks, but ldns-read-zone should probably throw an error.

zonec is indeed not smart enough to detect this mismatch. It works on a
garbage in, garbage out basis. I think ldns-verify-zone should cover
this, not ldns-read-zone.

> 
> Bind's named-checkzone passed the zone as valid, however bind's
> dnssec-signzone refused to sign this zone.
> 
> I'm not sure what the proper behaviour should be in this case. Though
> I would prefer that named-checkzone would not OK anything that
> dnssec-signzone refuses to sign.

+1

> 
> Paul
> _______________________________________________
> nsd-users mailing list
> nsd-users at NLnetLabs.nl
> http://open.nlnetlabs.nl/mailman/listinfo/nsd-users

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQEcBAEBAgAGBQJKUcXtAAoJEA8yVCPsQCW5C3AH/3TR7AdHNN+gS6PI0ZwNSPBV
T7CnanYQd4ES9t1KRJUIyg1Mxplj1Swr/qiwzIUsGcdoI6jBiBxfsOtuN6LRxAJV
6MQWab+vZqVMRVXduZKZifvCqimxd9fr2zb0hB/yDIppR4mYA3IssFGNyUhDu24n
XB3L7Z28fNtNDoe2hhULDC6sPXUjPQVrYNgdhQyVXPLNkz/gn2f/vVtz3Q5YZI5g
eE3DzINwuNuv2Qf5zx0T0Sx2aCzjscoZq2rrDUBrn8mhHfCPKxfvOQpu5CQw/+kH
LVOOHA0PD2u6E6ylumYjjiLSoMWRMBHbCBmxM88AklK3Wcty9C91qEVq2hP5EVM=
=Qhf4
-----END PGP SIGNATURE-----
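The consistency check discussed in this thread, written out as an added example (it is not code from the thread, nor from NSD, ldns or BIND): walk a zone file, collect the RR types present at each owner name, and report every name that carries a DS RRset but no NS RRset, plus a DS at the zone apex (which belongs in the parent zone, not here). The zone parser is deliberately minimal and assumes one record per line with an optional TTL and class; multi-line parenthesised records and `$INCLUDE` are not supported. The sample zone, its names and its DS digest are constructed for the example.

```python
# Added example: detect DS RRsets that have no matching NS RRset (no delegation).
# Not code from the nsd-users thread or from NSD/ldns/BIND.

CLASSES = {"IN", "CH", "HS"}


def _absolute(name, origin):
    """Turn a zone-file owner name into a lower-case absolute name."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name.lower()
    return (name + "." + origin).lower()


def parse_zone(text, origin):
    """Return {owner: set(rr_types)} for a simple one-record-per-line zone.

    Handles $ORIGIN, $TTL (ignored), ';' comments, optional TTL/class fields
    and owner names omitted via leading whitespace.  Assumption: no
    parenthesised multi-line records.
    """
    if not origin.endswith("."):
        origin += "."
    origin = origin.lower()
    types_by_owner = {}
    last_owner = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()   # strip comments
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = _absolute(line.split()[1], origin)
            continue
        if line.startswith("$"):                 # $TTL and friends: ignore
            continue
        tokens = line.split()
        if raw[0] in " \t":                      # owner omitted -> previous owner
            if last_owner is None:
                raise ValueError("record without owner name: %r" % raw)
            owner = last_owner
        else:
            owner = _absolute(tokens.pop(0), origin)
        # Skip optional TTL (digits) and class; the next token is the RR type.
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in CLASSES):
            tokens.pop(0)
        if not tokens:
            raise ValueError("record without type: %r" % raw)
        types_by_owner.setdefault(owner, set()).add(tokens[0].upper())
        last_owner = owner
    return types_by_owner


def ds_without_ns(types_by_owner, origin):
    """List (owner, reason) for DS RRsets that do not sit at a delegation."""
    if not origin.endswith("."):
        origin += "."
    origin = origin.lower()
    problems = []
    for owner, types in sorted(types_by_owner.items()):
        if "DS" not in types:
            continue
        if owner == origin:
            problems.append((owner, "DS at zone apex (belongs in the parent zone)"))
        elif "NS" not in types:
            problems.append((owner, "DS without NS RRset"))
    return problems


def check_zone(text, origin):
    """Convenience wrapper: parse the zone text and run the DS/NS check."""
    return ds_without_ns(parse_zone(text, origin), origin)


# Constructed sample zone reproducing the mistake from the thread:
# 'bad' has a DS record but no NS records.  The DS digest is made up.
SAMPLE_ZONE = """\
$ORIGIN example.net.
$TTL 3600
@       IN SOA  ns1 hostmaster 2009070601 7200 3600 1209600 3600
        IN NS   ns1
ns1     IN A    192.0.2.1
good    IN NS   ns.good
good    IN DS   60485 5 1 2BB183AF5F22588179A53B0A98631FAD1A292118
bad     IN DS   60485 5 1 2BB183AF5F22588179A53B0A98631FAD1A292118  ; no NS!
"""

if __name__ == "__main__":
    for owner, reason in check_zone(SAMPLE_ZONE, "example.net."):
        print("%s: %s" % (owner, reason))
```

Running the script reports `bad.example.net.: DS without NS RRset` and nothing for `good`, which has both RRsets. A real zone checker would additionally want to look inside a delegation (a DS below a cut is equally wrong), which this example does not attempt.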
