CNAME and other data

Mark Andrews Mark_Andrews at isc.org
Sun Jan 30 23:52:58 UTC 2005


> -----BEGIN PGP SIGNED MESSAGE-----
> 
> 
> >>>>> "Mark" == Mark Andrews <Mark_Andrews at isc.org> writes:
>     >> There are *no* duplicates that I can find.  (It would be nice if
>     >> named would log what the conflict is)
> 
>     Mark> 	You are trying to load a DNSSEC zone (with a CNAME) on a
>     Mark> DNSSECbis server.
> 
>   Yes, agreed. i said that :-)
>   I would ask that maybe 9.2.x might be more clear about the reason for
> the failure to load.

	Well the only thing missing was the name with the offending
	data which is easily found by transfering the zone and running
	named-checkzone on it.

		dig sandelman.ca @205.150.200.254 > tmp
		named-checkzone sandelman.ca tmp

	In general "CNAME and other data" error should be picked up on the
	master.  DNSSECbis is special as it relaxed the rules.

	I suppose we could explictly check for RRSIG/NSEC in 9.2 issue a
	warning.
 
>   I would also ask that perhaps 9.3.x be tolerant of NXT/SIG being
> present.  I really think this is important.

	I double checked.  It should load a DNSSEC zone.  It won't generate
	the proofs however.

>   If we want DNSSEC to be incrementally deployable, then making it hard
> for people to upgrade to 9.3 is a bad idea. Making it confusing to
> some ISP why their 9.2 fails to load a zone suddendly is also bad.

	Incremental deployment would require that proofs be generated and
	validated for both DNSSEC and DNSSECbis.  BIND 9.3 does not do this.

> - -- 
> ] Michael Richardson          Xelerance Corporation, Ottawa, ON |  firewalls 
>  [
> ] mcr @ xelerance.com           Now doing IPsec training, see   |net architec
> t[
> ] http://www.sandelman.ca/mcr/    www.xelerance.com/training/   |device drive
> r[
> ] panic("Just another Debian GNU/Linux using, kernel hacking, security guy");
>  [
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.2 (GNU/Linux)
> Comment: Finger me for keys
> 
> iQCVAwUBQf1HaYqHRg3pndX9AQHnCwP/S+WfTPGxbivY6tfWN0yej6lKBEwtsh/+
> SlX9sSjRsCsir8yZQm9GY3PWWYWYO/IbZ7KBgRKmlLdcRnv2ybGDVycaSnXBMHTK
> hqz0gDk2djtELvIfIJhVCJcitXZSzptusyR/t9mlMlHQqcgDcN+uAoeXtVhC9ADY
> +cf3Yzod2sc=
> =VGPM
> -----END PGP SIGNATURE-----
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org


More information about the bind-users mailing list