[BUG] dnssec-signzone silently drops DS records when '-g' is used
Ondřej Surý
ondrej.sury at nic.cz
Mon Sep 15 18:21:16 UTC 2008
Hi,
I just found quite a serious bug in dnssec-signzone :-(.
dnssec-signzone quietly drops DS records when the -g switch is used
(generate DS records).
Commands used:
Without -g:
# dnssec-signzone -v 255 -s 20080901000000 -e 20080930235900 \
    -k Kcz.+005+36397.key -o cz -f cz.signed.plain cz.example \
    Kcz.+005+16902.key 2>dnssec-signzone.log.plain
With -g:
dnssec-signzone -g -v 255 -s 20080901000000 -e 20080930235900 \
    -k Kcz.+005+36397.key -o cz -f cz.signed.gends cz.example \
    Kcz.+005+16902.key 2>dnssec-signzone.log.gends
Attached files:
- cz.example (stripped down .cz zone)
- cz.signed.*
- dnssec-signzone.log.*
- cz.signed.diff (diff of cz.signed.plain and cz.signed.gends)
- dnssec-signzone.log.diff (diff of dnssec-signzone.log.plain and
dnssec-signzone.log.gends)
Notice that dnssec-signzone.log.gends doesn't even mention the DS record
of dnssec.cz; it looks like there is some IF DS THEN SKIP code when -g
is used.
Regards,
Ondrej.
--
Ondřej Surý
technický ředitel/Chief Technical Officer
-----------------------------------------
CZ.NIC, z.s.p.o. -- .cz domain registry
Americká 23,120 00 Praha 2,Czech Republic
mailto:ondrej.sury at nic.cz http://nic.cz/
sip:ondrej.sury at nic.cz tel:+420.222745110
mob:+420.739013699 fax:+420.222745112
-----------------------------------------
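
A post-signing check for the symptom reported above, as an added example that is not part of the original message or of BIND: it lists owner names that hold a DS record in the signer's input but none in its output, counting only the record type field so that "RRSIG DS" and NSEC bitmaps do not hide a dropped DS. The master-file parser is a simplified assumption (no $INCLUDE, no ';' or parentheses inside quoted strings, absolute $ORIGIN only), and the function names and sample zones are constructed for illustration.

```python
import re
CLASSES = {"IN", "CH", "HS"}
TTL = re.compile(r"(\d+[smhdw])*\d*", re.I)   # 3600, 1h, 1h30m

def ds_owners(zone_text, origin):
    """Owner names (absolute, lowercase) that hold a DS record in a master file."""
    origin = origin.rstrip(".").lower() + "."
    owners, owner, buf, depth = set(), None, "", 0
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0]                 # drop comments
        if depth == 0 and not line.strip():
            continue
        buf = buf + " " + line if depth else line   # join "( ... )" continuations
        depth += line.count("(") - line.count(")")
        if depth > 0:
            continue
        inherited = buf[0].isspace()                # leading blank: previous owner
        fields = buf.replace("(", " ").replace(")", " ").split()
        if not fields or fields[0].startswith("$"): # directives ($TTL is ignored)
            if fields and fields[0].upper() == "$ORIGIN":
                origin = fields[1].lower()
            continue
        if not inherited:
            name = fields.pop(0).lower()
            owner = (origin if name == "@" else name if name.endswith(".")
                     else name + "." + origin.lstrip("."))
        while fields and (fields[0].upper() in CLASSES or TTL.fullmatch(fields[0])):
            fields.pop(0)                           # optional TTL and class
        # Only the type field counts: RRSIG-over-DS and NSEC bitmaps are not DS.
        if owner and fields and fields[0].upper() == "DS":
            owners.add(owner)
    return owners

def dropped_ds(unsigned_text, signed_text, origin):
    return sorted(ds_owners(unsigned_text, origin) - ds_owners(signed_text, origin))

# Constructed sample zones (not the files attached to the report).
UNSIGNED = """\
kept     IN NS ns.kept.example.
         IN DS 12345 5 1 ( 0123456789ABCDEF0123456789ABCDEF01234567 )
lost     IN NS ns.lost.example.
         IN DS 54321 5 1 89ABCDEF0123456789ABCDEF0123456789ABCDEF
"""
SIGNED = """\
kept.example. 3600 IN NS ns.kept.example.
              3600 DS 12345 5 1 0123456789ABCDEF0123456789ABCDEF01234567
              3600 NSEC lost.example. NS DS RRSIG NSEC
lost.example. 3600 IN NS ns.lost.example.
"""
print(dropped_ds(UNSIGNED, SIGNED, "example"))
```

A non-empty list means the signed output lost DS RRsets that were present in the input and should not be published as-is.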