Hi Paul,

I just tried it with my own zone, but the signer does not include the SSHFP RRtype in the NSEC and so the auditor has nothing to complain about. Which version are you using?

Best regards,
Matthijs

On 02/08/2012 12:03 AM, Paul Wouters wrote:
>
> I found the following bug:
>
> git.foo.com. IN A 1.2.3.4
> git.foo.com. IN SSHFP 1 1 AAACC04AA31DF4A04C11254FB6939A15C3A11B87
>
> Sign the zone
>
> edit the zone and replace the two above records with:
>
> git.foo.com. IN CNAME www
>
> sign the zone. ods-signer refuses because the auditor finds:
>
> Feb 6 15:50:20 nohats ods-auditor[14700]: NSEC includes SSHFP which is not in rrsets for git.foo.com.
>
> It should just fix the NSEC chain. Did the CNAME confuse it?
>
> Paul
> _______________________________________________
> Opendnssec-user mailing list
> [email protected]
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
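
Added example, not part of the original thread and not ods-auditor's own code: a minimal Python version of the consistency check behind the quoted log line, comparing the type list in each NSEC with the RRsets actually present at that owner name. The simplified one-record-per-line input, the `www.foo.com.` next name, the sample NSEC records and the "omits" message are constructed for illustration.

```python
from collections import defaultdict

# Types that exist only in the signed zone, so they are not expected in the unsigned input.
DNSSEC_ONLY = {"NSEC", "RRSIG"}

def parse_records(text):
    """Parse simplified 'owner IN TYPE rdata...' lines into (owner, type, rdata fields)."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        owner, _cls, rtype, *rdata = line.split()
        records.append((owner.lower(), rtype.upper(), rdata))
    return records

def audit_nsec(unsigned_text, signed_text):
    """Return findings where an NSEC type list disagrees with the unsigned zone data."""
    present = defaultdict(set)
    for owner, rtype, _ in parse_records(unsigned_text):
        present[owner].add(rtype)
    findings = []
    for owner, rtype, rdata in parse_records(signed_text):
        if rtype != "NSEC":
            continue
        # NSEC rdata: next owner name, then the types present at this owner.
        claimed = {t.upper() for t in rdata[1:]} - DNSSEC_ONLY
        for t in sorted(claimed - present[owner]):
            findings.append(f"NSEC includes {t} which is not in rrsets for {owner}")
        for t in sorted(present[owner] - claimed):
            findings.append(f"NSEC omits {t} which is in rrsets for {owner}")
    return findings

# Constructed sample data, based on the records quoted in the report above.
UNSIGNED_AFTER_EDIT = "git.foo.com. IN CNAME www\n"
# Constructed NSEC that still lists SSHFP after the edit (the condition the log line reports).
STALE_NSEC = "git.foo.com. IN NSEC www.foo.com. CNAME SSHFP RRSIG NSEC\n"
# Constructed NSEC rebuilt from the edited zone.
FIXED_NSEC = "git.foo.com. IN NSEC www.foo.com. CNAME RRSIG NSEC\n"

if __name__ == "__main__":
    for label, signed in (("stale", STALE_NSEC), ("rebuilt", FIXED_NSEC)):
        print(label, audit_nsec(UNSIGNED_AFTER_EDIT, signed))
```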
