Hello,

Running ODS 1.4.9. I know 1.4.10 is out (as well 2.x.x) but I do not see
anything related to the issue mentioned in the Changelog, so I presume
1.4.10 inherits the same behavior.

Domain example.com, contains the following insecure delegation:
sub2.sub1       IN      NS      ns1.yahoo.com.

Policy and signconf has optout set:
<Denial>
        <NSEC3>
                <OptOut/>
                <Resalt>P100D</Resalt>
                <Hash>
                        <Algorithm>1</Algorithm>
                        <Iterations>0</Iterations>
                        <Salt length="0"/>
                </Hash>
        </NSEC3>
</Denial>

When signed with ODS, NSEC3 record is created for sub1.example.com, see
files attached.

RFC5155, Section 7.1

Each empty non-terminal MUST have a corresponding NSEC3 RR, unless
      the empty non-terminal is only derived from an insecure delegation
      covered by an Opt-Out NSEC3 RR.

If I understand the above correctly, NSEC3 records should not be created
for insecure delegations.
validns also recognizes this as an error:
 validns ../signed/example.com.zone.signed
../signed/example.com.zone.signed:22: NSEC3 without a corresponding record
(or empty non-terminal)

Any help will be highly appreciated.

Emil

P.S. I'll try 1.4.10 anyway and will update if it makes any difference

Attachment: example.com.zone.signed
Description: Binary data

Attachment: example.com.zone
Description: Binary data
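The following is an added example, not code from the post or from OpenDNSSEC. It applies the RFC 5155 section 7.1 rule the post quotes to a small constructed zone: it works out which owner names and empty non-terminals need an NSEC3 RR with and without Opt-Out, and it computes the NSEC3 hash for the post's policy (algorithm 1 = SHA-1, 0 iterations, empty salt) so that NSEC3 owner names in a signed zone can be mapped back to the names they cover. The zone contents (www, mail.corp, the secure delegation and the glue record) are constructed; only sub2.sub1.example.com comes from the post. A name such as sub1.example.com that validns would flag shows up in the output of unexpected_nsec3().

```python
"""RFC 5155 section 7.1: which names get an NSEC3 RR, with and without Opt-Out.

Constructed example; not OpenDNSSEC code. Zone data below is made up except for
the insecure delegation sub2.sub1.example.com from the mailing-list post.
"""
import base64
import hashlib
from collections import defaultdict

# Constructed zone: (owner name, RR type) pairs, as they would appear unsigned.
ZONE_APEX = "example.com."
ZONE_RRS = [
    ("example.com.", "SOA"), ("example.com.", "NS"),
    ("www.example.com.", "A"),
    ("mail.corp.example.com.", "A"),             # creates the ENT corp.example.com.
    ("secure.example.com.", "NS"), ("secure.example.com.", "DS"),  # secure delegation
    ("sub2.sub1.example.com.", "NS"),            # insecure delegation (from the post)
    ("ns.sub2.sub1.example.com.", "A"),          # glue below the cut: never gets NSEC3
]

def labels(name):
    """Lowercased label list of a fully qualified name."""
    return name.rstrip(".").lower().split(".")

def is_below(name, ancestor):
    """True if name is strictly below ancestor in the tree."""
    n, a = labels(name), labels(ancestor)
    return len(n) > len(a) and n[-len(a):] == a

def ancestors_within(name, apex):
    """Proper ancestors of name that lie strictly below the apex (ENT candidates)."""
    n, a = labels(name), labels(apex)
    for i in range(1, len(n) - len(a)):
        yield ".".join(n[i:]) + "."

def nsec3_owner_names(apex, rrs, opt_out):
    """Return the set of names that must be covered by their own NSEC3 RR."""
    apex = apex.lower()
    types = defaultdict(set)
    for owner, rtype in rrs:
        types[owner.lower()].add(rtype.upper())
    cuts = {n for n, t in types.items() if "NS" in t and n != apex}
    insecure = {n for n in cuts if "DS" not in types[n]}
    # Names strictly below a zone cut are glue, not authoritative data.
    authoritative = {n for n in types if not any(is_below(n, c) for c in cuts)}
    # With Opt-Out, insecure delegations are covered by a neighbouring NSEC3
    # with the Opt-Out flag instead of getting one of their own.
    required = authoritative - insecure if opt_out else set(authoritative)
    result = set(required)
    # An ENT needs an NSEC3 only if it is derived from a name that itself
    # needs one; an ENT derived solely from an opted-out delegation does not.
    for n in required:
        for ent in ancestors_within(n, apex):
            if ent not in types:
                result.add(ent)
    return result

def nsec3_hash(name, salt=b"", iterations=0):
    """NSEC3 hash (algorithm 1 = SHA-1) as uppercase base32hex, per RFC 5155 section 5."""
    wire = b"".join(bytes([len(l)]) + l.encode() for l in labels(name)) + b"\x00"
    h = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    std = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
    hexalpha = b"0123456789ABCDEFGHIJKLMNOPQRSTUV"
    return base64.b32encode(h).translate(bytes.maketrans(std, hexalpha)).decode()

def unexpected_nsec3(apex, rrs, nsec3_owners, opt_out, salt=b"", iterations=0):
    """NSEC3 owner names (hash label or full name) that no required name explains.

    This is the condition validns reports as 'NSEC3 without a corresponding
    record (or empty non-terminal)'.
    """
    expected = {nsec3_hash(n, salt, iterations)
                for n in nsec3_owner_names(apex, rrs, opt_out)}
    seen = {o.split(".")[0].upper() for o in nsec3_owners}
    return sorted(seen - expected)

if __name__ == "__main__":
    for flag in (False, True):
        print("opt_out=%s:" % flag, sorted(nsec3_owner_names(ZONE_APEX, ZONE_RRS, flag)))
    # A signer that ignored Opt-Out would emit NSEC3s for every name:
    over_signed = [nsec3_hash(n) for n in nsec3_owner_names(ZONE_APEX, ZONE_RRS, False)]
    print("extra under opt-out:", unexpected_nsec3(ZONE_APEX, ZONE_RRS, over_signed, True))
```

unexpected_nsec3() takes the hashed owner names from a signed zone's NSEC3 RRs (with or without the apex suffix); in the post's case the hash of sub1.example.com. would appear in its output when Opt-Out is in effect.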

_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
