On Thu, Nov 06, 2025 at 09:43:19AM +0000, Stephane Bortzmeyer via Opendnssec-user <[email protected]> wrote a message of 102 lines which said:
> Here is the issue, which I believe very serious:
>
> When I use the syntax for unknown types (RFC 3597) (here,
> /var/lib/opendnssec/unsigned/bortzmeyer.fr):
>
> @ IN TYPE262 \# 39 03425443
> 223148744E4A365A465563397975397532714177423474476447775051617351476178

The bug seems to be in the signing software, ldns, I believe. Anyway, ldns clearly has the bug:

1) ldns-keygen -a ED25519 example.org

2) Create a zone file with the above key and the line

   @ IN TYPE262 \# 39 03425443 223148744E4A365A465563397975397532714177423474476447775051617351476178

3) ldns-signzone -o example.org example.org.zone Kexample.org.+015+$KEYID

You will observe in example.org.zone.signed that the WALLET RR was translated to TXT (!!!) and the signatures are broken:

% dnssec-verify -o example.org -z example.org.zone.signed
Loading zone 'example.org' from file 'example.org.zone.signed'
Verifying the zone using the following algorithms:
- ED25519
No correct ED25519 signature for example.org TXT
No correct ED25519 signature for example.org NSEC
The zone is not fully signed for the following algorithms: ED25519

_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
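The record in the thread is written in the RFC 3597 generic syntax (`\# <length> <hex>`), and the failure mode described is a signer that does not keep such a record opaque: the type code changes (TYPE262 becomes TXT), so the RRSIGs no longer cover what is in the signed file. The following is an added example, not code from the thread or from ldns/OpenDNSSEC. It parses the quoted record with whitespace-separated hex exactly as the zone file allows, checks the declared length against the bytes actually given, decodes the RDATA as RFC 1035 character-strings (an assumption about the WALLET wire format that the sample bytes happen to satisfy), and renders the RDATA back into canonical generic form so that the unsigned and signed versions of a record can be compared byte for byte.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample: the generic-format WALLET record quoted in the thread,
# with the hex split across whitespace as RFC 3597 permits.
SAMPLE_RR = (
    "@ IN TYPE262 \\# 39 03425443 "
    "223148744E4A365A465563397975397532714177423474476447775051617351476178"
)


def parse_generic_rdata(fields: List[str]) -> bytes:
    """Parse RFC 3597 '\\# <len> <hex...>' fields into bytes, enforcing the length."""
    if len(fields) < 2 or fields[0] != r"\#":
        raise ValueError("not RFC 3597 generic RDATA")
    declared = int(fields[1])
    hexstr = "".join(fields[2:])  # whitespace between hex groups is allowed
    if not re.fullmatch(r"[0-9A-Fa-f]*", hexstr) or len(hexstr) % 2:
        raise ValueError("RDATA must be an even number of hex digits")
    data = bytes.fromhex(hexstr)
    if len(data) != declared:
        raise ValueError(f"declared {declared} RDATA bytes, got {len(data)}")
    return data


def parse_rr(line: str) -> Tuple[str, str, Optional[int], bytes]:
    """Split '<owner> <class> TYPEnnn \\# ...' into (owner, class, type code, rdata)."""
    fields = line.split()
    owner, rclass, rtype = fields[0], fields[1], fields[2]
    m = re.fullmatch(r"TYPE(\d+)", rtype)
    type_code = int(m.group(1)) if m else None  # None: mnemonic, not TYPEnnn
    return owner, rclass, type_code, parse_generic_rdata(fields[3:])


def decode_character_strings(rdata: bytes) -> List[str]:
    """Decode a sequence of RFC 1035 <character-string>s (1-byte length prefix each).

    Assumption: WALLET RDATA is a character-string sequence; the sample bytes
    decode cleanly that way, which is consistent with a signer mistaking it for TXT.
    """
    out, i = [], 0
    while i < len(rdata):
        n = rdata[i]
        chunk = rdata[i + 1:i + 1 + n]
        if len(chunk) != n:
            raise ValueError("truncated character-string")
        out.append(chunk.decode("ascii"))
        i += 1 + n
    return out


def to_generic(type_code: int, rdata: bytes) -> str:
    """Canonical RFC 3597 rendering, usable to diff a record before and after signing."""
    return f"TYPE{type_code} \\# {len(rdata)} {rdata.hex().upper()}"


if __name__ == "__main__":
    owner, rclass, tcode, rdata = parse_rr(SAMPLE_RR)
    print(owner, rclass, to_generic(tcode, rdata))
    print(decode_character_strings(rdata))
```

Because `to_generic` is deterministic, running the unsigned and signed zone through it and comparing owner, type code and hex is a direct test for the defect described: if the type code or RDATA of any generic record differs after signing, the signer rewrote data it should have passed through untouched.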
