[Pdns-dev] AXFR with pre-signed zones
Christof Meerwald
cmeerw at cmeerw.org
Tue Jul 17 13:24:19 CEST 2012
On Tue, 17 Jul 2012 13:59:51 +0300, Aki Tuomi wrote:
> On Tue, Jul 17, 2012 at 12:49:35PM +0200, Christof Meerwald wrote:
>> just noticed that doing an AXFR of a pre-signed zone results in a
>> slightly corrupted zone (corrupted NSEC3PARAM record and duplicate
>> RRSIG records). Proposed fix is attached to ticket 533 -
>> http://wiki.powerdns.com/trac/ticket/533
> Does not look like a "fix", more like a workaround for stripping DNSSEC
> data from the stream.
Whatever you call it - RRSIG records shouldn't be duplicated during an
AXFR. For a pre-signed zone, the RRSIG records are part of the zone
data, but the signer tries to add another set of RRSIG records - so
one set of RRSIG records needs to be suppressed.
> What PowerDNS version are you running?
3.1
Christof
--
http://cmeerw.org sip:cmeerw at cmeerw.org
mailto:cmeerw at cmeerw.org xmpp:cmeerw at cmeerw.org
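
Added example, not part of the original message and not PowerDNS code: a check that can be run over the text of a transferred zone to spot the duplicated RRSIG records described in the message above. It assumes dig-style output (owner, TTL, class and type present on every line) and that a duplicate appears as more than one RRSIG from the same key over the same RRset; the zone data, key tag and signatures are constructed.

```python
from collections import Counter

# Constructed AXFR output in dig presentation format (not real zone data).
SAMPLE_AXFR = """\
; constructed sample transfer
example.org. 3600 IN SOA ns1.example.org. hostmaster.example.org. 1 3600 600 86400 3600
example.org. 3600 IN RRSIG SOA 8 2 3600 20120801000000 20120701000000 12345 example.org. AAAA
example.org. 3600 IN RRSIG SOA 8 2 3600 20120802000000 20120702000000 12345 example.org. BBBB
www.example.org. 3600 IN A 192.0.2.1
www.example.org. 3600 IN RRSIG A 8 3 3600 20120801000000 20120701000000 12345 example.org. CCCC
example.org. 3600 IN SOA ns1.example.org. hostmaster.example.org. 1 3600 600 86400 3600
"""


def rrsig_keys(axfr_text):
    """Yield (owner, type_covered, algorithm, key_tag, signer) per RRSIG line."""
    for line in axfr_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # skip blank lines and dig comments
        f = line.split()
        # Layout: owner ttl class RRSIG covered alg labels origttl
        #         expiration inception keytag signer signature...
        if len(f) < 13 or f[3].upper() != "RRSIG":
            continue
        yield (f[0].lower(), f[4].upper(), int(f[5]), int(f[10]), f[11].lower())


def duplicated_rrsigs(axfr_text):
    """Return {key: count} for RRsets signed more than once by the same key."""
    counts = Counter(rrsig_keys(axfr_text))
    return {key: n for key, n in counts.items() if n > 1}


if __name__ == "__main__":
    for (owner, covered, alg, tag, signer), n in duplicated_rrsigs(SAMPLE_AXFR).items():
        print(f"{owner} {covered}: {n} RRSIGs from key {tag} (alg {alg}, signer {signer})")
```

Two signatures over one RRset from different key tags, as during a key rollover, are not reported; only repeats from the same key are.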