[Pdns-dev] AXFR with pre-signed zones

Aki Tuomi cmouse at youzen.ext.b2.fi
Tue Jul 17 13:42:09 CEST 2012


On Tue, Jul 17, 2012 at 01:24:19PM +0200, Christof Meerwald wrote:
> On Tue, 17 Jul 2012 13:59:51 +0300, Aki Tuomi wrote:
> > On Tue, Jul 17, 2012 at 12:49:35PM +0200, Christof Meerwald wrote:
> >> just noticed that doing an AXFR of a pre-signed zone results in a
> >> slightly corrupted zone (corrupted NSEC3PARAM record and duplicate
> >> RRSIG records). Proposed fix is attached to ticket 533 -
> >> http://wiki.powerdns.com/trac/ticket/533
> > Does not look like a "fix", more like workaround for stripping DNSSEC
> > data from the stream.
> 
> Whatever you call it - RRSIG records shouldn't be duplicated during an
> AXFR. For a pre-signed zone, the RRSIG records are part of the zone
> data, but the signer tries to add another set of RRSIG records - so
> one set of RRSIG records needs to be suppressed.
> 
> 
> > What PowerDNS version are you running?
> 
> 3.1
> 
> 
> Christof
> 

So... Correct me if I am wrong, but you are transferring a pre-signed zone
with AXFR from master, and master tries to sign it again? Or did I understand
you completely wrong? Can you give more details on the problem you are
experiencing? Btw, it cannot sign your records without a signing key.

Aki 
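
A check for the symptom reported in this thread (duplicate RRSIG records in the AXFR output of a pre-signed zone), as an added example that is not part of the original messages or of PowerDNS. It assumes dig-style text output with owner, TTL and class on every line, and treats two RRSIGs as duplicates when owner, type covered, algorithm, key tag and signer all match; the sample zone and the function names are constructed for illustration.

```python
from collections import Counter

# Constructed sample (dig-style AXFR text); names, key tags and signatures are made up.
SAMPLE_AXFR = """\
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2012071701 3600 600 86400 3600
example.com. 3600 IN RRSIG SOA 8 2 3600 20120801000000 20120701000000 12345 example.com. c2lnLXNvYQ==
example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20120801000000 20120701000000 12345 example.com. c2lnLXpzaw==
example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20120801000000 20120701000000 54321 example.com. c2lnLWtzaw==
www.example.com. 3600 IN A 192.0.2.10
www.example.com. 3600 IN RRSIG A 8 3 3600 20120801000000 20120701000000 12345 example.com. c2lnLWE=
WWW.example.com. 3600 IN RRSIG A 8 3 3600 20120801000000 20120701000000 12345 example.com. c2lnLWE=
"""


def rrsig_keys(axfr_text):
    """Yield one identity tuple per RRSIG record found in the transfer text."""
    for line in axfr_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop trailing comments
        # owner ttl class RRSIG covered alg labels origttl expire incept keytag signer sig...
        if len(fields) < 13 or fields[3].upper() != "RRSIG":
            continue
        owner, covered = fields[0].lower(), fields[4].upper()
        algorithm, key_tag = int(fields[5]), int(fields[10])
        signer = fields[11].lower()
        yield (owner, covered, algorithm, key_tag, signer)


def find_duplicate_rrsigs(axfr_text):
    """Return {identity: count} for RRSIGs that appear more than once.

    Two signatures over the same RRset made by different keys (for example
    a DNSKEY RRset signed by two keys) have different key tags and are not
    reported; only a repeated signature from the same key is.
    """
    counts = Counter(rrsig_keys(axfr_text))
    return {key: n for key, n in counts.items() if n > 1}


if __name__ == "__main__":
    for key, n in find_duplicate_rrsigs(SAMPLE_AXFR).items():
        print("duplicate RRSIG x%d: %s" % (n, key))
```
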