[Pkg-dns-devel] Bug#844261: Bug#844261: does not correctly transfer zone - drops at least some RRSIGs
Ondřej Surý
ondrej at sury.org
Mon Nov 14 01:35:12 UTC 2016
Peter,
while I pretty much agree that Knot DNS should not be dropping the
RRSIGs, could you try resigning the zone correctly and trying again?
ondrej@komorebi:/tmp/knot-failed-xfr$ ldns-verify-zone ax.txt
Error: no signatures for sl.bilke.org. SOA
Error: Bogus DNSSEC signature for sl.bilke.org. DNSKEY
There were errors in the zone
ondrej@komorebi:/tmp/knot-failed-xfr$ /usr/sbin/dnssec-verify -o sl.bilke.org ax.txt
Loading zone 'sl.bilke.org' from file 'ax.txt'
dnssec-verify: fatal: SOA is not signed (keys offline or inactive?)
Cheers,
--
Ondřej Surý <ondrej at sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
Knot Resolver (https://www.knot-resolver.cz/) – secure, privacy-aware,
fast DNS(SEC) resolver
Vše pro chleba (https://vseprochleba.cz) – flours from the mill and
supplies for baking bread of all kinds
On Sun, Nov 13, 2016, at 22:04, Peter Palfrader wrote:
> Package: knot
> Version: 2.3.1-1~bpo8+1
> Severity: important
>
> Hi,
>
> I am secondary for a zone, sl.bilke.org, that is transferred via tsig
> protected zone transfer.
>
> Now it stopped returning RRSIG, and it turns out, it doesn't even store
> them in its copy of the zone file. For testing purposes I have removed
> the .zone and .db and issued a re-transfer.
>
> I have attached the .zone file knot wrote and a dig axfr output. You
> can see they differ.
>
> It would be good if knot would keep those RRSIGs around and serve them
> on request.
> --
> | .''`. ** Debian **
> Peter Palfrader | : :' : The universal
> https://www.palfrader.org/ | `. `' Operating System
> | `- https://www.debian.org/
> _______________________________________________
> pkg-dns-devel mailing list
> pkg-dns-devel at lists.alioth.debian.org
> https://lists.alioth.debian.org/mailman/listinfo/pkg-dns-devel
> Email had 2 attachments:
> + sl.bilke.org.zone
> 20k (application/octet-stream)
> + ax
> 39k (text/plain)
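
A presence check for the symptom discussed in this thread (RRSIGs present in the transfer but missing from the stored zone), as an added example that is not from either poster or from Knot DNS. The function names and the example.test records are constructed; input is assumed to be dig-style text with one record per line, and the check only looks for the existence of a covering RRSIG, it does not validate signatures (delegation NS and glue, which are legitimately unsigned, would also be listed).

```python
# Added example: reports RRsets without a covering RRSIG and RRSIGs lost
# between an AXFR dump and the stored zone. Presence check only.
# Assumed input format: "owner TTL class type rdata", one record per line.

def parse(zone_text):
    """Return (rrsets, covered): (owner, type) pairs for data and for RRSIGs."""
    rrsets, covered = set(), set()
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()   # drop dig comment lines
        if len(fields) < 5:
            continue
        owner, rtype = fields[0].lower(), fields[3].upper()
        if rtype == "RRSIG":
            covered.add((owner, fields[4].upper()))  # first rdata field: type covered
        else:
            rrsets.add((owner, rtype))
    return rrsets, covered

def unsigned_rrsets(zone_text):
    """RRsets in the zone that have no RRSIG covering them."""
    rrsets, covered = parse(zone_text)
    return sorted(rrsets - covered)

def dropped_rrsigs(transfer_text, stored_text):
    """RRSIGs seen in the transfer that are absent from the stored copy."""
    return sorted(parse(transfer_text)[1] - parse(stored_text)[1])

# Constructed sample data (not the zone from the bug report).
SIG = "8 2 3600 20170101000000 20161201000000 12345 example.test. c2lnbmF0dXJl"
AXFR = f"""; <<>> dig axfr example.test
example.test. 3600 IN SOA ns1.example.test. host.example.test. 1 3600 600 86400 300
example.test. 3600 IN RRSIG SOA {SIG}
example.test. 3600 IN NS ns1.example.test.
example.test. 3600 IN RRSIG NS {SIG}
www.example.test. 3600 IN A 192.0.2.1
www.example.test. 3600 IN RRSIG A {SIG}
example.test. 3600 IN SOA ns1.example.test. host.example.test. 1 3600 600 86400 300
"""
STORED = f"""example.test. 3600 IN SOA ns1.example.test. host.example.test. 1 3600 600 86400 300
example.test. 3600 IN NS ns1.example.test.
example.test. 3600 IN RRSIG NS {SIG}
www.example.test. 3600 IN A 192.0.2.1
"""

if __name__ == "__main__":
    for owner, rtype in dropped_rrsigs(AXFR, STORED):
        print(f"RRSIG covering {owner} {rtype} was in the transfer but not stored")
    for owner, rtype in unsigned_rrsets(AXFR):
        print(f"no signatures for {owner} {rtype} in the transfer itself")
```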