[Pkg-dns-devel] Bug#844261: Bug#844261: does not correctly transfer zone - drops at least some RRSIGs
Peter Palfrader
weasel at debian.org
Mon Nov 14 13:22:38 UTC 2016
severity 844261 minor
thanks
On Mon, 14 Nov 2016, Ondřej Surý wrote:
> while I pretty much agree that Knot DNS should not be dropping the
> RRSIGs, could you
> try resigning the zone correctly and trying again?
>
> ondrej at komorebi:/tmp/knot-failed-xfr$ ldns-verify-zone ax.txt
> Error: no signatures for sl.bilke.org. SOA
> Error: Bogus DNSSEC signature for sl.bilke.org. DNSKEY
> There were errors in the zone
>
> ondrej at komorebi:/tmp/knot-failed-xfr$ /usr/sbin/dnssec-verify -o sl.bilke.org ax.txt
> Loading zone 'sl.bilke.org' from file 'ax.txt'
> dnssec-verify: fatal: SOA is not signed (keys offline or inactive?)
Interesting, thanks a lot for pointing in the right direction. It turns
out the zone was signed by the zone owner using BIND inline signing
with only partial access to the rolling key material.
I still think the diagnostics on Knot's part could be improved also.
So, it shouldn't drop some of the RRSIGs, and/or maybe it should log
when it doesn't like the zone?
Cheers,
weasel
--
                            |  .''`.  ** Debian **
      Peter Palfrader       | : :' :      The  universal
 https://www.palfrader.org/ | `. `'      Operating System
                            |   `-    https://www.debian.org/
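A small checker for the condition the verifiers in the quoted reply flag ("no signatures for ... SOA"), as an added example that is not code from Knot DNS, BIND or anyone in the thread. It groups a zone dump into RRsets, lists every RRset that lacks a covering RRSIG (skipping delegation NS RRsets and glue, which the parent never signs), and also flags RRSIGs whose covered RRset is absent, which is the symptom one would look for in a transfer that dropped records. The zone text, names, key tags and signature data are constructed for the example; it assumes one record per line in presentation format (as `dig axfr` prints it), class IN, and no parenthesised multi-line records.

```python
"""List RRsets in a zone dump that have no covering RRSIG.

Added example, not code from Knot DNS, BIND or the original bug report.
It performs the structural check ldns-verify-zone and dnssec-verify do
before any cryptography: every RRset that must be signed needs an RRSIG
whose type-covered field matches it. Assumes one record per line, class IN,
and no multi-line (parenthesised) records.
"""
from collections import namedtuple

# Constructed sample modelled on the reported failure: the apex SOA carries
# no RRSIG while the DNSKEY and other RRsets are signed. Names, key tags and
# signature data are made up.
SAMPLE_ZONE = """\
; zone dump (constructed for this example)
example.test.          3600 IN SOA    ns1.example.test. hostmaster.example.test. 2016111401 7200 3600 1209600 3600
example.test.          3600 IN NS     ns1.example.test.
example.test.          3600 IN RRSIG  NS 8 2 3600 20161214000000 20161114000000 12345 example.test. c2lnMQ==
example.test.          3600 IN DNSKEY 257 3 8 AwEAAa1example_ksk=
example.test.          3600 IN DNSKEY 256 3 8 AwEAAa1example_zsk=
example.test.          3600 IN RRSIG  DNSKEY 8 2 3600 20161214000000 20161114000000 54321 example.test. c2lnMg==
example.test.          3600 IN RRSIG  MX 8 2 3600 20161214000000 20161114000000 12345 example.test. c2lnMw==
ns1.example.test.      3600 IN A      192.0.2.1
ns1.example.test.      3600 IN RRSIG  A 8 3 3600 20161214000000 20161114000000 12345 example.test. c2lnNA==
sub.example.test.      3600 IN NS     ns1.sub.example.test.
sub.example.test.      3600 IN DS     11111 8 2 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
sub.example.test.      3600 IN RRSIG  DS 8 3 3600 20161214000000 20161114000000 12345 example.test. c2lnNQ==
ns1.sub.example.test.  3600 IN A      192.0.2.53
"""

Report = namedtuple("Report", "unsigned orphan_sigs")


def parse_rrsets(zone_text):
    """Return (rrsets, covered): (owner, type) pairs present in the dump,
    and (owner, type) pairs for which an RRSIG record exists."""
    rrsets, covered = set(), set()
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments
        if not line:
            continue
        tok = line.split()
        if "IN" not in tok[:3]:                      # assumption: class IN precedes the type
            continue
        cls = tok.index("IN")
        owner, rtype = tok[0].lower(), tok[cls + 1].upper()
        if rtype == "RRSIG":
            covered.add((owner, tok[cls + 2].upper()))   # first rdata field: type covered
        else:
            rrsets.add((owner, rtype))
    return rrsets, covered


def check_signatures(zone_text, apex):
    """Find RRsets lacking an RRSIG and RRSIGs covering no present RRset.

    Delegation NS RRsets and their glue addresses are not signed by the
    parent zone, so they are excluded rather than reported as errors."""
    apex = apex.lower().rstrip(".") + "."
    rrsets, covered = parse_rrsets(zone_text)
    delegations = {o for o, t in rrsets if t == "NS" and o != apex}

    def below_delegation(owner):
        return any(owner == d or owner.endswith("." + d) for d in delegations)

    def must_be_signed(owner, rtype):
        if rtype == "NS" and owner in delegations:
            return False                             # delegation NS
        if rtype in ("A", "AAAA") and below_delegation(owner):
            return False                             # glue
        return True

    unsigned = sorted(k for k in rrsets - covered if must_be_signed(*k))
    orphan = sorted(covered - rrsets)
    return Report(unsigned, orphan)


if __name__ == "__main__":
    report = check_signatures(SAMPLE_ZONE, "example.test")
    for owner, rtype in report.unsigned:
        print(f"Error: no signatures for {owner} {rtype}")
    for owner, rtype in report.orphan_sigs:
        print(f"Warning: RRSIG covers {rtype} at {owner} but no such RRset is present")
```

Run against the sample it reports the unsigned apex SOA and the stray MX signature; on a real dump, feed it the output of `dig axfr` (or `kdig`) saved to a file and pass the zone's apex name. It does not check signature validity, expiry or key matching, which is what ldns-verify-zone and dnssec-verify add on top.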