[Pkg-dns-devel] Bug#844261: Bug#844261: does not correctly transfer zone - drops at least some RRSIGs

Ondřej Surý ondrej at sury.org
Thu Nov 17 01:37:26 UTC 2016


This has now been fixed in git master and it will be part of any future
release.

Also please note that we found that Knot DNS has transferred all records
successfully; it just didn't dump all of them to the zonefile.

Cheers,
-- 
Ondřej Surý <ondrej at sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
Knot Resolver (https://www.knot-resolver.cz/) – secure, privacy-aware,
fast DNS(SEC) resolver
Vše pro chleba (https://vseprochleba.cz) – Flour from the mill and supplies for
baking bread of all kinds

On Mon, Nov 14, 2016, at 14:22, Peter Palfrader wrote:
> severity 844261 minor
> thanks
> 
> On Mon, 14 Nov 2016, Ondřej Surý wrote:
> 
> > while I pretty much agree that Knot DNS should not be dropping the
> > RRSIGs, could you try re-signing the zone correctly and trying again?
> > 
> > ondrej at komorebi:/tmp/knot-failed-xfr$ ldns-verify-zone ax.txt 
> > Error: no signatures for sl.bilke.org.  SOA
> > Error: Bogus DNSSEC signature for sl.bilke.org. DNSKEY
> > There were errors in the zone
> > 
> > ondrej at komorebi:/tmp/knot-failed-xfr$ /usr/sbin/dnssec-verify -o
> > sl.bilke.org ax.txt 
> > Loading zone 'sl.bilke.org' from file 'ax.txt'
> > dnssec-verify: fatal: SOA is not signed (keys offline or inactive?)
> 
> Interesting, thanks a lot for pointing in the right direction.  It turns
> out, the zone was signed by the zone owner using a bind inline signing
> with only partial access to the rolling key material.
> 
> I still think the diagnostics on knot's part could be improved also.
> So, it shouldn't drop some of the RRSIGs, and/or maybe it should log
> when it doesn't like the zone?
> 
> Cheers,
> weasel
> -- 
>                             |  .''`.       ** Debian **
>       Peter Palfrader       | : :' :      The  universal
>  https://www.palfrader.org/ | `. `'      Operating System
>                             |   `-    https://www.debian.org/
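The two checks behind this thread, as an added, stand-alone example that is not code from the bug report, from Knot DNS or from ldns: the first reproduces what `ldns-verify-zone` reported ("no signatures for ... SOA") by listing every RRset in a zone dump that has no covering RRSIG, skipping delegation points and glue, which are legitimately unsigned; the second compares a full AXFR capture against what the server wrote to its zonefile and lists the records that went missing on disk, which is the failure mode found here. The zone data, the owner name `example.org.` and the RRSIG/DNSKEY rdata are constructed placeholders, and the parser assumes the flat one-record-per-line format that `ldns`/`dig` produce for an AXFR capture (no `$ORIGIN`, parentheses or omitted fields).

```python
"""Check a zone dump for RRsets lacking a covering RRSIG, and diff two dumps.

Constructed example (not from the bug report or from Knot DNS). Reads zone
files in the flat presentation format
    <owner> <ttl> IN <type> <rdata...>
with no $ORIGIN/$TTL directives, multi-line parentheses or omitted fields.
RRSIG and DNSKEY rdata below are placeholder strings, not real key material.
"""

# Constructed zone dump: every RRset is signed except the SOA, reproducing the
# "no signatures for <apex> SOA" condition reported in the thread.
ZONE_FULL = """\
example.org. 3600 IN SOA ns1.example.org. hostmaster.example.org. 2016111401 7200 3600 1209600 3600
example.org. 3600 IN NS ns1.example.org.
example.org. 3600 IN RRSIG NS 8 2 3600 20161201000000 20161101000000 12345 example.org. SIGPLACEHOLDER1
example.org. 3600 IN DNSKEY 257 3 8 KEYPLACEHOLDER
example.org. 3600 IN RRSIG DNSKEY 8 2 3600 20161201000000 20161101000000 12345 example.org. SIGPLACEHOLDER2
ns1.example.org. 3600 IN A 192.0.2.53
ns1.example.org. 3600 IN RRSIG A 8 3 3600 20161201000000 20161101000000 12345 example.org. SIGPLACEHOLDER3
sub.example.org. 3600 IN NS ns1.sub.example.org.   ; delegation, legitimately unsigned
ns1.sub.example.org. 3600 IN A 192.0.2.99          ; glue, legitimately unsigned
"""

# Constructed "what the server wrote to disk" dump: same zone, one RRSIG missing.
ZONE_DUMPED = "\n".join(
    line for line in ZONE_FULL.splitlines() if "SIGPLACEHOLDER2" not in line
) + "\n"


def parse_zone(text):
    """Return a list of (owner, ttl, type, rdata) tuples; rdata is a tuple of tokens."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop trailing comments
        if not line or line.startswith("$"):  # skip blank lines and directives
            continue
        fields = line.split()
        if len(fields) < 4 or fields[2].upper() != "IN":
            raise ValueError("unsupported line: %r" % raw)
        owner, ttl, rtype = fields[0].lower(), int(fields[1]), fields[3].upper()
        records.append((owner, ttl, rtype, tuple(fields[4:])))
    return records


def zone_apex(records):
    """The apex is the owner name of the SOA record."""
    for owner, _ttl, rtype, _rdata in records:
        if rtype == "SOA":
            return owner
    raise ValueError("zone has no SOA")


def unsigned_rrsets(records):
    """RRsets (owner, type) with no RRSIG covering them.

    NS RRsets below the apex are delegations, and names at or below a
    delegation are glue; neither is signed by this zone, so both are skipped.
    """
    apex = zone_apex(records)
    rrsets, covered, delegations = set(), set(), set()
    for owner, _ttl, rtype, rdata in records:
        if rtype == "RRSIG":
            covered.add((owner, rdata[0].upper()))  # first rdata field = type covered
        else:
            rrsets.add((owner, rtype))
            if rtype == "NS" and owner != apex:
                delegations.add(owner)

    def below_delegation(name):
        return any(name == d or name.endswith("." + d) for d in delegations)

    return sorted(
        (owner, rtype)
        for owner, rtype in rrsets
        if (owner, rtype) not in covered and not below_delegation(owner)
    )


def missing_records(full, dumped):
    """Records present in `full` but absent from `dumped` (TTL ignored)."""
    have = {(o, t, r) for o, _ttl, t, r in dumped}
    return sorted((o, t, r) for o, _ttl, t, r in full if (o, t, r) not in have)


if __name__ == "__main__":
    full = parse_zone(ZONE_FULL)
    for owner, rtype in unsigned_rrsets(full):
        print("Error: no signatures for %s %s" % (owner, rtype))
    for owner, rtype, rdata in missing_records(full, parse_zone(ZONE_DUMPED)):
        print("Missing from dump: %s %s %s" % (owner, rtype, " ".join(rdata)))
```

Run against a real capture, replace `ZONE_FULL` with the output of an AXFR (as `ax.txt` was in the thread) and `ZONE_DUMPED` with the zonefile the secondary wrote; an empty `unsigned_rrsets` result means every in-zone RRset has a signature, and an empty `missing_records` result means the on-disk file is a complete copy of what was transferred.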
