Hi, On 10/26/2012 05:01 PM, elsif wrote: > Unsigned zone: > lac-megantic.qc.ca. IN NS ns1.com2media.ca. > IN NS ns2.com2media.ca. > ville.lac-megantic.qc.ca. IN NS ns1.com2media.ca. > IN NS ns2.com2media.ca. > > Signed zone (ODS): > lac-megantic.qc.ca. 86400 IN NS ns1.com2media.ca. > lac-megantic.qc.ca. 86400 IN NS ns2.com2media.ca. > > > Signed zone (BIND): > lac-megantic.qc.ca. 86400 IN NS ns1.com2media.ca. > 86400 IN NS ns2.com2media.ca. > ville.lac-megantic.qc.ca. 86400 IN NS ns1.com2media.ca. > 86400 IN NS ns2.com2media.ca. > > It appears ODS is ignoring the 4th level when the 3rd level exists > (presumably this behaviour would be different if the NS RRset differs, > but I've yet to confirm that). > > I didn't expect zones to disappear from the signed zone, in any case, > and makes our post-signing validation checks fail. > > Can this be considered a bug?
Well, it was done on purpose, as this is data you are not authoritative for. I'm not sure which text in which RFC convinced me to do so, but if you operate on files this shouldn't matter much: The data may not be served anyway. I believe it doesn't do harm, so we can remove the check so that all occluded data (not only glue) remain in the signed zone file. RFC 5936 though says that for zone transfers, the occluded names should be present. So I think this needs to be fixed for the DNS adapters. Best regards, Matthijs > > Thanks, > > -Jake > > _______________________________________________ > Opendnssec-user mailing list > [email protected] > https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Opendnssec-user mailing list [email protected] https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
