Hi,
I found a bug which inserts two NSEC3PARAM records in a signed zone.
It happens in all OpenDNSSEC 1.4 versions.
To reproduce it in a test, I set Denial->NSEC3->Resalt=PT900S in kasp.xml so that
it is updated within a short period.
The occurrence could be confirmed with an unspecified domain name each time.
This patch prevents the issue by removing the old NSEC3PARAM records.
--- signer/src/signer/zone.c.org 2015-10-05 12:08:00.055590173 +0000
+++ signer/src/signer/zone.c 2015-10-08 02:36:13.768982694 +0000
@@ -373,6 +373,12 @@
ldns_set_bit(ldns_rdf_data(ldns_rr_rdf(rr, 1)), 7, 0);
zone->signconf->nsec3params->rr = rr;
}
+
+ rrset = zone_lookup_rrset(zone, zone->apex, LDNS_RR_TYPE_NSEC3PARAMS);
+ if (rrset) {
+ zone_del_rr(zone, LDNS_RR_TYPE_NSEC3PARAMS, 1);
+ }
+
ods_log_assert(zone->signconf->nsec3params->rr);
status = zone_add_rr(zone, zone->signconf->nsec3params->rr, 0);
if (status == ODS_STATUS_UNCHANGED) {
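Review bot: zone_del_rr() in the added block is passed the type constant LDNS_RR_TYPE_NSEC3PARAMS as its second argument, while the zone_add_rr() call just below passes an RR pointer (zone->signconf->nsec3params->rr) in that position. If zone_del_rr() likewise expects an RR, this call will not remove the stale record, and the rrset that was just looked up is only tested for non-NULL and never used. Suggest walking the RRs held in rrset, deleting each one, and checking the returned status. The deletion also runs unconditionally before zone_add_rr(), so the ODS_STATUS_UNCHANGED branch that follows may behave differently when the parameters have not changed; consider deleting only when the existing record differs from the new one. A one-line comment saying that the old NSEC3PARAM is dropped on resalt would also help the next reader.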
Best regards,
--
Nagai