[Bug 1842939] Re: dnssec-signzone: error when NSEC3PARAM record exists

2019-09-12 Thread TJ
Re-marking as Invalid since I finally figured out today the erroneous RR
was not generated by dnssec-signzone but a 3rd party tool that
mistakenly writes the salt-length field too (which shouldn't be present
except in the on-the-wire RDATA).


** Changed in: bind9 (Ubuntu)
   Status: Triaged => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1842939

Title:
  dnssec-signzone: error when NSEC3PARAM record exists

To manage notifications about this bug go to:
https://bugs.launchpad.net/bind/+bug/1842939/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
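
An added example, not part of the original thread or of BIND: a small Python checker for NSEC3PARAM RDATA in presentation format (RFC 5155). It rejects the five-field record quoted in the bug description and shows that the salt length appears only in the wire encoding. The function names and the salt-length heuristic are assumptions of this example.

```python
import binascii
import struct

# RDATA taken from the record quoted in the bug description (five fields).
BAD_RDATA = "( 1 0 10 16 0d95646237ae38bc )"
# The same parameters in presentation format: algorithm, flags, iterations, salt.
GOOD_RDATA = "1 0 10 0d95646237ae38bc"


def parse_nsec3param(rdata_text):
    """Parse presentation-format NSEC3PARAM RDATA; raise ValueError if malformed."""
    fields = rdata_text.replace("(", " ").replace(")", " ").split()
    if len(fields) != 4:
        hint = ""
        # Heuristic (assumption of this example): a numeric 4th field equal to
        # the hex-digit or octet count of the 5th is a stray salt length.
        if (len(fields) == 5 and fields[3].isdigit()
                and int(fields[3]) in (len(fields[4]), len(fields[4]) // 2)):
            hint = " (field 4 looks like a salt length, which exists only on the wire)"
        raise ValueError("expected 4 fields, got %d%s" % (len(fields), hint))
    alg, flags, iterations = (int(f) for f in fields[:3])
    if not (0 <= alg <= 255 and 0 <= flags <= 255 and 0 <= iterations <= 65535):
        raise ValueError("numeric field out of range")
    # "-" denotes an empty salt; otherwise the salt is a hex string.
    salt = b"" if fields[3] == "-" else binascii.unhexlify(fields[3])
    if len(salt) > 255:
        raise ValueError("salt longer than 255 octets")
    return alg, flags, iterations, salt


def to_wire(alg, flags, iterations, salt):
    """Wire RDATA: alg(1) flags(1) iterations(2) salt-length(1) salt(n)."""
    return struct.pack("!BBHB", alg, flags, iterations, len(salt)) + salt


if __name__ == "__main__":
    print("wire:", to_wire(*parse_nsec3param(GOOD_RDATA)).hex())
    try:
        parse_nsec3param(BAD_RDATA)
    except ValueError as exc:
        print("rejected:", exc)
```

Running a check like this over third-party tool output before invoking dnssec-signzone catches the malformed record ahead of the zone load failure.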

[Bug 1842939] Re: dnssec-signzone: error when NSEC3PARAM record exists

2019-09-05 Thread Robie Basak
Thank you for taking the time to report this bug and helping to make
Ubuntu better.

It looks like the upstream bug has been acknowledged, so I'm marking the
Ubuntu task as Triaged. However, it doesn't look like we can do anything
in Ubuntu until there is a resolution upstream.

As it appears this is not a regression, I'm marking it as Importance:
Medium since I don't think this configuration is common enough to mark
it as High.

** Changed in: bind9 (Ubuntu)
   Status: New => Triaged

** Changed in: bind9 (Ubuntu)
   Importance: Undecided => Medium


[Bug 1842939] Re: dnssec-signzone: error when NSEC3PARAM record exists

2019-09-05 Thread TJ
** Description changed:

  On 18.04 with bind9/bionic-updates,bionic-proposed,now 1:9.11.3+dfsg-
  1ubuntu1.9
+ 
+ This prevents Certbot Let's Encrypt validation and therefore certificate
+ issuance when the zone is configured to use NSEC3.
+ 
+ NSEC3 is valuable in preventing DNSSEC NSEC zone walking to discover all
+ RR records in the zone.
  
  Where a zone file has DNSSEC enabled and an NSEC3PARAM record is added
  to the already-signed zone file:
  
  example.com.IN  NSEC3PARAM  ( 1 0 10 16 0d95646237ae38bc )
  
- 
  an attempt to re-sign the zone file fails with:
  
- dnssec-signzone -o example.com example.com.hosts 
+ dnssec-signzone -o example.com example.com.hosts
  dnssec-signzone: error: dns_rdata_fromtext: example.com.hosts:165: near 
'0d95646237ae38bc': extra input text
  dnssec-signzone: fatal: failed loading zone from 'example.com.hosts': extra 
input text
  
  This seems related to upstream report "Problems signing a zone that
  already contains an NSEC3PARAM"
  
  https://gitlab.isc.org/isc-projects/bind9/issues/953
