Re-marking as Invalid since I finally figured out today the erroneous RR
was not generated by dnssec-signzone but a 3rd party tool that
mistakenly writes the salt-length field too (which shouldn't be present
except in the on-the-wire RDATA).
** Changed in: bind9 (Ubuntu)
Status: Triaged =>
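The distinction drawn in the comment above (salt length exists only in wire-format RDATA, not in the zone-file text), as an added example that is not part of the original thread: a checker for NSEC3 RDATA in presentation format that flags a stray salt-length token. The function name, the sample records and the exact shape of the stray field (a separate decimal token before the salt) are assumptions; the thread does not show the erroneous RR.

```python
import re

HEX = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")       # even-length hex salt
B32HEX_SHA1 = re.compile(r"^[0-9A-Va-v]{32}$")   # 20-byte SHA-1 hash, unpadded base32hex

def check_nsec3_rdata(rdata):
    """Return (status, detail) for NSEC3 RDATA given in presentation format.

    Expected text fields: hash-alg flags iterations salt next-hashed-owner [types...]
    """
    f = rdata.split()
    if len(f) < 5:
        return ("malformed", "too few fields")
    if not all(x.isdigit() for x in f[:3]):
        return ("malformed", "non-numeric algorithm, flags or iterations")
    if f[0] != "1":
        return ("unsupported", "only hash algorithm 1 (SHA-1) is checked here")
    salt, next_hash = f[3], f[4]
    # Assumed signature of the bug: decimal length, then the real salt, then the hash.
    if len(f) >= 6 and salt.isdigit() and B32HEX_SHA1.match(f[5]):
        real = f[4]
        real_len = 0 if real == "-" else len(real) // 2 if HEX.match(real) else None
        if real_len is not None and int(salt) == real_len:
            return ("extra-salt-length", f"'{salt}' is the byte length of salt '{real}'")
    if salt != "-" and not HEX.match(salt):
        return ("malformed", "salt is neither '-' nor an even-length hex string")
    if not B32HEX_SHA1.match(next_hash):
        return ("malformed", "next hashed owner name is not 32 base32hex characters")
    return ("ok", "")

# Constructed sample records (not taken from the bug report).
HASH = "0123456789ABCDEFGHIJKLMNOPQRSTUV"
GOOD = f"1 0 10 AABBCCDD {HASH} A RRSIG"
BAD = f"1 0 10 4 AABBCCDD {HASH} A RRSIG"   # stray '4' = length of AABBCCDD

if __name__ == "__main__":
    for rec in (GOOD, BAD):
        print(check_nsec3_rdata(rec), "<-", rec)
```

A one-byte salt such as `08` is also all digits, so the check only fires when the token that follows is itself a valid salt of exactly that length and a well-formed hash comes after it.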
Thank you for taking the time to report this bug and helping to make
Ubuntu better.
It looks like the upstream bug has been acknowledged, so I'm marking the
Ubuntu task as Triaged. However, it doesn't look like we can do anything
in Ubuntu until there is a resolution upstream.
As it appears this
** Description changed:
On 18.04 with bind9/bionic-updates,bionic-proposed,now 1:9.11.3+dfsg-
1ubuntu1.9
+
+ This prevents Certbot Let's Encrypt validation and therefore certificate
+ issuance when the zone is configured to use NSEC3.
+
+ NSEC3 is valuable in preventing DNSSEC NSEC zone walk