Public bug reported:

It seems zonesigner (through dnssec-signzone?) decides to include in the
zone being signed DS records for subzones/child zones that have key
material on disk, even though there are NO DS RECORDS in the zone being
signed at that time.

This just bit me up the a**e.
DNSSEC tools should NOT mess with my zone data other than adding RRSIGs/DNSKEYs.

Also, this behaviour breaks DNSSEC as prepublishing of DNSKEY material
is somewhat impossible this way.

Steps to reproduce:
- Sign example.tld
- Sign sub.example.tld
- Add 'sub IN NS ..' records to example.tld pointing to the same NS-set as example.tld
- Re-sign example.tld

The DS for sub.example.tld is automatically included.
(Key material for all zones has to be in the same directory; I think this is caused by use of the -S option to dnssec-signzone.)

** Affects: dnssec-tools (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1075156

Title:
  Zonesigner decides on its own to include DS for signed childzone.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dnssec-tools/+bug/1075156/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
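A check that catches the behaviour described in this report before a signed zone is published. This is an added example, not code from dnssec-tools or BIND: it compares the record set of the unsigned input zone with the signer's output and reports any record the signer introduced that is not a DNSSEC-generated type (RRSIG, DNSKEY, NSEC/NSEC3/NSEC3PARAM, CDS/CDNSKEY), which is exactly how an unrequested DS for a child zone shows up. The zone text below is constructed for the example, and the parser assumes fully qualified, one-record-per-line records, which is the form dnssec-signzone writes.

```python
"""Report records a zone signer added on its own.

Added example for the bug report above; not part of dnssec-tools or BIND.
Compares the unsigned input zone with the signed output and flags any
record that is neither present in the input nor a DNSSEC-generated type.
"""

# Record types a signer is expected to add on its own.
DNSSEC_GENERATED = {"RRSIG", "DNSKEY", "NSEC", "NSEC3", "NSEC3PARAM", "CDS", "CDNSKEY"}

# Constructed unsigned example.tld zone: a delegation for sub, no DS.
UNSIGNED_ZONE = """\
; constructed unsigned example.tld zone
example.tld.     3600 IN SOA  ns1.example.tld. hostmaster.example.tld. 2012110601 7200 3600 1209600 3600
example.tld.     3600 IN NS   ns1.example.tld.
ns1.example.tld. 3600 IN A    192.0.2.1
sub.example.tld. 3600 IN NS   ns1.example.tld.
"""

# Constructed signed output: serial bumped, DNSSEC records added, and a DS
# for sub.example.tld that was never in the input zone.
SIGNED_ZONE = """\
; constructed signed output of example.tld
example.tld.     3600 IN SOA  ns1.example.tld. hostmaster.example.tld. 2012110602 7200 3600 1209600 3600
example.tld.     3600 IN NS   ns1.example.tld.
example.tld.     3600 IN DNSKEY 257 3 8 AwEAAexampleKSKdata==
example.tld.     3600 IN RRSIG SOA 8 2 3600 20121201000000 20121101000000 12345 example.tld. c2lnbmF0dXJl
example.tld.     3600 IN NSEC ns1.example.tld. NS SOA RRSIG NSEC DNSKEY
ns1.example.tld. 3600 IN A    192.0.2.1
sub.example.tld. 3600 IN NS   ns1.example.tld.
sub.example.tld. 3600 IN DS   54321 8 2 ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789
"""


def parse_zone(text):
    """Return a set of (owner, rrtype, rdata) tuples from one-record-per-line zone text.

    TTL and class are ignored so that a TTL rewrite by the signer is not
    reported as a changed record. Comments and blank lines are skipped.
    Assumes fully qualified names and single-line records ($ORIGIN, $TTL,
    relative names and parenthesised multi-line records are not handled).
    """
    records = set()
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        owner, rrtype = fields[0], fields[3]
        rdata = " ".join(fields[4:])
        records.add((owner.lower(), rrtype.upper(), rdata))
    return records


def unexpected_additions(unsigned_text, signed_text):
    """Records the signer introduced that are neither in the input nor DNSSEC-generated.

    A record is flagged when its (owner, type) pair did not exist at all in
    the input zone; this lets the signer's SOA serial bump through while
    still catching a DS that appears for a delegation that had none.
    """
    before = parse_zone(unsigned_text)
    after = parse_zone(signed_text)
    known_rrsets = {(owner, rrtype) for owner, rrtype, _ in before}
    return sorted(
        (owner, rrtype, rdata)
        for owner, rrtype, rdata in after - before
        if rrtype not in DNSSEC_GENERATED and (owner, rrtype) not in known_rrsets
    )


def modified_rrsets(unsigned_text, signed_text):
    """Existing (owner, type) rrsets whose rdata changed or disappeared.

    SOA is excluded because a signer legitimately bumps the serial.
    """
    before = parse_zone(unsigned_text)
    after = parse_zone(signed_text)
    changed = set()
    for owner, rrtype, rdata in before:
        if rrtype != "SOA" and (owner, rrtype, rdata) not in after:
            changed.add((owner, rrtype))
    return sorted(changed)


if __name__ == "__main__":
    for owner, rrtype, rdata in unexpected_additions(UNSIGNED_ZONE, SIGNED_ZONE):
        print("signer injected:", owner, rrtype, rdata)
    for owner, rrtype in modified_rrsets(UNSIGNED_ZONE, SIGNED_ZONE):
        print("signer changed:", owner, rrtype)
```

To run this against real files, pass the contents of the unsigned zone and of the `.signed` output to the two functions. The unsigned file usually needs normalising first so that names are fully qualified and records are one per line (for example by dumping it in canonical form with `named-checkzone -D`), otherwise the parser's simplifying assumptions do not hold and every record would appear changed.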