[Bug 248239] local_unbound: Fails to resolve europris.no after 11.3->11.4 upgrade

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Fri Jul 24 17:43:24 UTC 2020


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=248239

Viktor Dukhovni <ietf-dane at dukhovni.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |ietf-dane at dukhovni.org

--- Comment #7 from Viktor Dukhovni <ietf-dane at dukhovni.org> ---
If ed25519 is not supported in a resolver, it should treat zones that are
signed only with ed25519 as "unsigned".  If it instead ServFails, then that's a
bug.  What exactly happens with lookup for the reported zone?

Its DS RRs list only ed25519:

  europris.no. IN DS 25323 15 2 ...
  europris.no. IN DS 25323 15 4 ...

But its DNSKEY RRset has both P256 and ED25519 keys and is signed by all:

  europris.no. IN DNSKEY 257 3 15 ...
  europris.no. IN DNSKEY 256 3 15 ...
  europris.no. IN DNSKEY 257 3 13 ...
  europris.no. IN DNSKEY 256 3 13 ...
  europris.no. IN RRSIG DNSKEY 13 2 3600 <validity> 14997 ...
  europris.no. IN RRSIG DNSKEY 13 2 3600 <validity> 46820 ...
  europris.no. IN RRSIG DNSKEY 15 2 3600 <validity> 25323 ...
  europris.no. IN RRSIG DNSKEY 15 2 3600 <validity> 39946 ...

The SOA is signed with both ZSKs:

  europris.no. IN SOA ns1.hyp.net. hostmaster at domeneshop.no. ...
  europris.no. IN RRSIG SOA 13 2 3600 <validity> 14997 ...
  europris.no. IN RRSIG SOA 15 2 3600 <validity> 39946 ...

A resolver that does not support ed25519 should treat this zone as unsigned,
since the DS RRs don't include any other algorithm.  Perhaps with P256 in the
DNSKEY RRset, the resolver failed to reach that conclusion?  That would be a
bug.  Or does the resolver "think" it has ed25519 support, expecting it to
work, and then reports errors when loading ed25519 keys fails?

While not having ed25519 is not a bug, failing to resolve DNSSEC domains that
require ed25519 is a bug.  So this looks prematurely closed.

-- 
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
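The decision the comment above describes (RFC 6840 section 5.2: a validator
ignores DS records whose algorithm or digest type it cannot use, and if no
DS record remains it treats the child zone as unsigned rather than bogus)
can be modelled directly.  The following is an added illustration, not code
from unbound, local_unbound or the bug report.  The record data is the
europris.no delegation as quoted above (key tags, algorithm and digest type
numbers only; the digests and signatures themselves are omitted), and the
"crypto backend" is a plain set of algorithm numbers standing in for a real
library probe.  The two extra classifiers model the two hypotheses raised in
the comment: deciding from the DNSKEY RRset instead of the DS RRset, and
keeping a DS because its algorithm is in the resolver's algorithm table even
though the key cannot actually be loaded.

```python
"""Model of DS selection at a delegation (RFC 6840 section 5.2).

Outcomes: INSECURE means "treat the child as unsigned and answer normally",
SECURE means "a usable DS matched a DNSKEY, continue validation",
BOGUS means "validation cannot succeed", which a resolver reports as SERVFAIL.
"""
from dataclasses import dataclass

INSECURE = "insecure"
SECURE = "secure"
BOGUS = "bogus"

ECDSAP256SHA256 = 13   # DNSSEC algorithm number for P-256 / SHA-256
ED25519 = 15           # DNSSEC algorithm number for Ed25519
SHA256_DIGEST, SHA384_DIGEST = 2, 4   # DS digest types


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int


@dataclass(frozen=True)
class DNSKEY:
    flags: int        # 257 = KSK (SEP bit set), 256 = ZSK
    algorithm: int
    key_tag: int


# Constructed from the records quoted in the bug report: the parent publishes
# DS records for the Ed25519 KSK only, while the child's DNSKEY RRset carries
# both the Ed25519 pair and a P-256 pair.
EUROPRIS_DS = (DS(25323, ED25519, SHA256_DIGEST), DS(25323, ED25519, SHA384_DIGEST))
EUROPRIS_DNSKEY = (
    DNSKEY(257, ED25519, 25323),
    DNSKEY(256, ED25519, 39946),
    DNSKEY(257, ECDSAP256SHA256, 46820),
    DNSKEY(256, ECDSAP256SHA256, 14997),
)


def _match_ds_to_key(usable_ds, dnskey_rrset):
    """Return the DNSKEY matched by some usable DS, or None.  A real validator
    would also hash the key, compare it with the DS digest and verify the
    RRSIG over the DNSKEY RRset with that key."""
    for ds in usable_ds:
        for key in dnskey_rrset:
            if key.key_tag == ds.key_tag and key.algorithm == ds.algorithm:
                return key
    return None


def classify_delegation(ds_rrset, dnskey_rrset, loadable_algs, supported_digests):
    """Correct behaviour: filter the DS RRset by what the backend can really do."""
    usable = [ds for ds in ds_rrset
              if ds.algorithm in loadable_algs and ds.digest_type in supported_digests]
    if not usable:
        return INSECURE          # no supported DS: the delegation is unsigned for us
    return SECURE if _match_ds_to_key(usable, dnskey_rrset) else BOGUS


def classify_by_dnskey_algorithms(ds_rrset, dnskey_rrset, loadable_algs, supported_digests):
    """Hypothesis 1 (wrong): "can I validate this zone?" is answered from the
    DNSKEY RRset.  The P-256 keys make it look validatable, but no DS covers
    them and the Ed25519 DS is unusable, so the zone ends up bogus."""
    if not any(key.algorithm in loadable_algs for key in dnskey_rrset):
        return INSECURE
    usable = [ds for ds in ds_rrset
              if ds.algorithm in loadable_algs and ds.digest_type in supported_digests]
    return SECURE if _match_ds_to_key(usable, dnskey_rrset) else BOGUS


def classify_with_advertised_support(ds_rrset, dnskey_rrset, advertised_algs,
                                     loadable_algs, supported_digests):
    """Hypothesis 2 (wrong): the DS is kept because the algorithm number is in
    the resolver's table of known algorithms; the key load then fails in the
    crypto library and the failure is reported as a validation error."""
    usable = [ds for ds in ds_rrset
              if ds.algorithm in advertised_algs and ds.digest_type in supported_digests]
    if not usable:
        return INSECURE
    key = _match_ds_to_key(usable, dnskey_rrset)
    if key is None or key.algorithm not in loadable_algs:
        return BOGUS             # unloadable key surfaces as SERVFAIL
    return SECURE


if __name__ == "__main__":
    digests = {1, SHA256_DIGEST, SHA384_DIGEST}
    without_ed25519 = {8, ECDSAP256SHA256}
    with_ed25519 = {8, ECDSAP256SHA256, ED25519}
    print("correct, no Ed25519:", classify_delegation(EUROPRIS_DS, EUROPRIS_DNSKEY, without_ed25519, digests))
    print("correct, Ed25519:   ", classify_delegation(EUROPRIS_DS, EUROPRIS_DNSKEY, with_ed25519, digests))
    print("hypothesis 1:       ", classify_by_dnskey_algorithms(EUROPRIS_DS, EUROPRIS_DNSKEY, without_ed25519, digests))
    print("hypothesis 2:       ", classify_with_advertised_support(EUROPRIS_DS, EUROPRIS_DNSKEY, with_ed25519, without_ed25519, digests))
```

The point of the model is the difference between the first classifier and the
other two on the same input: with Ed25519 absent from the backend, the correct
rule yields "insecure" and the domain resolves, while either wrong rule yields
"bogus" and the resolver SERVFAILs.  The same filter also covers an unsupported
DS digest type, which is why the digest set is a separate input.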
