Ticket #411 (closed defect: fixed)
Invalid signer in RRSIG for CNAME where CNAME target zone is on the same server
|Reported by:||anon||Owned by:||somebody|
RFC4035: "The RRSIG Signer's Name field is equal to the name of the zone containing the RRset".
But for CNAME, the RRSIG gets the target zone, when the target zone is on the same server.
For CNAME against external zones it works correctly.
Example: # dig +dnssec a badwww.onlinesigning.se @220.127.116.11 [snip] RRSIG CNAME 8 3 3600 20111222000000 20111208000000 32493 onlinesigning.net. [snip]
but # dig +dnssec cname badwww.onlinesigning.se @18.104.22.168 [snip] RRSIG CNAME 8 3 3600 20111222000000 20111208000000 32493 onlinesigning.se. [snip]
the target of the CNAME is net010.onlinesigning.net (which is also handled by 22.214.171.124).
This problem means that a validating bind resolves to SERVFAIL, since the signature is invalid.
A patch for the problem is attached to the ticket.