Ticket #411 (closed defect: fixed)

Opened 18 months ago

Last modified 18 months ago

Invalid signer in RRSIG for CNAME where CNAME target zone is on the same server

Reported by: anon Owned by: somebody
Priority: high Milestone:
Component: component1 Version:
Severity: normal Keywords:
Cc:

Description

Hi

RFC4035: "The RRSIG Signer's Name field is equal to the name of the zone containing the RRset".

But for CNAME, the RRSIG gets the target zone, when the target zone is on the same server.

For CNAME against external zones it works correctly.

Example: # dig +dnssec a badwww.onlinesigning.se @212.247.189.97 [snip] RRSIG CNAME 8 3 3600 20111222000000 20111208000000 32493 onlinesigning.net. [snip]

but # dig +dnssec cname badwww.onlinesigning.se @212.247.189.97 [snip] RRSIG CNAME 8 3 3600 20111222000000 20111208000000 32493 onlinesigning.se. [snip]

the target of the CNAME is net010.onlinesigning.net (which is also handled by 212.247.189.97).

This problem means that a validating bind resolves to SERVFAIL, since the signature is invalid.

A patch for the problem is attached to the ticket.

Attachments

pdns-trunk-r2313-fix-cname-internal-zone-rrsig-signer.1.patch Download (2.6 KB) - added by anon 18 months ago.
Patch fixing the problem

Change History

Changed 18 months ago by anon

Patch fixing the problem

Changed 18 months ago by peter

  • status changed from new to closed
  • resolution set to fixed

Accepted as r2314. Thanks!

Note: See TracTickets for help on using tickets.