2019-09-05 20:07:36 |
TJ |
description |
On 18.04 with bind9/bionic-updates,bionic-proposed,now 1:9.11.3+dfsg-1ubuntu1.9
Where a zone file has DNSSEC enabled and an NSEC3PARAM record is added to the already-signed zone file:
example.com. IN NSEC3PARAM ( 1 0 10 16 0d95646237ae38bc )
an attempt to re-sign the zone file fails with:
dnssec-signzone -o example.com example.com.hosts
dnssec-signzone: error: dns_rdata_fromtext: example.com.hosts:165: near '0d95646237ae38bc': extra input text
dnssec-signzone: fatal: failed loading zone from 'example.com.hosts': extra input text
This seems related to upstream report "Problems signing a zone that already contains an NSEC3PARAM"
https://gitlab.isc.org/isc-projects/bind9/issues/953 |
On 18.04 with bind9/bionic-updates,bionic-proposed,now 1:9.11.3+dfsg-1ubuntu1.9
This prevents Certbot Let's Encrypt validation and therefore certificate issuance when the zone is configured to use NSEC3.
NSEC3 is valuable in preventing DNSSEC NSEC zone walking to discover all RR records in the zone.
Where a zone file has DNSSEC enabled and an NSEC3PARAM record is added to the already-signed zone file:
example.com. IN NSEC3PARAM ( 1 0 10 16 0d95646237ae38bc )
an attempt to re-sign the zone file fails with:
dnssec-signzone -o example.com example.com.hosts
dnssec-signzone: error: dns_rdata_fromtext: example.com.hosts:165: near '0d95646237ae38bc': extra input text
dnssec-signzone: fatal: failed loading zone from 'example.com.hosts': extra input text
This seems related to upstream report "Problems signing a zone that already contains an NSEC3PARAM"
https://gitlab.isc.org/isc-projects/bind9/issues/953 |
|
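As an added example (not code from the bug report or from BIND), a small parser for the NSEC3PARAM presentation format as laid out in RFC 5155 section 4.3, which consumes the four RDATA fields (hash algorithm, flags, iterations, salt) and then reports any leftover token with the same "near '...': extra input text" wording that dns_rdata_fromtext uses above; the function names and the two sample lines are constructed for this illustration.

```python
from dataclasses import dataclass

@dataclass
class Nsec3Param:
    owner: str
    hash_alg: int    # 1 = SHA-1, the only hash RFC 5155 defines
    flags: int       # RFC 5155 defines no flags for NSEC3PARAM
    iterations: int
    salt: bytes      # b"" when the record gives the salt as "-"

class RdataError(ValueError):
    """Mirrors the shape of BIND's dns_rdata_fromtext diagnostics."""

def _uint(token: str, name: str, limit: int) -> int:
    if not token.isdigit() or int(token) > limit:
        raise RdataError(f"near '{token}': bad {name}")
    return int(token)

def parse_nsec3param(line: str) -> Nsec3Param:
    """Parse one NSEC3PARAM record in presentation format (RFC 5155 s4.3):
    owner [TTL] [class] NSEC3PARAM hash-alg flags iterations salt
    where salt is a run of hex digits or '-' for an empty salt."""
    # drop comments and the grouping parentheses zone files allow
    tokens = line.split(";", 1)[0].replace("(", " ").replace(")", " ").split()
    if not tokens:
        raise RdataError("empty record")
    owner, rest = tokens[0], tokens[1:]
    while rest and rest[0].upper() != "NSEC3PARAM":   # skip optional TTL/class
        if rest[0].isdigit() or rest[0].upper() in ("IN", "CH", "HS"):
            rest.pop(0)
        else:
            raise RdataError(f"near '{rest[0]}': expected NSEC3PARAM")
    rdata = rest[1:]
    if len(rdata) < 4:
        raise RdataError("NSEC3PARAM needs 4 RDATA fields: hash-alg flags iterations salt")
    alg = _uint(rdata[0], "hash algorithm", 255)
    flags = _uint(rdata[1], "flags", 255)
    iters = _uint(rdata[2], "iterations", 65535)
    try:
        salt = b"" if rdata[3] == "-" else bytes.fromhex(rdata[3])
    except ValueError:
        raise RdataError(f"near '{rdata[3]}': bad salt hex") from None
    if len(rdata) > 4:
        # four fields consumed but tokens remain: the "extra input text" case
        raise RdataError(f"near '{rdata[4]}': extra input text")
    return Nsec3Param(owner, alg, flags, iters, salt)

# constructed sample lines: the record quoted in the report, and a four-field form
REPORTED = "example.com. IN NSEC3PARAM ( 1 0 10 16 0d95646237ae38bc )"
FOUR_FIELDS = "example.com. IN NSEC3PARAM 1 0 10 0d95646237ae38bc"
```

Running `parse_nsec3param(REPORTED)` raises `near '0d95646237ae38bc': extra input text`, because the token `16` is consumed as the (valid hex) salt and the real salt is left over, whereas `FOUR_FIELDS` parses cleanly.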