dnssec-signzone: error when CAA record exists
Bug #1843551 reported by TJ
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
bind9 (Ubuntu) | Expired | Undecided | Unassigned |
Bug Description
On 18.04 with bind9/bionic-
When the zone file includes:
@ IN CAA "letsencrypt.org"
An error occurs when trying to sign the zone:
$ sudo dnssec-signzone -v 255 -o example.com example.com.hosts
dnssec-signzone: using 4 cpus
dnssec-signzone: error: dns_rdata_fromtext: example.
dnssec-signzone: fatal: failed loading zone from 'example.
This is unfortunate as it prevents achieving an optimum configuration including an advisory note from SSLLabs tests.
Hello,
I believe your record has an incorrect syntax. It should be:
@ IN CAA <flag> issue <domain>
where <flag> is a number. Hence the complaint from the tool that character position 14 is not a valid number.
The line you used gives an error already when reloading the zone, with the same message.
Can you please try the following:
@ IN CAA 0 issue "letsencrypt.org"
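
A pre-signing check for the `<flag> <tag> <value>` syntax described in the reply above, as an added example that is not part of the bug report, its comments, or BIND itself. The function names, the line regex (single-line records with a plain numeric TTL) and the sample zone text are assumptions made for illustration.

```python
import re
import shlex

# owner (optional), TTL/class in either order (optional), then the CAA type.
# Simplification: single-line records with a plain numeric TTL.
CAA_LINE = re.compile(r"^\S*\s+(?:\d+\s+)?(?:IN\s+)?(?:\d+\s+)?CAA\s+(.*)$", re.I)


def check_caa_rdata(rdata):
    """Check CAA RDATA in presentation format: <flag> <tag> <value>.
    Returns a list of problems; an empty list means well-formed."""
    lex = shlex.shlex(rdata, posix=True)
    lex.whitespace_split = True
    lex.commenters = ";"  # zone-file comments; ';' inside quotes is kept
    try:
        fields = list(lex)
    except ValueError as exc:
        return [f"bad quoting: {exc}"]
    problems = []
    flag = fields[0] if fields else ""
    if not re.fullmatch(r"[0-9]{1,3}", flag) or int(flag) > 255:
        problems.append(f"flag {flag!r} is not a number in 0..255")
    if len(fields) != 3:
        problems.append(f"expected <flag> <tag> <value>, got {len(fields)} field(s)")
    elif not re.fullmatch(r"[A-Za-z0-9]+", fields[1]):
        problems.append(f"tag {fields[1]!r} must be alphanumeric")
    return problems


def check_zone_text(text):
    """Return (line_number, problem) for every malformed CAA record in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith(";"):
            continue  # whole-line comment
        m = CAA_LINE.match(line)
        if m:
            findings += [(lineno, p) for p in check_caa_rdata(m.group(1))]
    return findings


# Constructed sample: the record from the report, the corrected record from
# the reply, and a value carrying a ';' parameter inside its quotes.
SAMPLE = """@ IN CAA "letsencrypt.org"
@ IN CAA 0 issue "letsencrypt.org"
@ 3600 IN CAA 0 issue "letsencrypt.org; validationmethods=dns-01"
"""

if __name__ == "__main__":
    for lineno, problem in check_zone_text(SAMPLE):
        print(f"line {lineno}: {problem}")
```

Only the first sample line is reported, once for the non-numeric flag and once for the field count.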