dnssec-signzone: error when CAA record exists
Bug #1843551 reported by
TJ
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| bind9 (Ubuntu) |
Expired
|
Undecided
|
Unassigned | ||
Bug Description
On 18.04 with bind9/bionic-
When the zone file includes:
@ IN CAA "letsencrypt.org"
An error occurs when trying to sign the zone:
$ sudo dnssec-signzone -v 255 -o example.com example.com.hosts
dnssec-signzone: using 4 cpus
dnssec-signzone: error: dns_rdata_fromtext: example.
dnssec-signzone: fatal: failed loading zone from 'example.
This is unfortunate as it prevents achieving an optimum configuration including an advisory note from SSLLabs tests.
Revision history for this message
| Andreas Hasenack (ahasenack) wrote | #1 |
| Changed in bind9 (Ubuntu): | |
| status: | New → Incomplete |
Revision history for this message
| Launchpad Janitor (janitor) wrote | #2 |
| Changed in bind9 (Ubuntu): | |
| status: | Incomplete → Expired |
To post a comment you must log in.
Hello,
I believe your record has an incorrect syntax. It should be:
@ IN CAA <flag> issue <domain>
where <flag> is a number. Hence the complain from the tool that character position 14 is not a valid number.
The line you used gives an error already when reloading the zone, with the same message.
Can you please try the following:
@ IN CAA 0 issue "letsencrypt.org"