libdnssec: ignore reserved bits in DNSKEY flags (!1751) · Merge requests · Knot projects / Knot DNS · GitLab

Snippets Groups Projects

Self sign-up has been disabled due to increased spam activity. If you want to get access, please send an email to a project owner (preferred) or at gitlab(at)nic(dot)cz. We apologize for the inconvenience.

Merged Vladimír Čunát requested to merge dnskey-flags into master 3 weeks ago

Otherwise Knot Resolver would be breaking a MUST at the very end of https://datatracker.ietf.org/doc/html/rfc4034#section-2.1.1

Real-life example: https://mailarchive.ietf.org/arch/msg/dd/W4lOTgd8-3NF0pbjtqP7YUz6Puk/

Approval is optional

Activity

Vladimír Čunát added bug libraries labels 3 weeks ago

added bug libraries labels
Vladimír Čunát @vcunat · 3 weeks ago

Author Owner

On a signer this check would be suitable, I believe, as that RFC paragraph says

these bits MUST have value 0 upon creation of the DNSKEY RR

but this part of code is shared with Knot Resolver's validator, too. (and I'm not sure about other cases like secondaries)

So a check for this might be added on a different place that is signer-specific.
Daniel Salzman merged 3 weeks ago

merged
Daniel Salzman mentioned in commit 23c4cc8f 3 weeks ago

mentioned in commit 23c4cc8f

Please register or sign in to reply