
DNSSEC fixes

Merged Ghost User requested to merge dnssec-fixes into master

Two fixes in this MR:

  1. Continuation of fix merged in !176 (merged). Knot was still generating RRSIGs for the old (wrong) NSEC3s, as it did not know that they would be removed. Fixed by marking nodes from which NSEC3s are to be removed, so that these are not signed in the next step. (Commit 38aeecc3)
  2. Function for saving removed NSEC/NSEC3 records into changeset (knot_nsec_changeset_remove()) was ignoring NSEC3 RRSIGs. (Commit 8b5f08ac). This probably manifested after UPDATE - a test should be added for this case.

Activity

  • 109 109 return true;
    110 110 }
    111 111
    112 static int mark_nsec3(knot_rrset_t *rrset, void *data)
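Review bot: mark_nsec3() at new line 112 follows the previous function directly with no comment, and its second parameter is an untyped void *data. Please add a short comment stating what the callback expects in data (the call at line 146 passes zone->nsec3_nodes) and what it returns on failure, so its contract with knot_changeset_apply() is clear to the next reader.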
  • Ghost User
    Ghost User @ghost started a thread on the diff
  • 131 knot_node_set_removed_nsec(node);
    132 }
    133 }
    134
    135 return KNOT_EOK;
    136 }
    137
    138 static int mark_removed_nsec3(knot_changeset_t *out_ch,
    139 const knot_zone_contents_t *zone)
    140 {
    141 if (zone->nsec3_nodes == NULL) {
    142 return KNOT_EOK;
    143 }
    144
    145 int ret = knot_changeset_apply(out_ch, KNOT_CHANGESET_REMOVE,
    146 mark_nsec3, (void *)zone->nsec3_nodes);
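Review bot: mark_removed_nsec3() dereferences zone at line 141 without checking it first, and out_ch is handed to knot_changeset_apply() at line 145 unchecked as well. Consider an early guard such as if (out_ch == NULL || zone == NULL) return KNOT_EINVAL; or an assert if every caller guarantees both. The (void *) cast on zone->nsec3_nodes at line 146 also deserves a one-line comment, since zone is const in this function while the callback marks nodes via knot_node_set_removed_nsec() at line 131.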
  • Author Contributor

    OK, everything should be fixed. Also merged current master into the branch. Probably can be merged.
