  1. OpenDNSSEC
  2. OPENDNSSEC-550

CLONE - Deal with errata 3441 of RFC 5155

    Details

    • Type: Story
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 1.3.16, 1.4.3
    • Fix Version/s: 1.3.17
    • Component/s: Signer
    • Labels:
    • Sprint:
      1.3.17

      Description

      RFC 5155 has a contradiction when dealing with empty non-terminals: It always requires sending an NSEC3 when QTYPE is not DS, but in some scenarios it is not required to add an NSEC3 record when signing. One such scenario is an empty non-terminal derived from an unsigned delegation.

      Errata 3441 resolves that by fixing the name server and validator. We do not have to do anything. But since fixing interoperability between errata3441-compatible servers and errata3441-incompatible ones is easily achieved by adding an NSEC3 record, I argue we should always put NSEC3 records on empty non-terminals.

              People

              Assignee:
              matthijs Matthijs Mekking
              Reporter:
              matthijs Matthijs Mekking
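
The signing choice in the description, worked through on a constructed zone. This is an added example, not OpenDNSSEC code and not part of the ticket. It assumes the RFC 5155 section 7.1 rule that, with Opt-Out, an empty non-terminal (ENT) derived only from insecure delegations may be left without an NSEC3 record; the zone contents, function names and the `always_ent` switch are hypothetical, and the zone is assumed to contain no glue or occluded names.

```python
"""Which owner names get an NSEC3 record: RFC 5155 minimum vs. always covering ENTs."""

# Constructed sample zone (not from the ticket): owner name -> kind.
# "auth" = authoritative data, "secure" = delegation with DS,
# "insecure" = delegation without DS (the ticket's "unsigned delegation").
APEX = "example."
ZONE = {
    "example.": "auth",
    "www.example.": "auth",
    "a.b.example.": "auth",          # b.example. is an ENT above signed data
    "child.x.example.": "insecure",  # x.example. is an ENT above an unsigned delegation only
    "sub.y.example.": "secure",      # y.example. is an ENT above a signed delegation
    "h.z.example.": "insecure",      # z.example. is an ENT above mixed names
    "k.z.example.": "auth",
}

def ancestors(name, apex):
    """Yield the names strictly between `name` and the apex (assumes no escaped dots)."""
    labels = name.rstrip(".").split(".")
    depth = len(apex.rstrip(".").split("."))
    for i in range(1, len(labels) - depth):
        yield ".".join(labels[i:]) + "."

def empty_non_terminals(zone, apex):
    """Map each ENT to the kinds of the existing names below it."""
    ents = {}
    for name, kind in zone.items():
        for anc in ancestors(name, apex):
            if anc not in zone:
                ents.setdefault(anc, set()).add(kind)
    return ents

def nsec3_owners(zone, apex, opt_out, always_ent):
    """Original owner names that receive an NSEC3 record under the given policy."""
    # With Opt-Out, insecure delegations need no NSEC3 of their own.
    owners = {n for n, k in zone.items() if not (opt_out and k == "insecure")}
    for ent, kinds in empty_non_terminals(zone, apex).items():
        skippable = opt_out and kinds == {"insecure"}
        if always_ent or not skippable:
            owners.add(ent)
    return owners

if __name__ == "__main__":
    minimal = nsec3_owners(ZONE, APEX, opt_out=True, always_ent=False)
    always = nsec3_owners(ZONE, APEX, opt_out=True, always_ent=True)
    print("ENTs:", sorted(empty_non_terminals(ZONE, APEX)))
    print("extra NSEC3 owners when always covering ENTs:", sorted(always - minimal))
```

Only the ENT that sits above nothing but unsigned delegations differs between the two policies, which is the single extra NSEC3 record the ticket proposes to add.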