Date: Fri, 24 Jul 2020 17:43:23 +0000
From: bugzilla-noreply@freebsd.org
To: net@FreeBSD.org
Subject: [Bug 248239] local_unbound: Fails to resolve europris.no fail after 11.3->11.4 upgrade
Message-ID: <bug-248239-7501-jbK19AayhK@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-248239-7501@https.bugs.freebsd.org/bugzilla/>
References: <bug-248239-7501@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=248239

Viktor Dukhovni <ietf-dane@dukhovni.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |ietf-dane@dukhovni.org

--- Comment #7 from Viktor Dukhovni <ietf-dane@dukhovni.org> ---
If ed25519 is not supported in a resolver, it should treat zones that are
signed only with ed25519 as "unsigned". If it instead ServFails, then that's
a bug.

What exactly happens with lookup for the reported zone? Its DS RRs list
only ed25519:

  europris.no. IN DS 25323 15 2 ...
  europris.no. IN DS 25323 15 4 ...

But its DNSKEY RRset has both P256 and ED25519 keys and is signed by all:

  europris.no. IN DNSKEY 257 3 15 ...
  europris.no. IN DNSKEY 256 3 15 ...
  europris.no. IN DNSKEY 257 3 13 ...
  europris.no. IN DNSKEY 256 3 13 ...
  europris.no. IN RRSIG DNSKEY 13 2 3600 <validity> 14997 ...
  europris.no. IN RRSIG DNSKEY 13 2 3600 <validity> 46820 ...
  europris.no. IN RRSIG DNSKEY 15 2 3600 <validity> 25323 ...
  europris.no. IN RRSIG DNSKEY 15 2 3600 <validity> 39946 ...

The SOA is signed with both ZSKs:

  europris.no. IN SOA ns1.hyp.net. hostmaster@domeneshop.no. ...
  europris.no. IN RRSIG SOA 13 2 3600 <validity> 14997 ...
  europris.no. IN RRSIG SOA 15 2 3600 <validity> 39946 ...

A resolver that does not support ed25519 should treat this zone as unsigned,
since the DS RRs don't include any other algorithm. Perhaps with P256 in the
DNSKEY RRset, the resolver failed to reach that conclusion? That would be a
bug.

Or does the resolver "think" it has ed25519 support, expecting it to work, and
then reports errors when loading ed25519 keys fails?

While not having ed25519 is not a bug, failing to resolve DNSSEC domains that
require ed25519 is a bug. So this looks prematurely closed.
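The DS-driven decision the comment above describes, as an added example that is not part of the bug report and not unbound's own code: a validator that supports none of the DS algorithms or digest types treats the delegation as insecure (unsigned), never as a failure. The record tuples are constructed from the europris.no data quoted above; the mapping of key tags to individual DNSKEY records is an assumption.

```python
# Added example (not from the bug report or from unbound). Implements the
# delegation classification of RFC 4035 s.5.2 / RFC 6840 s.5.2 on constructed
# data that mirrors the europris.no records quoted in the comment.

# DNSSEC algorithm numbers seen in the records: 13 = ECDSAP256SHA256, 15 = ED25519.
ECDSAP256SHA256, ED25519 = 13, 15
# DS digest types seen in the records: 2 = SHA-256, 4 = SHA-384.
SHA256, SHA384 = 2, 4


def classify_delegation(ds_rrset, dnskey_rrset, supported_algs, supported_digests):
    """Return 'insecure', 'validate' or 'bogus' for a delegation with DS records.

    ds_rrset:     list of (keytag, algorithm, digest_type) tuples
    dnskey_rrset: list of (keytag, algorithm) tuples
    A DS is usable only if the resolver supports both its algorithm and its
    digest type. If no DS is usable the zone is treated as unsigned, so a
    resolver without ed25519 must answer insecure, not ServFail.
    """
    usable = [ds for ds in ds_rrset
              if ds[1] in supported_algs and ds[2] in supported_digests]
    if not usable:
        return "insecure"
    # Some DS is usable: a DNSKEY with the same key tag and algorithm must exist.
    # Extra keys in the DNSKEY RRset (here the P-256 ones) do not change the
    # outcome unless a DS refers to them.
    for keytag, alg, _digest in usable:
        if (keytag, alg) in dnskey_rrset:
            return "validate"
    return "bogus"


# Constructed from the quoted records; key tag to key assignment is assumed
# (25323 = ed25519 KSK, 39946 = ed25519 ZSK, 46820 = P-256 KSK, 14997 = P-256 ZSK).
EUROPRIS_DS = [(25323, ED25519, SHA256), (25323, ED25519, SHA384)]
EUROPRIS_DNSKEY = [(25323, ED25519), (39946, ED25519),
                   (46820, ECDSAP256SHA256), (14997, ECDSAP256SHA256)]
DIGESTS = {SHA256, SHA384}


def resolver_without_ed25519():
    # Expected: "insecure" (treat as unsigned, resolution succeeds)
    return classify_delegation(EUROPRIS_DS, EUROPRIS_DNSKEY, {ECDSAP256SHA256}, DIGESTS)


def resolver_with_ed25519():
    # Expected: "validate" (DS 25323/15 matches an ed25519 DNSKEY)
    return classify_delegation(EUROPRIS_DS, EUROPRIS_DNSKEY,
                               {ECDSAP256SHA256, ED25519}, DIGESTS)
```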