https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=248239
Viktor Dukhovni <ietf-d...@dukhovni.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |ietf-d...@dukhovni.org

--- Comment #7 from Viktor Dukhovni <ietf-d...@dukhovni.org> ---
If ed25519 is not supported in a resolver, it should treat zones that are
signed only with ed25519 as "unsigned". If it instead ServFails, then that's
a bug.

What exactly happens with lookup for the reported zone? Its DS RRs list only
ed25519:

    europris.no. IN DS 25323 15 2 ...
    europris.no. IN DS 25323 15 4 ...

But its DNSKEY RRset has both P256 and ED25519 keys and is signed by all:

    europris.no. IN DNSKEY 257 3 15 ...
    europris.no. IN DNSKEY 256 3 15 ...
    europris.no. IN DNSKEY 257 3 13 ...
    europris.no. IN DNSKEY 256 3 13 ...
    europris.no. IN RRSIG DNSKEY 13 2 3600 <validity> 14997 ...
    europris.no. IN RRSIG DNSKEY 13 2 3600 <validity> 46820 ...
    europris.no. IN RRSIG DNSKEY 15 2 3600 <validity> 25323 ...
    europris.no. IN RRSIG DNSKEY 15 2 3600 <validity> 39946 ...

The SOA is signed with both ZSKs:

    europris.no. IN SOA ns1.hyp.net. hostmas...@domeneshop.no. ...
    europris.no. IN RRSIG SOA 13 2 3600 <validity> 14997 ...
    europris.no. IN RRSIG SOA 15 2 3600 <validity> 39946

A resolver that does not support ed25519 should treat this zone as unsigned,
since the DS RRs don't include any other algorithm. Perhaps with P256 in the
DNSKEY RRset, the resolver failed to reach that conclusion? That would be a
bug.

Or does the resolver "think" it has ed25519 support, expecting it to work, and
then reports errors when loading ed25519 keys fails?

While not having ed25519 is not a bug, failing to resolve DNSSEC domains that
require ed25519 is a bug. So this looks prematurely closed.
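The rule described in the comment above (RFC 4035, section 5.2), as an added example that is not part of the original message or of any resolver's code: the DS RRset alone decides whether a zone must validate, and a second, hypothetical classifier shows the failure mode the comment asks about. The function names, the sample algorithm sets and the DS tuples (built from the record summary in the comment) are assumptions.

```python
from typing import NamedTuple

class DS(NamedTuple):
    key_tag: int
    algorithm: int    # 13 = ECDSAP256SHA256, 15 = ED25519
    digest_type: int  # 2 = SHA-256, 4 = SHA-384

# Constructed sample input mirroring the records quoted in the comment
# (digests are elided there and are not needed for this decision).
DS_RRSET = [DS(25323, 15, 2), DS(25323, 15, 4)]
DNSKEY_ALGS = {13, 15}

def classify(ds_rrset, supported_algs, supported_digests=frozenset({2, 4})):
    """Decide from the authenticated DS RRset alone (hypothetical helper)."""
    usable = [ds for ds in ds_rrset
              if ds.algorithm in supported_algs
              and ds.digest_type in supported_digests]
    if not usable:
        # No DS, or none the validator can use: no authentication path,
        # so answer as for an unsigned zone instead of failing.
        return "insecure"
    # At least one usable DS: the DNSKEY RRset must verify through it,
    # and a failure from here on is bogus (SERVFAIL).
    return "must-validate"

def classify_flawed(ds_rrset, dnskey_algs, supported_algs):
    """Hypothetical bug: lets the DNSKEY RRset's algorithms drive the decision."""
    if not (set(dnskey_algs) & set(supported_algs)):
        return "insecure"
    # Sees a P256 DNSKEY and insists on validation, but no DS anchors it.
    anchored = {ds.algorithm for ds in ds_rrset} & set(supported_algs)
    return "must-validate" if anchored else "bogus"

if __name__ == "__main__":
    no_ed25519 = {8, 13}        # constructed: validator built without ed25519
    with_ed25519 = {8, 13, 15}
    print(classify(DS_RRSET, no_ed25519))
    print(classify(DS_RRSET, with_ed25519))
    print(classify_flawed(DS_RRSET, DNSKEY_ALGS, no_ed25519))
```
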