Invalid signer in RRSIG for CNAME where CNAME target zone is on the same server #411

Closed
Habbie opened this Issue Apr 26, 2013 · 2 comments


@Habbie
Member
Habbie commented Apr 26, 2013

Hi

RFC4035: "The RRSIG Signer's Name field is equal to the name of the zone containing the RRset".

But for CNAME, the RRSIG gets the target zone, when the target zone is on the same server.

For CNAME against external zones it works correctly.

Example:

dig +dnssec a badwww.onlinesigning.se @212.247.189.97

[snip] RRSIG CNAME 8 3 3600 20111222000000 20111208000000 32493 onlinesigning.net. [snip]

but

dig +dnssec cname badwww.onlinesigning.se @212.247.189.97

[snip] RRSIG CNAME 8 3 3600 20111222000000 20111208000000 32493 onlinesigning.se. [snip]

the target of the CNAME is net010.onlinesigning.net (which is also handled by 212.247.189.97).

This problem means that a validating BIND resolves to SERVFAIL, since the signature is invalid.

A patch for the problem is attached to the ticket.
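The rule the report quotes, RFC 4035 section 5.3.1, is something a validator can check before it even looks at the signature bytes: the RRSIG Signer's Name must be the apex of the zone that contains the RRset's owner name, and for a CNAME that is the zone of the owner, never the zone of the target. The following is an added example written for this page, not PowerDNS code and not the attached patch. It assumes a server authoritative for the two zones named in the report (onlinesigning.se and onlinesigning.net), parses the dig RRSIG presentation format, and applies the signer-name and label-count checks from that section. The two RRSIG lines are constructed from the snippets in the report (owner name added, signature data replaced by a placeholder); `buggy_signer_choice` is a constructed model of the behaviour described above, not the server's real code.

```python
"""Added example: RFC 4035 section 5.3.1 signer-name check for an RRSIG.

The zone list and RRSIG lines are constructed from the names in the
issue report; the signature data is a placeholder, not a real signature.
"""
from __future__ import annotations


def labels(name: str) -> list[str]:
    """Split a DNS name into lowercase labels; the root name '.' gives []."""
    return [lab.lower() for lab in name.rstrip(".").split(".") if lab]


def is_subdomain(name: str, zone: str) -> bool:
    """True if `name` is at or below `zone` (label-wise suffix match)."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z


def zone_containing(owner: str, zones: list[str]) -> str | None:
    """The zone containing `owner`: the deepest apex in `zones` that is a
    suffix of the owner name, or None if no listed zone contains it."""
    best = None
    for z in zones:
        if is_subdomain(owner, z) and (best is None or len(labels(z)) > len(labels(best))):
            best = z
    return best


def parse_rrsig(line: str) -> dict:
    """Parse an RRSIG in the presentation form dig prints:
    owner TTL IN RRSIG type alg labels origttl expire incept keytag signer sig..."""
    f = line.split()
    i = f.index("RRSIG")
    return {
        "owner": f[0],
        "type_covered": f[i + 1],
        "algorithm": int(f[i + 2]),
        "labels": int(f[i + 3]),
        "original_ttl": int(f[i + 4]),
        "expiration": f[i + 5],
        "inception": f[i + 6],
        "key_tag": int(f[i + 7]),
        "signer": f[i + 8],
        "signature": "".join(f[i + 9:]),
    }


def signer_name_ok(rrsig: dict, zones: list[str]) -> bool:
    """RFC 4035 section 5.3.1: the Signer's Name must be the zone containing
    the RRset's owner, and the Labels field must not exceed the owner's
    label count. The CNAME target plays no part in this decision."""
    zone = zone_containing(rrsig["owner"], zones)
    if zone is None:
        return False
    if rrsig["labels"] > len(labels(rrsig["owner"])):
        return False
    return labels(rrsig["signer"]) == labels(zone)


def buggy_signer_choice(owner: str, cname_target: str, zones: list[str]) -> str | None:
    """Constructed model of the behaviour reported in the issue: if the CNAME
    target lies in a zone this server also serves, the target's zone is used
    as signer; only for an external target does the owner's zone get used."""
    target_zone = zone_containing(cname_target, zones)
    return target_zone if target_zone is not None else zone_containing(owner, zones)


# Constructed sample data: zones from the report, RRSIG lines rebuilt from
# the two dig snippets with the owner prepended and signature data elided.
SERVED_ZONES = ["onlinesigning.se.", "onlinesigning.net."]
RRSIG_WRONG = ("badwww.onlinesigning.se. 3600 IN RRSIG CNAME 8 3 3600 "
               "20111222000000 20111208000000 32493 onlinesigning.net. AAAA")
RRSIG_RIGHT = ("badwww.onlinesigning.se. 3600 IN RRSIG CNAME 8 3 3600 "
               "20111222000000 20111208000000 32493 onlinesigning.se. AAAA")


def demo() -> dict:
    """Run both records through the check and model the server's choice."""
    return {
        "wrong_accepted": signer_name_ok(parse_rrsig(RRSIG_WRONG), SERVED_ZONES),
        "right_accepted": signer_name_ok(parse_rrsig(RRSIG_RIGHT), SERVED_ZONES),
        "internal_target": buggy_signer_choice(
            "badwww.onlinesigning.se.", "net010.onlinesigning.net.", SERVED_ZONES),
        "external_target": buggy_signer_choice(
            "badwww.onlinesigning.se.", "www.example.com.", SERVED_ZONES),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The signer-name check is deliberately separate from cryptographic verification: a resolver that applies it first rejects the onlinesigning.net-signed CNAME immediately, which is the SERVFAIL the report observes, and it also explains why a CNAME pointing at a zone the server does not host was unaffected.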

@Habbie Habbie was assigned Apr 26, 2013
@Habbie Habbie closed this Apr 26, 2013
@Habbie
Member
Habbie commented Apr 26, 2013

Attachment 'Patch fixing the problem' (pdns-trunk-r2313-fix-cname-internal-zone-rrsig-signer.1.patch) https://gist.github.com/5466723

@Habbie
Member
Habbie commented Apr 26, 2013

Author: peter
Accepted as r2314. Thanks!
