mirror of
https://git.hardenedbsd.org/hardenedbsd/HardenedBSD.git
synced 2024-12-28 22:36:24 +01:00
6b6ac9438f
package does have BXA export approval, but the licensing strings on the dnssafe code are a bit unpleasant. The crypto is easy to restore and bind will run without it - just without full dnssec support. Obtained from: The Internet Software Consortium (www.isc.org)
40 lines
1.3 KiB
Plaintext
40 lines
1.3 KiB
Plaintext
$Id: DNSSEC,v 8.2 1999/10/12 18:23:27 ogud Exp $
|
|
|
|
DNSSEC Notes:
|
|
|
|
This file contains description of two interoperabilty problems related
|
|
to DNSSEC that only affect sites using DNSSEC.
|
|
|
|
1. All versions of bind-8 older than 8.2.2
|
|
|
|
Between versions 8.2.1 and 8.2.2 the printed format of SIG records
|
|
changed. As a result, using a signer, named and named-xfer of
|
|
differrent versions will cause parsing errors on signed zonefiles.
|
|
Included is an AWK program that converts old signed zone files to new
|
|
new format, see contrib/dns_signer/add_labels.awk
|
|
Usage: awk -f <path>/contrib/dns_signer/add_labels.awk <signed_zone >fixed_zone
|
|
|
|
2. BIND-8.1 BIND-8.1.1 BIND-8.1.2 Interoperability
|
|
|
|
If you wish to use BIND-8.1.x as a master server (either primary or
|
|
secondary) for DNSSEC signed zone you MUST apply the following patch
|
|
to the file src/bin/named/db_load.c. It fixes a bug that rejects
|
|
valid RSA signatures on load.
|
|
You can patch the file by running following command from this directory
|
|
patch -d bin/named <DNSSEC
|
|
|
|
--- db_load.c.old Mon Oct 11 15:21:24 1999
|
|
+++ db_load.c Mon Oct 11 15:21:38 1999
|
|
@@ -1123,9 +1123,6 @@
|
|
ERRTO("Signature too short");
|
|
if (siglen > (NS_MD5RSA_MAX_BITS + 7) / 8)
|
|
ERRTO("Signature too long");
|
|
- /* We rely on cp from parse */
|
|
- if (*cp == 0)
|
|
- ERRTO("Signature starts with zeroes");
|
|
break;
|
|
|
|
case NS_ALG_EXPIRE_ONLY:
|
|
|
|
|