HardenedBSD/contrib/bind/DNSSEC
Peter Wemm 6b6ac9438f Import bind v8.2.2.p5, minus the crypto for the time being. The bind
package does have BXA export approval, but the licensing strings on the
dnssafe code are a bit unpleasant.  The crypto is easy to restore and bind
will run without it - just without full dnssec support.

Obtained from:	The Internet Software Consortium (www.isc.org)
1999-11-30 02:43:11 +00:00

40 lines
1.3 KiB
Plaintext

$Id: DNSSEC,v 8.2 1999/10/12 18:23:27 ogud Exp $
DNSSEC Notes:
This file contains description of two interoperabilty problems related
to DNSSEC that only affect sites using DNSSEC.
1. All versions of bind-8 older than 8.2.2
Between versions 8.2.1 and 8.2.2 the printed format of SIG records
changed. As a result, using a signer, named and named-xfer of
differrent versions will cause parsing errors on signed zonefiles.
Included is an AWK program that converts old signed zone files to new
new format, see contrib/dns_signer/add_labels.awk
Usage: awk -f <path>/contrib/dns_signer/add_labels.awk <signed_zone >fixed_zone
2. BIND-8.1 BIND-8.1.1 BIND-8.1.2 Interoperability
If you wish to use BIND-8.1.x as a master server (either primary or
secondary) for DNSSEC signed zone you MUST apply the following patch
to the file src/bin/named/db_load.c. It fixes a bug that rejects
valid RSA signatures on load.
You can patch the file by running following command from this directory
patch -d bin/named <DNSSEC
--- db_load.c.old Mon Oct 11 15:21:24 1999
+++ db_load.c Mon Oct 11 15:21:38 1999
@@ -1123,9 +1123,6 @@
ERRTO("Signature too short");
if (siglen > (NS_MD5RSA_MAX_BITS + 7) / 8)
ERRTO("Signature too long");
- /* We rely on cp from parse */
- if (*cp == 0)
- ERRTO("Signature starts with zeroes");
break;
case NS_ALG_EXPIRE_ONLY: