]> git.ipfire.org Git - thirdparty/bind9.git/commit
projects / thirdparty / bind9.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 724663c) | patch
Do not check SEP bit for mirror zone trust anchors
authorMichał Kępień <michal@isc.org>
Thu, 14 Feb 2019 10:03:35 +0000 (11:03 +0100)
committerMichał Kępień <michal@isc.org>
Thu, 14 Feb 2019 10:03:35 +0000 (11:03 +0100)
commit72c201733cc5a9722ec882c88e9f650197f84ed2
tree4ad6816bf039cc74fa94636222358417dd00cb55tree | snapshot
parent724663c1653cf0d59567ecfdada324382cccda1dcommit | diff
Do not check SEP bit for mirror zone trust anchors

When a mirror zone is verified, the 'ignore_kskflag' argument passed to
dns_zoneverify_dnssec() is set to false.  This means that in order for
its verification to succeed, a mirror zone needs to have at least one
key with the SEP bit set configured as a trust anchor.  This brings no
security benefit and prevents zones signed only using keys without the
SEP bit set from being mirrored, so change the value of the
'ignore_kskflag' argument passed to dns_zoneverify_dnssec() to true.
bin/tests/system/mirror/ns2/named.conf.in diff | blob | blame | history
bin/tests/system/mirror/ns2/sign.sh diff | blob | blame | history
bin/tests/system/mirror/ns3/named.conf.in diff | blob | blame | history
bin/tests/system/mirror/tests.sh diff | blob | blame | history
lib/dns/zone.c diff | blob | blame | history
Mirror of https://gitlab.isc.org/isc-projects/bind9.git