Opened 7 years ago

Closed 5 years ago

#2295 closed defect (wontfix)

clarify the semantics of datasrc/memory/ZoneData::isSigned()

Reported by: jinmei
Owned by:
Priority: medium
Milestone: Remaining BIND10 tickets
Component: data source
Version: bind10-old
Keywords:
Cc:
CVSS Scoring:
Parent Tickets:
Sensitive: no
Defect Severity: N/A
Sub-Project: DNS
Feature Depending on Ticket:
Estimated Difficulty: 4
Add Hours to Ticket: 0
Total Hours: 0
Internal?: no

Description

Currently, different parts of the in-memory data source related
classes use different semantics:

  • the zone loader (memory_client.cc) sets it to true when it adds NSEC/NSEC3 or NSEC3PARAM RRs to the zone
  • the zone finder implementation considers the zone "NSEC3 signed" regardless of the value of the "is signed" flag (so the zone loader behavior for NSEC3/NSEC3PARAM is meaningless)
  • in the zone data documentation, it's (intentionally) left open, but hinted as if it means the zone has a DNSKEY RR (at the origin).

The difference is not an immediate issue, but when we support
incremental zone signing or migration between NSEC and NSEC3, there
can be an intermediate state where the zone should rather be
considered "unsigned" even if it contains some NSEC or NSEC3 RRs.
And then the difference and the current assumption may cause real
troubles.

So my suggestion is to adopt the hint policy in the zone data
documentation: set the "signed" flag of the zone to true iff the zone has a
DNSKEY RR at the origin (and make sure this condition is preserved
when we add incremental zone updates). The zone finder implementation
should check both "signed" and isNSEC3Signed() conditions to set the
"NSEC3 signed" flag.
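The following is an added illustration of the semantics proposed in this ticket, not code from BIND 10 or Bundy: a hypothetical `ToyZoneData` class that records which RR types exist at each owner name, derives `isSigned()` from the presence of a DNSKEY at the origin, and lets the finder treat the zone as NSEC3 signed only when both `isSigned()` and `isNSEC3Signed()` hold. The old loader behaviour (flag set by any NSEC/NSEC3/NSEC3PARAM) is modelled alongside it so the intermediate state described above, a zone that already carries NSEC3 RRs but no DNSKEY yet, can be compared under both rules. All class and function names and the sample zones are constructed for this example.

```cpp
#include <iostream>
#include <map>
#include <set>
#include <string>

// Hypothetical stand-in for an in-memory zone (NOT BIND 10's ZoneData):
// it only tracks which RR types are present at each owner name.
class ToyZoneData {
public:
    explicit ToyZoneData(const std::string& origin) : origin_(origin) {}

    void addRRType(const std::string& owner, const std::string& rrtype) {
        types_[owner].insert(rrtype);
    }

    bool hasType(const std::string& owner, const std::string& rrtype) const {
        auto it = types_.find(owner);
        return it != types_.end() && it->second.count(rrtype) > 0;
    }

    // Proposed semantics: the zone is "signed" iff a DNSKEY RRset exists
    // at the zone origin, regardless of any NSEC/NSEC3 records elsewhere.
    bool isSigned() const { return hasType(origin_, "DNSKEY"); }

    // An NSEC3PARAM RR at the origin indicates an NSEC3 chain.
    bool isNSEC3Signed() const { return hasType(origin_, "NSEC3PARAM"); }

    // What the finder should use: both conditions must hold.
    bool finderUsesNSEC3() const { return isSigned() && isNSEC3Signed(); }

    // Old loader rule from the ticket, kept for contrast: any NSEC, NSEC3 or
    // NSEC3PARAM RR anywhere in the zone flips the flag to true.
    bool loaderFlagOldSemantics() const {
        for (const auto& entry : types_) {
            for (const auto& t : entry.second) {
                if (t == "NSEC" || t == "NSEC3" || t == "NSEC3PARAM") {
                    return true;
                }
            }
        }
        return false;
    }

private:
    std::string origin_;
    std::map<std::string, std::set<std::string>> types_;
};

// Constructed sample: a fully NSEC3-signed zone.
ToyZoneData makeFullySignedNSEC3Zone() {
    ToyZoneData z("example.");
    z.addRRType("example.", "SOA");
    z.addRRType("example.", "DNSKEY");
    z.addRRType("example.", "NSEC3PARAM");
    z.addRRType("abcdef.example.", "NSEC3");
    return z;
}

// Constructed sample: mid-migration, NSEC3 chain added but no DNSKEY yet.
// Under the proposed semantics this zone is still unsigned.
ToyZoneData makeIntermediateZone() {
    ToyZoneData z("example.");
    z.addRRType("example.", "SOA");
    z.addRRType("example.", "NSEC3PARAM");
    z.addRRType("abcdef.example.", "NSEC3");
    return z;
}

// Constructed sample: plain unsigned zone.
ToyZoneData makeUnsignedZone() {
    ToyZoneData z("example.");
    z.addRRType("example.", "SOA");
    z.addRRType("www.example.", "A");
    return z;
}

int main() {
    const ToyZoneData mid = makeIntermediateZone();
    std::cout << "intermediate zone: old loader flag="
              << mid.loaderFlagOldSemantics()
              << " proposed isSigned=" << mid.isSigned()
              << " finder NSEC3=" << mid.finderUsesNSEC3() << "\n";
    return 0;
}
```

The intermediate zone is the case that matters: the old loader rule reports it as signed (and the old finder would answer queries with NSEC3 proofs it cannot back with signatures), while the DNSKEY-based rule keeps it unsigned until the key is actually published.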

Change History (3)

comment:1 Changed 7 years ago by shane

  • Milestone New Tasks deleted

comment:2 Changed 6 years ago by tomek

  • Milestone set to Remaining BIND10 tickets

comment:3 Changed 5 years ago by tomek

  • Resolution set to wontfix
  • Status changed from new to closed
  • Version set to old-bind10

This issue is related to bind10 code that is no longer part of Kea.

If you are interested in BIND10/Bundy framework or its DNS components,
please check http://bundy-dns.de.

Closing ticket.