Re: CNAME and other data
> -----BEGIN PGP SIGNED MESSAGE-----
> >>>>> "Mark" == Mark Andrews <Mark_Andrews@isc.org> writes:
> >> There are *no* duplicates that I can find. (It would be nice if
> >> named would log what the conflict is)
> Mark> You are trying to load a DNSSEC zone (with a CNAME) on a
> Mark> DNSSECbis server.
> Yes, agreed. I said that :-)
> I would ask that maybe 9.2.x might be more clear about the reason for
> the failure to load.
Well the only thing missing was the name with the offending
data which is easily found by transferring the zone and running
named-checkzone on it.
dig axfr sandelman.ca @188.8.131.52 > tmp
named-checkzone sandelman.ca tmp
In general a "CNAME and other data" error should be picked up on the
master. DNSSECbis is special as it relaxed the rules.
I suppose we could explicitly check for RRSIG/NSEC in 9.2 issue a
> I would also ask that perhaps 9.3.x be tolerant of NXT/SIG being
> present. I really think this is important.
I double checked. It should load a DNSSEC zone. It won't generate
the proofs however.
> If we want DNSSEC to be incrementally deployable, then making it hard
> for people to upgrade to 9.3 is a bad idea. Making it confusing to
> some ISP why their 9.2 fails to load a zone suddenly is also bad.
Incremental deployment would require that proofs be generated and
validated for both DNSSEC and DNSSECbis. BIND 9.3 does not do this.
> - --
> ] Michael Richardson Xelerance Corporation, Ottawa, ON | firewalls
> ] mcr @ xelerance.com Now doing IPsec training, see |net architec
> ] http://www.sandelman.ca/mcr/ www.xelerance.com/training/ |device drive
> ] panic("Just another Debian GNU/Linux using, kernel hacking, security guy");
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.2 (GNU/Linux)
> Comment: Finger me for keys
> -----END PGP SIGNATURE-----
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org
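
The "name with the offending data" lookup described in this thread, as an added example that is not part of the original message and is not BIND code: it reads dig AXFR output and reports which owner names break the CNAME rule under the original DNSSEC types and under the DNSSECbis types. The function names, the example.test zone and the allowed-type sets (taken here from RFC 2535 and RFC 4035) are assumptions of the example.

```python
from collections import defaultdict

# RR types allowed to share an owner name with a CNAME under each rule set
# (assumption: taken from RFC 2535 and RFC 4035, not from BIND source).
ALLOWED_WITH_CNAME = {
    "rfc2535": {"SIG", "NXT", "KEY"},       # original DNSSEC
    "dnssecbis": {"RRSIG", "NSEC", "KEY"},  # DNSSECbis
}

# Constructed sample in dig AXFR output form; not real zone data.
SAMPLE_AXFR = """\
; <<>> constructed sample <<>> example.test axfr
example.test.     3600 IN SOA ns.example.test. admin.example.test. 1 7200 900 604800 3600
example.test.     3600 IN NS ns.example.test.
ns.example.test.  3600 IN A 192.0.2.1
old.example.test. 3600 IN CNAME ns.example.test.
old.example.test. 3600 IN SIG CNAME 1 3 3600 20040101000000 20031201000000 1234 example.test. c2ln
old.example.test. 3600 IN NXT www.example.test. CNAME SIG NXT
www.example.test. 3600 IN CNAME ns.example.test.
www.example.test. 3600 IN RRSIG CNAME 5 3 3600 20040101000000 20031201000000 1234 example.test. c2ln
www.example.test. 3600 IN NSEC example.test. CNAME RRSIG NSEC
ftp.example.test. 3600 IN CNAME ns.example.test.
ftp.example.test. 3600 IN TXT "plain other data"
"""

def types_by_owner(axfr_text):
    """Map each owner name (lower-cased) to the set of RR types it carries."""
    owners = defaultdict(set)
    for line in axfr_text.splitlines():
        fields = line.split()
        # dig prints one record per line: owner TTL class type rdata...
        if len(fields) < 5 or fields[0].startswith(";") or not fields[1].isdigit():
            continue
        owners[fields[0].lower()].add(fields[3].upper())
    return owners

def cname_conflicts(axfr_text, rules):
    """Return {owner: [offending types]} for names with a CNAME and other data."""
    allowed = ALLOWED_WITH_CNAME[rules] | {"CNAME"}
    return {name: sorted(types - allowed)
            for name, types in types_by_owner(axfr_text).items()
            if "CNAME" in types and types - allowed}

if __name__ == "__main__":
    for rules in ALLOWED_WITH_CNAME:
        print(rules, cname_conflicts(SAMPLE_AXFR, rules))
```

A name signed with SIG/NXT is reported under the DNSSECbis set and a name signed with RRSIG/NSEC is reported under the RFC 2535 set, while a CNAME next to a TXT record is reported under both.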