pdns
NSEC3PARAM for geoip backend is not compliant with RFC9276
- [ ] This is not a support question, I have read about opensource and will send support questions to the IRC channel, GitHub Discussions or the mailing list.
- [ ] I have read and understood the 'out in the open' support policy
- Program: Authoritative
- Issue type: Bug report
Short description
As I can see in the source code of geoipbackend, it contains hardcoded NSEC3 parameters to start DNSSEC. But it looks like it should be changed to be compliant with the RFC9276 recommendations regarding the NSEC3 iteration count and salt value. It looks like "1 0 1 f95a" at the moment, but should be like "1 0 0 -" according to RFC9276.
Environment
- Operating system: Gentoo, Debian
- Software version: 4.6.4
- Software source: debian repository or gentoo repository
Steps to reproduce
- Install powerdns server with geoipbackend
- Start any simple instance with configured geoip-dnssec-keydir option
- Execute pdnsutil secure-zone and verify its parameters with pdnsutil show-zone
Expected behaviour
NSEC3PARAM 1 0 0 - expected after all
Actual behaviour
NSEC3PARAM 1 0 1 f95a is used
Other information
Nothing to add. It's just hardcoded parameters which need to be changed, I believe, because of the NSEC3 RFC recommendations.
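To make the report checkable without a running server, here is an added example (my own code, not part of the issue or of PowerDNS) that parses an NSEC3PARAM line in the form `pdnsutil show-zone` prints it, lists where it deviates from the RFC 9276 publisher recommendations (iterations 0, empty salt), and computes the RFC 5155 NSEC3 hash so the effect of the iteration and salt fields can be observed directly. The owner names and the `aabbccdd`/12 parameters used for the self-check are the RFC 5155 Appendix A test vector; the `f95a` parameters are the ones quoted in this report.

```python
import hashlib

# RFC 4648 base32hex alphabet, used for NSEC3 owner names (standard base32 -> base32hex)
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def parse_nsec3param(text: str) -> dict:
    """Parse 'alg flags iterations salt' as shown by pdnsutil; '-' means an empty salt."""
    alg, flags, iterations, salt = text.split()
    return {
        "algorithm": int(alg),
        "flags": int(flags),
        "iterations": int(iterations),
        "salt": b"" if salt == "-" else bytes.fromhex(salt),
    }


def rfc9276_findings(params: dict) -> list:
    """Return the ways the parameters deviate from RFC 9276 section 3.1 (zone publishers)."""
    findings = []
    if params["algorithm"] != 1:
        findings.append("hash algorithm must be 1 (SHA-1), the only value defined by RFC 5155")
    if params["iterations"] != 0:
        findings.append("iterations should be 0, got %d" % params["iterations"])
    if params["salt"]:
        findings.append("salt should be empty ('-'), got %s" % params["salt"].hex())
    return findings


def nsec3_hash(owner: str, params: dict) -> str:
    """RFC 5155 section 5: SHA-1(name || salt), then 'iterations' further rounds of SHA-1(prev || salt)."""
    import base64
    labels = [lbl.lower() for lbl in owner.rstrip(".").split(".") if lbl]
    # canonical wire format: length-prefixed lowercase labels, terminated by the root label
    wire = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"
    digest = hashlib.sha1(wire + params["salt"]).digest()
    for _ in range(params["iterations"]):
        digest = hashlib.sha1(digest + params["salt"]).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).rstrip("=")


if __name__ == "__main__":
    for line in ("1 0 1 f95a", "1 0 0 -"):   # actual vs. expected values from the report
        params = parse_nsec3param(line)
        print(line, "->", rfc9276_findings(params) or "compliant",
              "hash(example)=", nsec3_hash("example.", params))
```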
I believe I'm also seeing this, but I don't do anything with GeoIP.
Then that most likely is configuration in your backend. We're happy to help you look if you take that question to Discussions
Done: https://github.com/PowerDNS/pdns/discussions/14750. Probably not related to PowerDNS though.
There is actually a hardcoded NSEC3 param. https://github.com/PowerDNS/pdns/blob/master/modules/geoipbackend/geoipbackend.cc#L942
I guess this could be 1 0 1 -