Re: Problem validating NSEC signatures

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

On Nov 6, 2009, at 3:53 AM, Tom wrote:

> Hi,
>
> I've had a few issues trying to validate NSEC records. I am using
> dnsjava to load a zonefile and then validate signatures. All
> signatures so far have been fine with the exception of RRSIGs for NSEC
> records.
>
> When re-constructing the data for the signature the first record type
> of the NSEC record seems to be missed in the output, eg.
>
> www.tom.        3600    IN      NSEC    www2.tom. A RRSIG NSEC
> www.tom.        3600    IN      RRSIG   NSEC 5 2 3600 20091118194406
> 20091104163457 56229 tom. wVc0nokSM..... ;{id = 56229}
>
> With these records TypeBitmap.toWire() will only add the types RRSIGN
> and NSEC to the RRDATA - in other words, it misses out the A.
>
> If I initialize the mapbase variable in the code to 0 instead of -1 it
> works. I can't really follow the code so this could be a dumb
> suggestion ;-)

I received a patch to fix this problem earlier today, and it's now  
applied to the svn repository.

Thanks for the report!

Brian