Closed rumato163 closed 2 weeks ago
I believe I'm also seeing this, but I don't do anything with GeoIP.
Then that most likely is configuration in your backend. We're happy to help you look if you take that question to Discussions
Done: https://github.com/PowerDNS/pdns/discussions/14750. Probably not related to PowerDNS though.
There is actually a hardcoded NSEC3 param. https://github.com/PowerDNS/pdns/blob/master/modules/geoipbackend/geoipbackend.cc#L942
I guess this could be 1 0 1 -
Short description
As I can see in the source code of geoipbackend, it contains hardcoded NSEC3 parameters to start DNSSEC. But it looks like they should be changed to be compliant with the RFC 9276 recommendations regarding the NSEC3 iteration count and salt value. It looks like "1 0 1 f95a" at the moment, but it should be like "1 0 0 -" according to RFC 9276.
Other information
Nothing to add. It's just hardcoded parameters which need to be changed, I believe, because of the NSEC3 RFC recommendations.
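An added example, not part of the original issue and not PowerDNS code: it parses an NSEC3PARAM string in presentation format, reports how it deviates from the "1 0 0 -" form the issue cites from RFC 9276, and computes the RFC 5155 hashed owner name so the effect of the iterations and salt fields is visible. The function names and the sample name `www.example.com` are assumptions made for this illustration.

```python
import base64
import hashlib

# Map the standard base32 alphabet to base32hex, which NSEC3 owner names use.
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789ABCDEFGHIJKLMNOPQRSTUV")


def parse_nsec3param(rdata):
    """Parse 'hash-alg flags iterations salt'; a salt of '-' means empty."""
    alg, flags, iterations, salt = rdata.split()
    salt_bytes = b"" if salt == "-" else bytes.fromhex(salt)
    return int(alg), int(flags), int(iterations), salt_bytes


def rfc9276_findings(rdata):
    """List deviations from the '1 0 0 -' form the issue cites from RFC 9276."""
    _alg, _flags, iterations, salt = parse_nsec3param(rdata)
    findings = []
    if iterations != 0:
        findings.append("iterations is %d, recommended 0" % iterations)
    if salt:
        findings.append("salt is %s, recommended empty ('-')" % salt.hex())
    return findings


def nsec3_hash(name, rdata):
    """RFC 5155 hashed owner name of `name` under the given parameters."""
    alg, _flags, iterations, salt = parse_nsec3param(rdata)
    if alg != 1:
        raise ValueError("only SHA-1 (algorithm 1) is defined for NSEC3")
    # Canonical wire format: lowercased, length-prefixed labels, root label last.
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):  # additional rounds after the first hash
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode("ascii").lower()


if __name__ == "__main__":
    # Constructed inputs: the value quoted in the issue, the variant suggested
    # in the thread, and the form the issue asks for.
    for params in ("1 0 1 f95a", "1 0 1 -", "1 0 0 -"):
        print(params, "->", rfc9276_findings(params) or "no deviations")
        print("   www.example.com ->", nsec3_hash("www.example.com", params))
```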