$Id: DNSSEC,v 8.2 1999/10/12 18:23:27 ogud Exp $

This file describes two interoperability problems related to DNSSEC.
They affect only sites using DNSSEC.

1. All versions of bind-8 older than 8.2.2

Between versions 8.2.1 and 8.2.2 the printed format of SIG records
changed. As a result, using a signer, named and named-xfer of
different versions will cause parsing errors on signed zone files.
Included is an AWK program that converts old signed zone files to the
new format, see contrib/dns_signer/add_labels.awk
Usage: awk -f <path>/contrib/dns_signer/add_labels.awk <signed_zone >fixed_zone

2. BIND-8.1 BIND-8.1.1 BIND-8.1.2 Interoperability

If you wish to use BIND-8.1.x as a master server (either primary or
secondary) for a DNSSEC signed zone you MUST apply the following patch
to the file src/bin/named/db_load.c. It fixes a bug that rejects
valid RSA signatures on load.
You can patch the file by running the following command from this directory:
    patch -d bin/named <DNSSEC

26 --- db_load.c.old Mon Oct 11 15:21:24 1999
27 +++ db_load.c Mon Oct 11 15:21:38 1999
29 ERRTO("Signature too short");
30 if (siglen > (NS_MD5RSA_MAX_BITS + 7) / 8)
31 ERRTO("Signature too long");
32 - /* We rely on cp from parse */
34 - ERRTO("Signature starts with zeroes");
37 case NS_ALG_EXPIRE_ONLY:
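
Review bot: where the "Signature starts with zeroes" rejection is removed, right after the "Signature too long" check, nothing is left to record why the test went away. Since the stated reason for this patch is that the check rejected valid RSA signatures on load, add a one-line comment at that spot saying so, so the test is not reintroduced later. The condition that guarded the removed ERRTO is not visible in the lines shown, so confirm that the entire if statement is deleted together with its body and that no dangling statement remains before "case NS_ALG_EXPIRE_ONLY:".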