[GNC-dev] GnuCash DNSSec bindings still "bogus"?

Derek Atkins derek at ihtfp.com
Mon Jul 26 10:20:16 EDT 2021


There was a bug report when DNSSEC was down, which pointed to a reddit
thread, which pointed me to https://dnsviz.net/d/www.gnucash.org/dnssec/
This is an interesting website which is pointing out two issues with the
gnucash.org domain:

1) A warning that the glue records for my nameserver don't match the
authoritative data.  The issue here is that I have multiple IPv6 addresses
for that server, but only one of them is listed in the glue record.  As of
right now, I can't figure out a way to list multiple v6 addresses in the
glue record.  I've reached out to my DNS registrar to figure out if there
is a way to fix this, but a quick Google search seems to imply that it is
not supported.  :(

2) An error that there are no valid RRSIGs created by a key corresponding
to a DS RR covering the DNSKEY RRset, resulting in no secure entry point
(SEP) into the zone.  This seems to imply you need to go to the
gnucash.org registrar and make sure the DS record(s) there correspond to
the correct keys you've got locally.

For some reason they still have the expired sigs cached.  Not sure why,
other than that they have a 3-day TTL, but that should have expired at
least by yesterday.

We should get these issues fixed.


       Derek Atkins                 617-623-3745
       derek at ihtfp.com             www.ihtfp.com
       Computer and Internet Security Consultant
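The second dnsviz finding above is a DS/DNSKEY mismatch: the parent (.org) publishes DS records, but none of them corresponds to a DNSKEY the zone actually serves, so a validator has no secure entry point. The script below is an added example (not part of the post and not GnuCash's code) that performs exactly that correspondence check offline: it computes the RFC 4034 key tag and DS digest for each child DNSKEY and compares them with a DS set. The zone name gnucash.org is taken from the post; all key material and the "stale" versus "current" KSK scenario are constructed for illustration. In practice you would feed it the output of `dig DNSKEY gnucash.org` (from the child) and `dig DS gnucash.org` (from the parent); a full validator such as `delv` or dnsviz additionally verifies the RRSIG over the DNSKEY RRset, which this check does not do.

```python
"""Added example: does any DS at the parent correspond to a DNSKEY in the
child zone?  Key bytes are constructed; only the zone name is from the post."""
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class DNSKEY:
    flags: int         # 257 = zone key + SEP bit (a KSK), 256 = a ZSK
    protocol: int      # always 3 for DNSSEC
    algorithm: int     # e.g. 13 = ECDSAP256SHA256
    public_key: bytes

    def rdata(self) -> bytes:
        # DNSKEY RDATA wire format, RFC 4034 section 2.1
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int   # 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
    digest: bytes


DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def key_tag(key: DNSKEY) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(key.rdata()):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def wire_name(name: str) -> bytes:
    """Owner name in canonical (lower-case, uncompressed) wire form."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def make_ds(owner: str, key: DNSKEY, digest_type: int = 2) -> DS:
    """DS digest = hash(owner name || DNSKEY RDATA), RFC 4034 section 5.1.4."""
    digest = DIGESTS[digest_type](wire_name(owner) + key.rdata()).digest()
    return DS(key_tag(key), key.algorithm, digest_type, digest)


def check_sep(owner: str, child_keys: List[DNSKEY], parent_ds: List[DS]) -> Tuple[List[DS], List[str]]:
    """Return (DS records that match a child DNSKEY, human-readable problems)."""
    by_tag: Dict[int, List[DNSKEY]] = {}
    for k in child_keys:
        by_tag.setdefault(key_tag(k), []).append(k)

    matched: List[DS] = []
    problems: List[str] = []
    for ds in parent_ds:
        candidates = [k for k in by_tag.get(ds.key_tag, []) if k.algorithm == ds.algorithm]
        if not candidates:
            problems.append(f"DS tag {ds.key_tag}/alg {ds.algorithm}: no DNSKEY with that tag and "
                            "algorithm in the child zone (stale DS at the registrar?)")
            continue
        if ds.digest_type not in DIGESTS:
            problems.append(f"DS tag {ds.key_tag}: unsupported digest type {ds.digest_type}")
            continue
        # Key tags can collide, so the digest is the real test.
        if any(make_ds(owner, k, ds.digest_type).digest == ds.digest for k in candidates):
            matched.append(ds)
        else:
            problems.append(f"DS tag {ds.key_tag}: key tag matches but digest does not "
                            "(different key bytes or owner name)")
    if not matched:
        problems.append("no DS corresponds to any DNSKEY: no secure entry point into the zone")
    return matched, problems


# Constructed sample data: the KSK the zone serves now, and the one it used to serve.
ZONE = "gnucash.org."
CURRENT_KSK = DNSKEY(flags=257, protocol=3, algorithm=13, public_key=bytes(range(64)))
OLD_KSK = DNSKEY(flags=257, protocol=3, algorithm=13, public_key=bytes(range(63, -1, -1)))


def demo() -> None:
    scenarios = (
        ("stale DS for the old KSK", [make_ds(ZONE, OLD_KSK)]),
        ("DS computed for the wrong owner", [make_ds("example.org.", CURRENT_KSK)]),
        ("correct DS for the current KSK", [make_ds(ZONE, CURRENT_KSK)]),
    )
    for label, ds_set in scenarios:
        matched, problems = check_sep(ZONE, [CURRENT_KSK], ds_set)
        print(f"{label}: {len(matched)} matching DS; problems: {problems or 'none'}")


if __name__ == "__main__":
    demo()
```

The "stale DS" scenario is the situation the dnsviz error describes: after a key rollover the registrar still publishes the DS of the retired key, so the check reports no secure entry point until the DS at the parent is replaced with one generated from the current KSK (most signers print it with `dnssec-dsfromkey` or equivalent, and it should equal `make_ds(ZONE, CURRENT_KSK)` above).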

