[GNC-dev] GnuCash DNSSec bindings still "bogus"?
Derek Atkins
derek at ihtfp.com
Mon Jul 26 10:20:16 EDT 2021
HI,
There was a bug report when DNSsec was down, which pointed to a reddit
thread, which pointed me to https://dnsviz.net/d/www.gnucash.org/dnssec/
This is an interesting website which is pointing out two issues with the
gnucash.org domain:
1) A warning that the glue records for my nameserver don't match the
authoritative data. The issue here is that I have multiple IPv6 addresses
for that server, but only one of them is listed in the glue record. As of
right now, I can't figure out a way to list multiple v6 addresses in the
glue record. I've reached out to my DNS registrar to figure out if there
is a way to fix this, but a quick google search seems to imply that it is
not supported. :(
2) An error that there are no valid RRSIGs created by a key corresponding
to a DS RR covering the DNSKEY RRset, resulting in no secure entry point
(SEP) into the zone. This seems to imply you need to go to the
gnucash.org registrar and make sure the DS record(s) there correspond to
the correct keys you've got locally.
For some reason they still have the expired sigs cached. Not sure why,
other than that they have a 3-day TTL, but that should have expired at
least by yesterday.
We should get these issues fixed.
-derek
--
Derek Atkins 617-623-3745
derek at ihtfp.com www.ihtfp.com
Computer and Internet Security Consultant
More information about the gnucash-devel
mailing list