[GNC-dev] GnuCash DNSSec bindings still "bogus"?

Derek Atkins derek at ihtfp.com
Mon Jul 26 10:57:27 EDT 2021


Hi Linas,
Sorry, this was a false alarm.
The evaluation was 4 days old (from 7/22).
I forced the site to re-evaluate and the errors went away.
Now we're just down to the glue record warning, but the domain is secure.
-derek

On Mon, July 26, 2021 10:20 am, Derek Atkins wrote:
> Hi,
>
> There was a bug report when DNSSEC was down, which pointed to a Reddit
> thread, which pointed me to https://dnsviz.net/d/www.gnucash.org/dnssec/
> This is an interesting website which is pointing out two issues with the
> gnucash.org domain:
>
> 1) A warning that the glue records for my nameserver don't match the
> authoritative data.  The issue here is that I have multiple IPv6 addresses
> for that server, but only one of them is listed in the glue record.  As of
> right now, I can't figure out a way to list multiple v6 addresses in the
> glue record.  I've reached out to my DNS registrar to figure out if there
> is a way to fix this, but a quick Google search seems to imply that it is
> not supported.  :(
>
> 2) An error that there are no valid RRSIGs created by a key corresponding
> to a DS RR covering the DNSKEY RRset, resulting in no secure entry point
> (SEP) into the zone.  This seems to imply you need to go to the
> gnucash.org registrar and make sure the DS record(s) there correspond to
> the correct keys you've got locally.
>
> For some reason they still have the expired sigs cached.  Not sure why,
> other than that they have a 3-day TTL, but that should have expired at
> least by yesterday.
>
> We should get these issues fixed.
>
> -derek
>
> --
>        Derek Atkins                 617-623-3745
>        derek at ihtfp.com             www.ihtfp.com
>        Computer and Internet Security Consultant


-- 
       Derek Atkins                 617-623-3745
       derek at ihtfp.com             www.ihtfp.com
       Computer and Internet Security Consultant
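
The second issue in the quoted message comes down to whether a DS record held at the parent matches a DNSKEY in the zone. The following is an added example, not part of the original thread or of GnuCash's tooling: it derives the key tag and DS digest from DNSKEY RDATA as specified in RFC 4034 and reports which zone keys a parent DS set actually covers. The zone name `example.org.`, the key bytes and all function names are constructed for illustration, and the RRSIG over the DNSKEY RRset is not verified here.

```python
import hashlib
import struct

# DS digest type numbers: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, protocol, algorithm, then the public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> tuple:
    """DS fields (key tag, algorithm, digest type, hex digest) for one DNSKEY."""
    digest = DIGESTS[digest_type](owner_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], digest_type, digest)

def secure_entry_points(owner, dnskeys, parent_ds):
    """Key tags of zone DNSKEYs that some DS at the parent actually covers."""
    seps = []
    for rdata in dnskeys:
        flags = struct.unpack("!H", rdata[:2])[0]
        if not flags & 0x0100:          # Zone Key bit must be set
            continue
        for tag, alg, dtype, digest in parent_ds:
            wanted = (tag, alg, dtype, digest.lower())
            if dtype in DIGESTS and make_ds(owner, rdata, dtype) == wanted:
                seps.append(tag)
                break
    return seps

# Constructed sample data: placeholder byte strings, not real keys.
ZONE = "example.org."
OLD_KSK = dnskey_rdata(257, 3, 13, bytes(range(64)))
NEW_KSK = dnskey_rdata(257, 3, 13, bytes(range(64, 128)))
ZSK = dnskey_rdata(256, 3, 13, bytes(range(128, 192)))

if __name__ == "__main__":
    stale = [make_ds(ZONE, OLD_KSK)]    # parent still lists the old key
    fresh = [make_ds(ZONE, NEW_KSK)]    # parent updated after the rollover
    print("stale DS ->", secure_entry_points(ZONE, [NEW_KSK, ZSK], stale))
    print("fresh DS ->", secure_entry_points(ZONE, [NEW_KSK, ZSK], fresh))
```

An empty result for the stale DS set is the "no secure entry point" condition: the parent vouches only for a key the zone no longer publishes.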
