[GNC-dev] GnuCash DNSSec bindings still "bogus"?
derek at ihtfp.com
Mon Jul 26 10:57:27 EDT 2021
Sorry, this was a false alarm.
The evaluation was 4 days old (from 7/22).
I forced the site to re-evaluate and the errors went away.
Now we're just down to the glue record warning, but the domain is secure.
On Mon, July 26, 2021 10:20 am, Derek Atkins wrote:
> There was a bug report when DNSSEC was down, which pointed to a Reddit
> thread, which pointed me to https://dnsviz.net/d/www.gnucash.org/dnssec/
> This is an interesting website which is pointing out two issues with the
> gnucash.org domain:
> 1) A warning that the glue records for my nameserver don't match the
> authoritative data. The issue here is that I have multiple IPv6 addresses
> for that server, but only one of them is listed in the glue record. As of
> right now, I can't figure out a way to list multiple v6 addresses in the
> glue record. I've reached out to my DNS registrar to figure out if there
> is a way to fix this, but a quick Google search seems to imply that it is
> not supported. :(
> 2) An error that there are no valid RRSIGs created by a key corresponding
> to a DS RR covering the DNSKEY RRset, resulting in no secure entry point
> (SEP) into the zone. This seems to imply you need to go to the
> gnucash.org registrar and make sure the DS record(s) there correspond to
> the correct keys you've got locally.
> For some reason they still have the expired sigs cached. Not sure why,
> other than that they have a 3-day TTL, but that should have expired at
> least by yesterday.
> We should get these issues fixed.
> Derek Atkins 617-623-3745
> derek at ihtfp.com www.ihtfp.com
> Computer and Internet Security Consultant
Derek Atkins 617-623-3745
derek at ihtfp.com www.ihtfp.com
Computer and Internet Security Consultant
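
The DS-to-DNSKEY comparison described in item 2 of the quoted message, as an added example that is not part of the original post or of any GnuCash tooling: it recomputes the DS digest and key tag for each published DNSKEY and reports which keys a parent-side DS record actually matches. The zone name and key bytes are constructed placeholders, and RRSIG validation itself is out of scope here.

```python
import base64, hashlib, struct

HASHES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types

def wire_name(name):
    """Canonical lowercase wire form of an owner name (RFC 4034 section 6.2)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """DNSKEY RDATA: flags, protocol, algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def make_ds(owner, key, digest_type=2):
    """DS tuple (key tag, algorithm, digest type, hex digest) for one DNSKEY."""
    rdata = dnskey_rdata(*key)
    digest = HASHES[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), key[2], digest_type, digest)

def secure_entry_points(owner, dnskeys, ds_set):
    """Key tags of published DNSKEYs that some DS record at the parent matches."""
    hits = []
    for key in dnskeys:
        if any(d in HASHES and
               make_ds(owner, key, d) == (t, a, d, h.replace(" ", "").upper())
               for t, a, d, h in ds_set):
            hits.append(key_tag(dnskey_rdata(*key)))
    return hits  # empty list: no DS links to any published key, so no SEP

# Constructed sample data: placeholder zone and made-up key bytes, not real keys.
ZONE = "example.org."
OLD_KSK = (257, 3, 13, base64.b64encode(bytes(range(64))).decode())
NEW_KSK = (257, 3, 13, base64.b64encode(bytes(range(64, 128))).decode())
ZSK = (256, 3, 13, base64.b64encode(bytes(range(128, 192))).decode())
PUBLISHED = [NEW_KSK, ZSK]  # what the zone serves after a key rollover

if __name__ == "__main__":
    # Parent still holds the DS for the retired key: nothing matches.
    print("stale DS:", secure_entry_points(ZONE, PUBLISHED, [make_ds(ZONE, OLD_KSK)]))
    # Parent updated to the DS of the current KSK: one secure entry point.
    print("fixed DS:", secure_entry_points(ZONE, PUBLISHED, [make_ds(ZONE, NEW_KSK)]))
```
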