Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

docs: DNSSEC migration #15190

Merged
merged 2 commits into from
Feb 21, 2025
Merged

docs: DNSSEC migration #15190

merged 2 commits into from
Feb 21, 2025

Conversation

jsoref
Copy link
Contributor

@jsoref jsoref commented Feb 20, 2025

Short description

Small tweaks to DNSSEC migration

Checklist

I have:

  • read the CONTRIBUTING.md document
  • compiled this code
  • tested this code
  • included documentation (including possible behaviour changes)
  • documented the code
  • added or modified regression test(s)
  • added or modified unit test(s)

Habbie
Habbie reviewed Feb 20, 2025
View reviewed changes
docs/dnssec/migration.rst
zone with no configured NSEC3, it will appear as algorithm 5!
Within PowerDNS, the ``algorithm`` for RSASHA1 keys is modulated
based on the NSEC3 setting. So if an ``algorithm=7`` key is imported in a
zone with no configured NSEC3, it will appear as ``algorithm 5``!
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have a vague recollection we got rid of that modulation code, but somebody would have to check.

Copy link
Contributor

@miodvallat miodvallat Feb 21, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Well I see explicit replacement of rsa-sha1-nsec3-sha1 (algo 7) with rsa-sha1 (algo 5) in pdnsutil for both import-zone-key and import-zone-key-pem commands, so I am tempted to believe this still applies.

There's a similer replacement in the API, prefixed with

     // TODO remove in 4.2.0

so I suppose there have been plans to stop doing that, but they were never completed.

@coveralls
Copy link

Pull Request Test Coverage Report for Build 13444956564

Details

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • 45 unchanged lines in 8 files lost coverage.
  • Overall coverage increased (+3.8%) to 64.499%
Files with Coverage Reduction New Missed Lines %
modules/gpgsqlbackend/gpgsqlbackend.cc 1 88.62%
ext/json11/json11.cpp 2 62.72%
pdns/distributor.hh 2 51.86%
pdns/misc.cc 2 62.73%
pdns/recursordist/rec-tcpout.cc 6 50.79%
pdns/dnsdistdist/dnsdist-tcp.cc 8 75.82%
pdns/recursordist/test-syncres_cc1.cc 8 89.22%
modules/lmdbbackend/lmdbbackend.cc 16 72.88%
Totals Coverage Status
Change from base Build 13433765276: 3.8%
Covered Lines: 127626
Relevant Lines: 166905
💛 - Coveralls

@miodvallat miodvallat merged commit 2a2919e into PowerDNS:master Feb 21, 2025
83 checks passed
@jsoref jsoref deleted the dnssec-migration branch February 21, 2025 12:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Habbie Habbie Habbie left review comments

@miodvallat miodvallat miodvallat approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@jsoref @coveralls @Habbie @miodvallat