$Id: DNSSEC,v 1.1.1.1 2000/06/09 23:12:53 wsanchez Exp $

DNSSEC Notes:

This file contains description of two interoperabilty problems related
to DNSSEC that only affect sites using DNSSEC.

1. All versions of bind-8 older than 8.2.2 

Between versions 8.2.1 and 8.2.2 the printed format of SIG records
changed. As a result, using a signer, named and named-xfer of
differrent versions will cause parsing errors on signed zonefiles.
Included is an AWK program that converts old signed zone files to new 
new format, see contrib/dns_signer/add_labels.awk 
Usage: awk -f <path>/contrib/dns_signer/add_labels.awk <signed_zone >fixed_zone

2. BIND-8.1 BIND-8.1.1 BIND-8.1.2 Interoperability

If you wish to use BIND-8.1.x as a master server (either primary or
secondary) for DNSSEC signed zone you MUST apply the following patch
to the file src/bin/named/db_load.c. It fixes a bug that rejects
valid RSA signatures on load. 
You can patch the file by running following command from this directory 
	patch -d bin/named   <DNSSEC 

--- db_load.c.old	Mon Oct 11 15:21:24 1999
+++ db_load.c	Mon Oct 11 15:21:38 1999
@@ -1123,9 +1123,6 @@
 				ERRTO("Signature too short");
 			if (siglen > (NS_MD5RSA_MAX_BITS + 7) / 8)
 				ERRTO("Signature too long");
-			/* We rely on  cp  from parse */
-			if (*cp == 0)
-				ERRTO("Signature starts with zeroes");
 			break;
 
 		case NS_ALG_EXPIRE_ONLY:


