Describe the bug
RFC 4034 requires that a DNSKEY used to verify DNSSEC signatures MUST have protocol 3 and the ZONE flag set. Dnspython currently does not impose these restrictions when validating. Note that this is a standards compliance problem more than a security problem, as a real world DNSSEC validation using such keys could only succeed if the legitimate authority had actually published them since the flags and protocol are included in the DS digest.
Note that it's ok that dnspython can generate such keys and sign with them, so long as it doesn't do this by default, as that is useful for testing.
Context (please complete the following information):
dnspython: 2.4.0
Python version: any
OS: any
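The two RFC 4034 checks described in this issue, and the reason the DS digest already binds the flags and protocol fields, as an added example (not part of the issue or of dnspython's own code). It uses only the Python standard library; the key bytes, the owner name `example.` and the function names are constructed for illustration.

```python
import hashlib
import struct

ZONE = 0x0100  # RFC 4034 section 2.1.1: bit 7 of the 16-bit Flags field


def parse_dnskey(rdata: bytes):
    """Split DNSKEY RDATA into (flags, protocol, algorithm, public_key)."""
    if len(rdata) < 5:
        raise ValueError("DNSKEY RDATA too short")
    flags, protocol, algorithm = struct.unpack("!HBB", rdata[:4])
    return flags, protocol, algorithm, rdata[4:]


def usable_for_validation(rdata: bytes) -> bool:
    """RFC 4034 checks: ZONE flag set and protocol == 3."""
    try:
        flags, protocol, _alg, _key = parse_dnskey(rdata)
    except ValueError:
        return False
    return bool(flags & ZONE) and protocol == 3


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercased) wire form of an absolute ASCII name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return out + b"\x00"


def ds_digest_sha256(owner: str, rdata: bytes) -> str:
    """DS digest type 2: SHA-256(owner name | DNSKEY RDATA)."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()


# Constructed sample keys: 32 filler bytes, algorithm 15 (Ed25519).
KEY = bytes(range(32))
GOOD = struct.pack("!HBB", 0x0101, 3, 15) + KEY       # ZONE|SEP, protocol 3
NO_ZONE = struct.pack("!HBB", 0x0001, 3, 15) + KEY    # ZONE flag clear
BAD_PROTO = struct.pack("!HBB", 0x0101, 2, 15) + KEY  # protocol != 3

if __name__ == "__main__":
    for label, rd in [("good", GOOD), ("no-zone", NO_ZONE), ("bad-proto", BAD_PROTO)]:
        print(label, usable_for_validation(rd), ds_digest_sha256("example.", rd)[:16])
```

Because the digest input is the whole RDATA, the three sample keys produce three different DS digests even though the public key bytes are identical.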