-
Notifications
You must be signed in to change notification settings - Fork 3
/
Copy pathKNOWN_ISSUES
70 lines (46 loc) · 2.43 KB
/
KNOWN_ISSUES
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
$Id$
OpenDNSSEC 1.4.0 - Known Restrictions
The following are the known problems and/or restrictions of release 1.4.0 of
OpenDNSSEC.
BUGS:
-----
OPENDNSSEC-332: Statistics on average sigs/sec not accurate
OPENDNSSEC-437: Problem with invalid signatures on SOA RRset.
Limitations on Number of Zones
------------------------------
Owing to contention in the key management database, performance is degraded if
OpenDNSSEC is used to sign large numbers of zones that do not share common
keys. The problem is worse if SQLite is used for the key and signature manager
database.
As a workaround, we suggest that either the same key is used for all zones, or
that the number of zones be limited to about 5,000.
This will be addressed in a future release of the software.
Issue with rolling from one algorithm to another
------------------------------------------------
The current version will handle key rollovers that also change algorithm just
the same as any other key rollover. This is not sufficient; and so rolling
between algorithms is broken and should not be done with the current system.
Handling of external command calls
----------------------------------
External commands (e.g. NotifyCommand or DelegationSignerSubmitCommand) are
called with popen. This can lead to errors with these external scripts not
being noticed by OpenDNSSEC. It is therefore recommended that when writing
scripts like these that they log enough information for the user to tell
independently if they failed.
Maximum number of HSMs
----------------------
The datatype of the column storing HSMs in the kasp database is only large
enough to store 127 separate HSMs (with a MySQL backend).
Quotation marks in strings
--------------------------
Enforcer does not remove/handle any quotation marks in the imported strings.
This will create a problem when importing the information from e.g. the policy
description field into the Enforcer database.
Intermittent segmentation faults on FreeBSD 9 amd64
-------------------------------------------------
Segmentation faults in _pthread_mutex_init_calloc_cb () from /lib/libc.so.7
have been intermittently seen when running regression tests on our FreeBSD
test server (amd64, FreeBSD 9.0-RELEASE-p3). The segfaults have been seen to
originate in the enforcer, the signer and SQLite on different occasions. These
appear to be due to a bug in the FreeBSD malloc/pthread implementation and are
not due to issues in the OpenDNSSEC code.