[Opendnssec-develop] signature verification

Matthijs Mekking matthijs at NLnetLabs.nl
Fri Nov 27 11:20:02 UTC 2009


Hi,

We have discovered that the signer with softHSM sometimes can output an
invalid signature.

In order to prevent this ending up in the signed zonefile, we should
audit the signatures. Of course, we have the auditor, but we discourage
people to turn it off for large zones.

So, I have added a signature check in the signer, right after libhsm
returned it. This option adds about 19% latency on signature creation.
Thus, we should make this option configurable.

I'm not sure where this option should go, build or run time?

We could also add a third signature check in the softHSM. IMO, that
could facilitate debugging, assuming that the bug is in Botan.


Any thoughts?


Matthijs
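A sketch of the verify-after-sign check described in the message above, with the check switchable at run time. This is an added example, not part of the original post and not OpenDNSSEC code. Assumptions: toy textbook RSA stands in for libhsm/SoftHSM, and `backend_sign`, `FlakySigner`, `sign_checked` and the retry count are hypothetical names and choices made for the illustration.

```python
import hashlib

# Toy textbook-RSA key from two Mersenne primes, constructed for this example.
# It stands in for a key held in an HSM and is not secure (no padding, tiny).
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # modular inverse, Python 3.8+

class BadSignature(Exception):
    """A freshly created signature failed its own verification."""

def digest(data: bytes) -> int:
    # SHA-256 reduced into the toy modulus (demo only).
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def backend_sign(data: bytes) -> int:
    """Hypothetical stand-in for the HSM signing call."""
    return pow(digest(data), D, N)

def verify(data: bytes, sig: int) -> bool:
    return pow(sig, E, N) == digest(data)

class FlakySigner:
    """Simulated fault: flips one bit in every `period`-th signature."""
    def __init__(self, period: int):
        self.period, self.calls = period, 0

    def __call__(self, data: bytes) -> int:
        self.calls += 1
        sig = backend_sign(data)
        return sig ^ 1 if self.calls % self.period == 0 else sig

def sign_checked(data, sign=backend_sign, verify_after_sign=True, retries=1):
    """Sign; when the option is on, verify before the result can be used."""
    for _ in range(retries + 1):
        sig = sign(data)
        if not verify_after_sign or verify(data, sig):
            return sig
    raise BadSignature("signature failed verification; not emitted")

if __name__ == "__main__":
    rrset = b"example.com. 3600 IN A 192.0.2.1"  # constructed sample input
    flaky = FlakySigner(period=2)
    for i in range(4):
        sig = sign_checked(rrset, sign=flaky)
        print(i, "valid:", verify(rrset, sig), "backend calls:", flaky.calls)
```

With the check on, an intermittent fault costs one extra backend call and a persistent fault raises instead of reaching the zone; with `verify_after_sign=False` the corrupted value is returned unchanged.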


