[Opendnssec-develop] signature verification

Roland van Rijswijk roland.vanrijswijk at surfnet.nl
Fri Nov 27 15:42:03 UTC 2009

Hi Matthijs,

IMHO this is a blocking issue, right? It is not acceptable if the
signatures output by the signer are invalid because of a bug in either
softHSM or Botan. I assume that Rickard is checking out what causes
this? If this cannot be fixed at short notice we should consider a 'plan
B' so the release of OpenDNSSEC does not have to be postponed because of
a bug in either softHSM or Botan.

BTW, is it a reproducible bug -- i.e. will it consistently output a
wrong signature given the same input data or is the problem
intermittent? (the latter would be far worse than the former)



Matthijs Mekking wrote:
> Hi,
> We have discovered that the signer with softHSM sometimes can output an
> invalid signature.
> In order to prevent this ending up in the signed zonefile, we should
> audit the signatures. Of course, we have the auditor, but we discourage
> people from turning it off for large zones.
> So, I have added a signature check in the signer, right after libhsm
> returned it. This option adds about 19% latency on signature creation.
> Thus, we should make this option configurable.
> I'm not sure where this option should go, build or run time?
> We could also add a third signature check in the softHSM. Imo, that
> could facilitate debugging, assuming that the bug is in Botan.
> Any thoughts?
> Matthijs

-- Roland M. van Rijswijk
-- SURFnet Middleware Services
-- t: +31-30-2305388
-- e: roland.vanrijswijk at surfnet.nl
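
Added example (not part of the original thread and not OpenDNSSEC, libhsm or softHSM code): a sketch of the configurable verify-after-sign check discussed above, run against a signer that intermittently returns a bad signature. The FlakySigner class, the sign_zone function, the verify_after_sign option, the unpadded toy RSA key and the sample records are all assumptions constructed for illustration.

```python
import hashlib

# Constructed toy RSA key built from two Mersenne primes; illustration only.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))

# Constructed sample records standing in for the RRsets being signed.
RRSETS = {
    "www.example.org. A": b"www.example.org. 3600 IN A 192.0.2.10",
    "mail.example.org. A": b"mail.example.org. 3600 IN A 192.0.2.25",
    "example.org. MX": b"example.org. 3600 IN MX 10 mail.example.org.",
}

def digest_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def verify(data: bytes, sig: int) -> bool:
    """Public-key check: sig^E mod N must equal the digest of the data."""
    return pow(sig, E, N) == digest_int(data)

class FlakySigner:
    """Hypothetical stand-in for the HSM call; corrupts every Nth signature."""
    def __init__(self, fault_every: int = 0):
        self.fault_every, self.calls = fault_every, 0

    def sign(self, data: bytes) -> int:
        self.calls += 1
        sig = pow(digest_int(data), D, N)  # unpadded textbook RSA
        if self.fault_every and self.calls % self.fault_every == 0:
            sig ^= 1  # simulate the intermittent bad signature
        return sig

def sign_zone(signer, rrsets, verify_after_sign=True):
    """Return (accepted signatures, names rejected by the post-sign check)."""
    signed, rejected = {}, []
    for name, data in rrsets.items():
        sig = signer.sign(data)
        if verify_after_sign and not verify(data, sig):
            rejected.append(name)  # never written to the signed zone
            continue
        signed[name] = sig
    return signed, rejected

if __name__ == "__main__":
    for check in (False, True):
        signed, rejected = sign_zone(FlakySigner(fault_every=2), RRSETS, check)
        bad = [n for n, s in signed.items() if not verify(RRSETS[n], s)]
        print(f"check={check}: invalid in output={bad}, rejected={rejected}")
```

With the check off, the corrupted signature ends up among the accepted signatures; with it on, that record is listed as rejected and only valid signatures are returned.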
