[Opendnssec-develop] signature verification
Roland van Rijswijk
roland.vanrijswijk at surfnet.nl
Fri Nov 27 15:42:03 UTC 2009
Hi Matthijs,

IMHO this is a blocking issue, right? It is not acceptable if the
signatures output by the signer are invalid because of a bug in either
softHSM or Botan. I assume that Rickard is checking out what causes
this? If this cannot be fixed at short notice we should consider a 'plan
B' so the release of OpenDNSSEC does not have to be postponed because of
a bug in either softHSM or Botan.

BTW, is it a reproducible bug -- i.e. will it consistently output a
wrong signature given the same input data or is the problem
intermittent? (the latter would be far worse than the former)

Cheers,

Roland

Matthijs Mekking wrote:
> Hi,
>
> We have discovered that the signer with softHSM sometimes can output an
> invalid signature.
>
> In order to prevent this ending up in the signed zonefile, we should
> audit the signatures. Of course, we have the auditor, but we discourage
> people to turn it off for large zones.
>
> So, I have added a signature check in the signer, right after libhsm
> returned it. This option adds about 19% latency on signature creation.
> Thus, we should make this option configurable.
>
> I'm not sure where this option should go, build or run time?
>
> We could also add a third signature check in the softHSM. Imo, that
> could facilitate debugging, assuming that the bug is in Botan.
>
>
> Any thoughts?
>
>
> Matthijs
--
-- Roland M. van Rijswijk
-- SURFnet Middleware Services
-- t: +31-30-2305388
-- e: roland.vanrijswijk at surfnet.nl
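
Added example (not part of the original messages and not OpenDNSSEC, libhsm or SoftHSM code): a sketch of the "verify right after signing" guard discussed in this thread, with the check switchable as a run-time option. Assumptions: RSA/SHA-256 with PKCS#1 v1.5 padding is chosen for illustration, the key is a constructed, insecure toy key, and `FlakySigner`, `sign_checked` and `sign_zone` are hypothetical names.

```python
import hashlib

# Constructed toy RSA key (NOT secure): two Mersenne primes, so no key generation is needed.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes
# DER prefix of the SHA-256 DigestInfo used by PKCS#1 v1.5 signatures
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def encode(data: bytes) -> int:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(data), as an integer."""
    t = SHA256_PREFIX + hashlib.sha256(data).digest()
    em = b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t
    return int.from_bytes(em, "big")

def verify(data: bytes, sig: bytes) -> bool:
    """Public-key check: compare sig^E mod N with the expected encoding."""
    s = int.from_bytes(sig, "big")
    return len(sig) == K and s < N and pow(s, E, N) == encode(data)

class FlakySigner:
    """Hypothetical stand-in for the signing backend; corrupts every `every`-th signature."""
    def __init__(self, every: int):
        self.every, self.calls = every, 0

    def sign(self, data: bytes) -> bytes:
        self.calls += 1
        sig = bytearray(pow(encode(data), D, N).to_bytes(K, "big"))
        if self.calls % self.every == 0:
            sig[-1] ^= 0x01  # simulated intermittent fault
        return bytes(sig)

def sign_checked(signer, data: bytes, check: bool = True, retries: int = 1) -> bytes:
    """Sign, then verify before the signature is allowed into the output."""
    for _ in range(retries + 1):
        sig = signer.sign(data)
        if not check or verify(data, sig):
            return sig
    raise RuntimeError("backend returned an invalid signature")

def sign_zone(rrsets, signer, check: bool = True):
    """Sign each record set (byte strings stand in for canonical RRset data)."""
    return [sign_checked(signer, r, check) for r in rrsets]
```

With `check=False` the corrupted signature passes straight into the output; with the check on, it is re-requested once and the call fails loudly if the backend keeps returning invalid data.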