[Opendnssec-develop] SHA-2 keys mixed up

Rick Zijlker rick.zijlker at sidn.nl
Thu Apr 29 17:03:27 CEST 2010


Hey,

 

(using RC1 SVN checkout)

 

When trying to sign with SHA-2 algorithms the auditor behaves strangely.
It looks like he is checking for RSASHA256 RRSIG where I configured
RSASHA512 and checking for RSASHA512 when I configured RSASHA256.

 

I used RSASHA512 (kasp algorithm 10) as KSK

I used RSASHA256 (kasp algorithm 8) as ZSK

 

It looks like the signing was done exactly the other way around.

 

"

Apr 29 16:59:41 signer1 ods-auditor[20801]: Auditor started

Apr 29 16:59:41 signer1 ods-auditor[20801]: Auditor starting on ods

Apr 29 16:59:41 signer1 ods-auditor[20801]: SOA differs : from 1000 to
1272553181

Apr 29 16:59:41 signer1 ods-auditor[20801]: Auditing ods zone : NSEC3
SIGNED

Apr 29 16:59:41 signer1 ods-auditor[20801]: RRSIGS should include
algorithm RSASHA256 for ods, DNSKEY, have : RSASHA512

Apr 29 16:59:41 signer1 ods-auditor[20801]: RRSIGS should include
algorithm RSASHA512 for ods, NS, have : RSASHA256

Apr 29 16:59:41 signer1 ods-auditor[20801]: RRSIGS should include
algorithm RSASHA512 for ods, MX, have : RSASHA256

Apr 29 16:59:41 signer1 ods-auditor[20801]: RRSIGS should include
algorithm RSASHA512 for ods, NSEC3PARAM, have : RSASHA256

Apr 29 16:59:41 signer1 ods-auditor[20801]: RRSIGS should include
algorithm RSASHA512 for ods, SOA, have : RSASHA256

Apr 29 16:59:41 signer1 ods-auditor[20801]: RRSIGS should include
algorithm RSASHA512 for 02ku2612atoobo27ukr87quljqikihon.ods, NSEC3,
have : RSASHA256

"

 

KASP:

"

                        <!-- Parameters for KSK only -->

                        <KSK>

                                <Algorithm length="2048">10</Algorithm>

                                <Lifetime>PT24H</Lifetime>

                                <Repository>SoftHSM</Repository>

                                <Standby>1</Standby>

                        </KSK>

 

                        <!-- Parameters for ZSK only -->

                        <ZSK>

                                <Algorithm length="1024">8</Algorithm>

                                <Lifetime>PT8H</Lifetime>

                                <Repository>SoftHSM</Repository>

                                <Standby>1</Standby>

                                <!-- <ManualRollover/> -->

                        </ZSK>

"

 

Zone file DNSKEY records:

"

[root at signer1 ~]# more /var/opendnssec/tmp/ods.signed|grep DNSKEY

ods.    1800    IN      DNSKEY  256 3 8
AwEAAbIH/ion9EQRO8Yruj5XSnSqkhAy2OaS2ktp/a+fpaiK52atk7vgnPZUjWMAlQmegdo2
Vps6z9K+SNASBBRhpqX9UouWgWb4G/GaGnOYCHT+TChb8umq8MCKxBYN1LnCQAR18QIDQONt
Vv+x/3DYfnkxsDAAqaowzKxFbAJ4G7BB ;{id = 8091 (zsk), size = 1024b}

ods.    1800    IN      DNSKEY  256 3 8
AwEAAbRJqcRzfzDPo+uRwNL3ath1QbKr3oBhlv944TEyX8tEjK/VEcNQC5VFS/JV8jacS/Gb
fnGB04Ht+JCFkJvGfAIw4LjJ9TTzZ8oy3x5XgbNhDQn4xRpMG5T7mV4Guucx+e67nX8iBwOW
2fAyNxwwoGmJx12u3k6oQsD53u432OJR ;{id = 28443 (zsk), size = 1024b}

ods.    1800    IN      DNSKEY  257 3 10
AwEAAbAAiotJfy/Ivw4jRhU3lD3zPUp0CmVEbDndaggAgmeGuM3Qzx+Eenz2Yy3G/UpkuNXH
6wXRKARWCT0Wyq5HQce13uVZofvqPCxoEvqvaX88Gc+/sKN/jBQlTZTAtF17PHEohk/aTs4c
/CoiZwwNy7NR4B1XiTJpeMgtjgLewCWz4V7oReVcW8ogN85e4k1BKhJIdiWB0vYGqx9t0t4a
9Em3GaODZh0VAwnuQEIe7QJOP4geOF5uJ74EJGbjZ6wdecnfVM3Sf6/duNqtN8dAMJ8jEQNU
NKEFpRJss5RbIdYWEvEHMH075t+Ee7zyQyG3z49rXn4AqDM7AzzTbsqChP0= ;{id =
33133 (ksk), size = 2048b}

ods.    1800    IN      RRSIG   DNSKEY 10 1 1800 20100429190836
20100429145841 33133 ods.
AjD4JFkw3hVIj8Qh0Bnqp195eCb1m9UoV6vZZfB+7q+Ma4lYG2Ltj1Hbfz81gxy0rePgRA6r
ZVnJ86zUIxgEmGs8XM9VQ9RfmNCdEkNem963Hp3yYarN5kB7WwtmGV/sq55Lt1ytv6/GW0kI
vXnH+vBnxLoHD2Xq5u6rHTyG7Tgwhx/2NWhLEgINEKAdlEjufbMyfM+Z+YvoYof/CxSwQzZg
Ik5ff/KCbItqAMFsDYrMGf9wh2cIELUfOoUQOYOS2oHSinHrEFtG6Ko1yPgHJLJt3xkDxMZ3
EJ5bk98O+MdZH1GQTEnCoB6kL9XPYq4Ebn1T8SJHzwLVYS2hYRkJdA== ;{id = 33133}

8dqhts2b5d7cfosiksnb8baps788o74o.ods.   1200    IN      NSEC3   1 0 8
9adcb9a44c6c005c  8mboqi27kmodfu4o4l6q9vv1u883recr A NS SOA MX RRSIG
DNSKEY NSEC3PARAM

"

 

Am I doing something wrong here?

 

p.s. Queensday tomorrow, so will be reading replies on Monday.

 

Cheers,

Rick

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.opendnssec.org/pipermail/opendnssec-develop/attachments/20100429/b2119972/attachment.html>


More information about the Opendnssec-develop mailing list