[Opendnssec-develop] SHA-2 keys mixed up
Rick Zijlker
rick.zijlker at sidn.nl
Thu Apr 29 15:03:27 UTC 2010
Hey,
(using RC1 SVN checkout)
When trying to sign with SHA-2 algorithms the auditor behaves strangely.
It looks like he is checking for RSASHA256 RRSIG where I configured
RSASHA512 and checking for RSASHA512 when I configured RSASHA256.
I used RSASHA512 (kasp algorithm 10) as KSK
I used RSASHA256 (kasp algorithm 8) as ZSK
It looks like the signing was done exactly the other way around.
"
Apr 29 16:59:41 signer1 ods-auditor[20801]: Auditor started
Apr 29 16:59:41 signer1 ods-auditor[20801]: Auditor starting on ods
Apr 29 16:59:41 signer1 ods-auditor[20801]: SOA differs : from 1000 to
1272553181
Apr 29 16:59:41 signer1 ods-auditor[20801]: Auditing ods zone : NSEC3
SIGNED
Apr 29 16:59:41 signer1 ods-auditor[20801]: RRSIGS should include
algorithm RSASHA256 for ods, DNSKEY, have : RSASHA512
Apr 29 16:59:41 signer1 ods-auditor[20801]: RRSIGS should include
algorithm RSASHA512 for ods, NS, have : RSASHA256
Apr 29 16:59:41 signer1 ods-auditor[20801]: RRSIGS should include
algorithm RSASHA512 for ods, MX, have : RSASHA256
Apr 29 16:59:41 signer1 ods-auditor[20801]: RRSIGS should include
algorithm RSASHA512 for ods, NSEC3PARAM, have : RSASHA256
Apr 29 16:59:41 signer1 ods-auditor[20801]: RRSIGS should include
algorithm RSASHA512 for ods, SOA, have : RSASHA256
Apr 29 16:59:41 signer1 ods-auditor[20801]: RRSIGS should include
algorithm RSASHA512 for 02ku2612atoobo27ukr87quljqikihon.ods, NSEC3,
have : RSASHA256
"
KASP:
"
<!-- Parameters for KSK only -->
<KSK>
<Algorithm length="2048">10</Algorithm>
<Lifetime>PT24H</Lifetime>
<Repository>SoftHSM</Repository>
<Standby>1</Standby>
</KSK>
<!-- Parameters for ZSK only -->
<ZSK>
<Algorithm length="1024">8</Algorithm>
<Lifetime>PT8H</Lifetime>
<Repository>SoftHSM</Repository>
<Standby>1</Standby>
<!-- <ManualRollover/> -->
</ZSK>
"
Zone file DNSKEY records:
"
[root at signer1 ~]# more /var/opendnssec/tmp/ods.signed|grep DNSKEY
ods. 1800 IN DNSKEY 256 3 8
AwEAAbIH/ion9EQRO8Yruj5XSnSqkhAy2OaS2ktp/a+fpaiK52atk7vgnPZUjWMAlQmegdo2
Vps6z9K+SNASBBRhpqX9UouWgWb4G/GaGnOYCHT+TChb8umq8MCKxBYN1LnCQAR18QIDQONt
Vv+x/3DYfnkxsDAAqaowzKxFbAJ4G7BB ;{id = 8091 (zsk), size = 1024b}
ods. 1800 IN DNSKEY 256 3 8
AwEAAbRJqcRzfzDPo+uRwNL3ath1QbKr3oBhlv944TEyX8tEjK/VEcNQC5VFS/JV8jacS/Gb
fnGB04Ht+JCFkJvGfAIw4LjJ9TTzZ8oy3x5XgbNhDQn4xRpMG5T7mV4Guucx+e67nX8iBwOW
2fAyNxwwoGmJx12u3k6oQsD53u432OJR ;{id = 28443 (zsk), size = 1024b}
ods. 1800 IN DNSKEY 257 3 10
AwEAAbAAiotJfy/Ivw4jRhU3lD3zPUp0CmVEbDndaggAgmeGuM3Qzx+Eenz2Yy3G/UpkuNXH
6wXRKARWCT0Wyq5HQce13uVZofvqPCxoEvqvaX88Gc+/sKN/jBQlTZTAtF17PHEohk/aTs4c
/CoiZwwNy7NR4B1XiTJpeMgtjgLewCWz4V7oReVcW8ogN85e4k1BKhJIdiWB0vYGqx9t0t4a
9Em3GaODZh0VAwnuQEIe7QJOP4geOF5uJ74EJGbjZ6wdecnfVM3Sf6/duNqtN8dAMJ8jEQNU
NKEFpRJss5RbIdYWEvEHMH075t+Ee7zyQyG3z49rXn4AqDM7AzzTbsqChP0= ;{id =
33133 (ksk), size = 2048b}
ods. 1800 IN RRSIG DNSKEY 10 1 1800 20100429190836
20100429145841 33133 ods.
AjD4JFkw3hVIj8Qh0Bnqp195eCb1m9UoV6vZZfB+7q+Ma4lYG2Ltj1Hbfz81gxy0rePgRA6r
ZVnJ86zUIxgEmGs8XM9VQ9RfmNCdEkNem963Hp3yYarN5kB7WwtmGV/sq55Lt1ytv6/GW0kI
vXnH+vBnxLoHD2Xq5u6rHTyG7Tgwhx/2NWhLEgINEKAdlEjufbMyfM+Z+YvoYof/CxSwQzZg
Ik5ff/KCbItqAMFsDYrMGf9wh2cIELUfOoUQOYOS2oHSinHrEFtG6Ko1yPgHJLJt3xkDxMZ3
EJ5bk98O+MdZH1GQTEnCoB6kL9XPYq4Ebn1T8SJHzwLVYS2hYRkJdA== ;{id = 33133}
8dqhts2b5d7cfosiksnb8baps788o74o.ods. 1200 IN NSEC3 1 0 8
9adcb9a44c6c005c 8mboqi27kmodfu4o4l6q9vv1u883recr A NS SOA MX RRSIG
DNSKEY NSEC3PARAM
"
Am I doing something wrong here?
p.s. Queensday tomorrow, so will be reading replies on Monday.
Cheers,
Rick
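As an added example (not part of Rick's post and not OpenDNSSEC's own auditor code), the following Python script applies the rule the KASP above implies, that the DNSKEY RRset is signed with the KSK algorithm and every other RRset with the ZSK algorithm, to a constructed zone excerpt modelled on the quoted `ods.signed` records (key tags and algorithms as in the post, base64 material abbreviated to placeholders). It assumes, as the post's output shows, that the signer writes a `;{id = N (ksk|zsk)}` comment after each DNSKEY, and reads key tags from that comment instead of recomputing them. Run with the roles as configured it reports nothing; run with the roles swapped it reproduces the auditor log lines quoted above, which is the symptom the post describes.

```python
import re

# Algorithm numbers (IANA DNSSEC registry) to the mnemonics ods-auditor prints.
ALG_NAMES = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512"}

# Algorithms from the KASP in the post: KSK = 10 (RSASHA512), ZSK = 8 (RSASHA256).
KASP = {"ksk": 10, "zsk": 8}

# Constructed zone excerpt modelled on the post's signed zone. Key tags and
# algorithms are the post's; base64 key and signature material is placeholder text.
ZONE = """\
ods. 1800 IN DNSKEY 256 3 8 AwEAAbIH...7BB ;{id = 8091 (zsk), size = 1024b}
ods. 1800 IN DNSKEY 256 3 8 AwEAAbRJ...OJR ;{id = 28443 (zsk), size = 1024b}
ods. 1800 IN DNSKEY 257 3 10 AwEAAbAA...P0= ;{id = 33133 (ksk), size = 2048b}
ods. 1800 IN RRSIG DNSKEY 10 1 1800 20100429190836 20100429145841 33133 ods. AjD4...dA==
ods. 1800 IN RRSIG SOA 8 1 1800 20100429190836 20100429145841 8091 ods. c2ln...ZQ==
ods. 1800 IN RRSIG NS 8 1 1800 20100429190836 20100429145841 8091 ods. c2ln...ZQ==
ods. 1800 IN RRSIG MX 8 1 1800 20100429190836 20100429145841 8091 ods. c2ln...ZQ==
"""

# Assumption: the signer's per-key comment is present, as in the post's output.
KEY_ID_RE = re.compile(r";\{id = (\d+) \((ksk|zsk)\)")


def alg_name(alg):
    return ALG_NAMES.get(alg, str(alg))


def parse_zone(text):
    """Return ({keytag: (role, algorithm)}, [(owner, covered_type, algorithm, keytag)]).

    Records must be one per line, as in the post's 'ods.signed' excerpt.
    """
    keys, sigs = {}, []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[2] != "IN":
            continue
        if fields[3] == "DNSKEY":
            m = KEY_ID_RE.search(line)
            if m is None:
                raise ValueError("DNSKEY without signer id comment: " + line)
            keys[int(m.group(1))] = (m.group(2), int(fields[6]))
        elif fields[3] == "RRSIG":
            # RRSIG rdata: covered alg labels orig_ttl expiration inception keytag signer sig
            owner = fields[0].rstrip(".") or "."
            sigs.append((owner, fields[4], int(fields[5]), int(fields[10])))
    return keys, sigs


def expected_algorithm(covered_type, kasp, roles_swapped=False):
    """The DNSKEY RRset is signed by the KSK, every other RRset by the ZSK."""
    role = "ksk" if covered_type == "DNSKEY" else "zsk"
    if roles_swapped:  # reproduce the mix-up the post's auditor log shows
        role = "zsk" if role == "ksk" else "ksk"
    return kasp[role]


def audit(keys, sigs, kasp, roles_swapped=False):
    """Return ods-auditor style findings; an empty list means the zone is consistent."""
    findings = []
    for owner, covered, alg, tag in sigs:
        want = expected_algorithm(covered, kasp, roles_swapped)
        if alg != want:
            findings.append("RRSIGS should include algorithm %s for %s, %s, have : %s"
                            % (alg_name(want), owner, covered, alg_name(alg)))
        # RFC 4035 section 5.3.1: the RRSIG algorithm must match the DNSKEY it names.
        if tag not in keys:
            findings.append("RRSIG %s for %s names unknown key tag %d" % (covered, owner, tag))
        elif keys[tag][1] != alg:
            findings.append("RRSIG %s for %s uses %s but key %d is %s"
                            % (covered, owner, alg_name(alg), tag, alg_name(keys[tag][1])))
    return findings


if __name__ == "__main__":
    k, s = parse_zone(ZONE)
    print("roles as configured:", audit(k, s, KASP) or "no findings")
    for line in audit(k, s, KASP, roles_swapped=True):
        print("roles swapped:      ", line)
```

The second check (RRSIG algorithm against the algorithm of the DNSKEY whose tag it names) is independent of any KASP and is the one a validating resolver effectively performs; a zone that passes it but trips the first check, as the quoted log does, points at the auditor's expectation of which role signs what, not at the signatures themselves.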