[Opendnssec-develop] RRSIG's mixed up
Rick Zijlker
rick.zijlker at sidn.nl
Tue Mar 2 13:56:23 UTC 2010
Hey guys,

We signed a fresh unsigned nl-zone (NSEC3 optout) with 10% DS records in
the zone and see differences between the RRSIG records. I cleaned everything
before signing: emptied the /tmp and /signed directories, updated configs and
restarted engines. For the first few domains we see them as expected:
test.nl. 7200 IN NS ns1.sidn.nl.
test.nl. 7200 IN NS ns2.sidn.nl.
test.nl. 7200 IN NS ns3.sidn.nl.
test.nl. 7200 IN DS 22922 7 1
f62411de95a5b7bcabe976c0e65034a35a9fa937 ;
xutid-gygat-vihop-hutur-sypiv-natos-binah-bytyp-fekyn-zypof-lyxix
test.nl. 7200 IN RRSIG DS 7 2 7200 20100309181443
20100302104953 19763 nl.
WX6fOSxaHgrb0mjzcBdQ6uK5bfAwYhBCQrZoB+he7O44fnXIovZrYgFb/yC92UN+J90MShRE
93fHlOcgQKnfeyVqv3Inde7NkG5tNiOPvpd4vhGyplQXg0FwhPuvc4nm5YN8EXuFLNNJiYo2
w67kKrcS9O3060IPxBNU6HLIhK0= ;{id = 19763}
000aui1rb6m0jg9ossds01v4esqlrhhg.nl. 3600 IN NSEC3 1 1 5
95c66b1754a40aea 000d8j29h5rgect8v386ctgmntsl4cse NS DS RRSIG ; flags:
optout
000aui1rb6m0jg9ossds01v4esqlrhhg.nl. 3600 IN RRSIG NSEC3 7
2 3600 20100309152412 20100302104953 19763 nl.
Ej2fatgOImaUGkNYgUMpi3NqIerlqTG1QaRp0T93DSWdM/QMbGIp+lHzRIYWkvtGx/TmhOEJ
0ZDEUjoh1XmQcqJVmIQWzqqQfpyNo4vC8/szkM4uJfxJi+xzBGDDsfTZqMPMkrFFiTrT3C50
CZDNgPjWp49tWaILwE6cLfozE0c= ;{id = 19763}
A few domains later it looks like the RRSIG records are incomplete:
test2.nl. 7200 IN NS ns3.sidn.nl.
test2.nl. 7200 IN NS ns4.sidn.nl.
test2.nl. 7200 IN DS 22922 7 1
f62411de95a5b7bcabe976c0e65034a35a9fa937 ;
xutid-gygat-vihop-hutur-sypiv-natos-binah-bytyp-fekyn-zypof-lyxix
BAmqHGpeiWfEVeWmn/RRKCvQSyD0YAlVXwyxdSUKDWUG2x9AXY5ZNhNoj7KUdjYEgjRsUFQ=
;{id = 19763}
000ffl0k09ookdoophflkd44d7i7v99k.nl. 3600 IN NSEC3 1 1 5
95c66b1754a40aea 000fqll6rdl9ihdj318hrbc95q4putdk NS DS RRSIG ; flags:
optout
CPB1Ubiw4FpfufE2zuAaa/r6w+uLALMuwsqUasNRCdORvGHwEzR0VfcrLaw8YOv6op/8c4KK
pyi28JbCp0= ;{id = 19763}
It seems as if there is an incomplete hash instead of an RRSIG record.
Later there are complete RRSIG records again.

Another question: what exactly is the meaning of the
"xutid-gygat-vihop...." string in the DS record? I can't find anything
in the RFCs explaining this added comment.
Cheers,
Rick
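
A check for the symptom reported above, as an added example that is not part of the original post or of OpenDNSSEC: it flags orphan signature fragments, truncated RRSIGs, and DS/NSEC3 records left without a covering RRSIG. It assumes the signed zone file holds one record per line (unlike the mail-wrapped excerpts); the function name, sample owner names and placeholder signature are constructed.

```python
import base64
import re
from collections import Counter

# owner, TTL, class IN, type, rdata (comments are stripped before matching)
RR = re.compile(r"^(\S+)\s+\d+\s+IN\s+([A-Z0-9]+)\s+(.+)$")
MUST_BE_SIGNED = {"DS", "NSEC3"}  # delegation NS sets are unsigned by design

def check_signed_zone(text):
    """Return sorted (line_no, problem) pairs for a one-record-per-line zone."""
    problems, covered, needs_sig, sigs = [], set(), {}, []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].strip()
        m = RR.match(line)
        if not line:
            continue
        if not m:
            problems.append((no, "orphan data, not a resource record"))
            continue
        owner, rtype, rdata = m.group(1).lower(), m.group(2), m.group(3).split()
        if rtype in MUST_BE_SIGNED:
            needs_sig.setdefault((owner, rtype), no)
        if rtype != "RRSIG":
            continue
        try:  # 8 fixed rdata fields, then the base64 signature
            sig = base64.b64decode("".join(rdata[8:]), validate=True)
        except ValueError:
            sig = b""
        if not sig:
            problems.append((no, "RRSIG incomplete or signature not base64"))
            continue
        covered.add((owner, rdata[0]))
        sigs.append((no, rdata[6], len(sig)))  # rdata[6] is the key tag
    # Signatures made by one RSA key all have the same length; flag outliers.
    for tag in {t for _, t, _ in sigs}:
        usual = Counter(n for _, t, n in sigs if t == tag).most_common(1)[0][0]
        problems += [(no, f"signature length {n}, usual is {usual}")
                     for no, t, n in sigs if t == tag and n != usual]
    problems += [(no, f"{rtype} at {owner} has no RRSIG")
                 for (owner, rtype), no in needs_sig.items()
                 if (owner, rtype) not in covered]
    return sorted(problems)

SIG = base64.b64encode(bytes(128)).decode()  # constructed placeholder signature
SAMPLE = "\n".join([  # constructed zone lines; the last one is an orphan fragment
    "good.example. 7200 IN DS 22922 7 1 " + "ab" * 20,
    "good.example. 7200 IN RRSIG DS 7 2 7200 20100309181443 20100302104953 19763 example. " + SIG,
    "bad.example. 7200 IN DS 22922 7 1 " + "ab" * 20,
    SIG[-40:] + " ;{id = 19763}",
])
```

Running `check_signed_zone(SAMPLE)` reports the unsigned DS on line 3 and the orphan fragment on line 4; it checks structure only and does not verify the signatures cryptographically.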