[Opendnssec-develop] [OpenDNSSEC] #189: Auditor fails to validate CERT RR
OpenDNSSEC
owner-dnssec-trac at kirei.se
Sun Oct 31 01:54:03 UTC 2010
#189: Auditor fails to validate CERT RR
-----------------------------------------------------+----------------------
Reporter: Marc Dequènes (Duck) <duck@…> | Owner: alex
Type: defect | Status: new
Priority: critical | Component: Auditor
Version: trunk | Keywords:
-----------------------------------------------------+----------------------
I've got a CERT entry in my zone:
host -t cert orfeo.duckcorp.org
The zone has been freshly created and cannot be published because of a
reject from the auditor. Apparently, it uses a buffer too short, resulting
in a truncated RR content and failed comparison of the unsigned/signed
zone. The file '/var/lib/opendnssec/tmp/duckcorp.org.finalized' contains a
CERT entry which is not truncated, that's why I think the auditor is at
fault.
The corresponding log follows:
{{{
Oct 31 02:28:12 Orfeo ods-signerd: signer stderr: Warning: unable to open
/var/lib/opendnssec/tmp/duckcorp.org.signed: No such file or directory,
performing full zone sign
Oct 31 02:28:12 Orfeo ods-signerd: signer stderr: signer: number of
signatures created: 230 (230 rr/sec)
Oct 31 02:28:12 Orfeo ods-signerd: Created 230 new signatures
Oct 31 02:28:12 Orfeo ods-signerd: Run command:
'/usr/lib/opendnssec/opendnssec/finalizer -f
/var/lib/opendnssec/tmp/duckcorp.org.signed -x
/var/lib/opendnssec/tmp/duckcorp.org.optout'
Oct 31 02:28:12 Orfeo ods-signerd: Running auditor on zone
Oct 31 02:28:12 Orfeo ods-signerd: Run command: '/usr/bin/ods-auditor -c
/etc/opendnssec/conf.xml -s /var/lib/opendnssec/tmp/duckcorp.org.finalized
-z duckcorp.org'
Oct 31 02:28:12 Orfeo ods-auditor[1861]: Auditor started
Oct 31 02:28:12 Orfeo ods-auditor[1861]: Auditor starting on duckcorp.org
Oct 31 02:28:12 Orfeo ods-auditor[1861]: SOA differs : from 2010102900 to
2010103100
Oct 31 02:28:12 Orfeo ods-auditor[1861]: Auditing duckcorp.org zone :
NSEC3 SIGNED
Oct 31 02:28:13 Orfeo ods-auditor[1861]: non-DNSSEC RRSet CERT included in
Output that was not present in Input :
orfeo.duckcorp.org.#0113600#011IN#011CERT#011PKIX 0 RESERVED
Oct 31 02:28:13 Orfeo ods-auditor[1861]: Output zone does not contain non-
DNSSEC RRSet : CERT, orfeo.duckcorp.org.#0113600#011IN#011CERT#011PKIX 0
RESERVED MIICozCCAgygAwIBAgIJANIuJ9N8HJH5MA0GCSqGSIb3DQEBBAUAMH4xCzAJBgNV
Oct 31 02:28:13 Orfeo ods-auditor[1861]: Finished auditing duckcorp.org
zone
}}}
DNSSEC is most useful to protect security information, like CERT and SSHFP
entries, that's why I consider this problem to defeat the software's purpose
and have raised the severity to critical.
--
Ticket URL: <http://trac.opendnssec.org/ticket/189>
OpenDNSSEC <http://www.opendnssec.org/>
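The two log messages above ("non-DNSSEC RRSet CERT included in Output that was not present in Input" followed by "Output zone does not contain non-DNSSEC RRSet : CERT") are what a zone comparison produces when one side of the comparison holds a cut-off copy of the same record. The script below is an added example, not code from OpenDNSSEC or from the ticket's reporter, written in Ruby like ods-auditor itself. It models the auditor's non-DNSSEC RRset check over two constructed zone files and lets a fixed-size line buffer be applied to the signed side only, which is the reporter's hypothesis; the zone contents, the certificate and signature blobs, and the 80-byte buffer size are all constructed for the example, and the SOA RRset is skipped because the signer legitimately bumps the serial.

```ruby
require 'base64'
require 'set'

# Record types the signer generates itself; the auditor expects these only in the
# signed output and does not require them in the unsigned input.
DNSSEC_TYPES = %w[RRSIG NSEC NSEC3 NSEC3PARAM DNSKEY].freeze

# The SOA serial is legitimately changed by the signer (the log shows
# "SOA differs : from 2010102900 to 2010103100"), so SOA is not compared here.
IGNORED_TYPES = (DNSSEC_TYPES + ['SOA']).freeze

# Constructed stand-ins for the certificate and signature blobs (not real data).
SAMPLE_CERT_B64 = Base64.strict_encode64('constructed certificate bytes ' * 6)
SAMPLE_SIG_B64  = Base64.strict_encode64('constructed RRSIG bytes ' * 4)

# Constructed unsigned input zone, one record per line.
UNSIGNED_ZONE = <<~ZONE
  $TTL 3600
  duckcorp.org.       3600 IN SOA  ns.duckcorp.org. hostmaster.duckcorp.org. 2010102900 3600 900 1209600 3600
  orfeo.duckcorp.org. 3600 IN A    192.0.2.10
  orfeo.duckcorp.org. 3600 IN CERT PKIX 0 RESERVED #{SAMPLE_CERT_B64}
ZONE

# Constructed signed output zone: the same data, a bumped serial, and DNSSEC records.
SIGNED_ZONE = <<~ZONE
  $TTL 3600
  duckcorp.org.       3600 IN SOA  ns.duckcorp.org. hostmaster.duckcorp.org. 2010103100 3600 900 1209600 3600
  duckcorp.org.       3600 IN NSEC3PARAM 1 0 5 ab
  orfeo.duckcorp.org. 3600 IN A    192.0.2.10
  orfeo.duckcorp.org. 3600 IN RRSIG A 7 3 3600 20101130000000 20101031000000 12345 duckcorp.org. #{SAMPLE_SIG_B64}
  orfeo.duckcorp.org. 3600 IN CERT PKIX 0 RESERVED #{SAMPLE_CERT_B64}
  orfeo.duckcorp.org. 3600 IN RRSIG CERT 7 3 3600 20101130000000 20101031000000 12345 duckcorp.org. #{SAMPLE_SIG_B64}
ZONE

# Parse a one-record-per-line zone file into { [owner, class, type] => Set of RDATA }.
# `buffer` emulates a fixed-size line buffer: each line is cut to that many bytes
# before parsing, which is the failure mode the ticket attributes to the auditor.
def parse_zone(text, buffer: nil)
  rrsets = Hash.new { |h, k| h[k] = Set.new }
  text.each_line do |raw|
    line = raw.chomp
    line = line.byteslice(0, buffer) if buffer
    next if line.strip.empty? || line.start_with?('$', ';')
    owner, _ttl, klass, type, *rdata = line.split
    next if rdata.empty? # header fields incomplete: nothing comparable
    rrsets[[owner.downcase, klass.upcase, type.upcase]] << rdata.join(' ')
  end
  rrsets
end

# Compare non-DNSSEC RRsets the way the auditor's log messages describe it:
# anything in the output that is not in the input, and vice versa, is reported.
# `output_buffer` applies the truncating read to the signed side only, which is
# enough to reproduce the pair of messages seen in the ticket.
def audit(unsigned_text, signed_text, output_buffer: nil)
  input  = parse_zone(unsigned_text)
  output = parse_zone(signed_text, buffer: output_buffer)
  findings = []
  keys = (input.keys | output.keys).reject { |(_, _, type)| IGNORED_TYPES.include?(type) }
  keys.sort.each do |key|
    owner, _klass, type = key
    (output[key] - input[key]).each do |rdata|
      findings << "non-DNSSEC RRSet #{type} included in Output that was not present in Input : #{owner} #{rdata}"
    end
    (input[key] - output[key]).each do |rdata|
      findings << "Output zone does not contain non-DNSSEC RRSet : #{type}, #{owner} #{rdata}"
    end
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  puts "full-length read : #{audit(UNSIGNED_ZONE, SIGNED_ZONE).size} finding(s)"
  puts '80-byte buffer   :'
  audit(UNSIGNED_ZONE, SIGNED_ZONE, output_buffer: 80).each { |f| puts "  #{f}" }
end
```

With the lines read in full the two zones agree and nothing is reported; with the signed side cut at 80 bytes the CERT record's base64 RDATA loses its tail, so the same RRset is reported once as "included in Output" (the short copy) and once as "not contained" (the full copy), exactly the shape of the ticket's log. The practical check this suggests is to compare the RDATA length of the record in the signed file against the unsigned input: if the file is intact, as the reporter found for the '.finalized' file, the mismatch is in the reader, not the zone.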