[Opendnssec-develop] Removing leading zeroes

Rickard Bellgrim rickard at opendnssec.org
Thu Mar 1 08:29:56 UTC 2012


I have reviewed and edited the patch about DNSKEY with leading zeroes.
It has been applied to 1.2, 1.3, and trunk. You can find the commit in
r6191 (http://fisheye.opendnssec.org/changelog/opendnssec?cs=6191).

It is difficult for us to detect any system running with this bug, so
the following text was written for the NEWS file:

HSM SCA 6000 in combination with OpenCryptoki can return RSA key
material with leading zeroes. DNSSEC does not allow leading zeroes in
key data. You are affected by this bug if your DNSKEY RDATA e.g.
begins with "BAABA". Normal keys begin with e.g. "AwEAA". OpenDNSSEC
will now sanitize incoming data before adding it to the DNSKEY. Do not
upgrade to this version if you are affected by the bug. You first need
to go unsigned, then do the upgrade, and finally sign your zone again.
SoftHSM and other HSMs will not produce data with leading zeroes and
the bug will thus not affect you.

// Rickard
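As an added illustration (not part of Rickard's post or of OpenDNSSEC's own code): the RFC 3110 packing that makes a leading zero on the RSA exponent show up as "BAABA" instead of "AwEAA" in the DNSKEY RDATA, a sanitizer of the kind the fix describes, and a check for existing DNSKEY data. The exponent and modulus octets are constructed sample values.

```python
import base64

# Constructed sample "HSM output" (not from the original post): the exponent
# 65537 and a 2048-bit modulus, each padded with one leading zero octet the
# way the affected HSM/OpenCryptoki combination is described as doing.
RAW_EXPONENT = b"\x00\x01\x00\x01"
RAW_MODULUS = b"\x00\xd5" + b"\xa7" * 255


def strip_leading_zeroes(data: bytes) -> bytes:
    """Drop leading zero octets (keep a single octet for the value zero)."""
    return data.lstrip(b"\x00") or b"\x00"


def rfc3110_public_key(exponent: bytes, modulus: bytes, sanitize: bool) -> bytes:
    """Pack an RSA public key as RFC 3110 DNSKEY public-key data:
    exponent length (1 octet, or 0x00 plus 2 octets if >= 256), exponent, modulus."""
    if sanitize:
        exponent = strip_leading_zeroes(exponent)
        modulus = strip_leading_zeroes(modulus)
    elen = len(exponent)
    header = bytes([elen]) if elen < 256 else b"\x00" + elen.to_bytes(2, "big")
    return header + exponent + modulus


def dnskey_rdata_b64(exponent: bytes, modulus: bytes, sanitize: bool) -> str:
    """Base64 public-key field as it appears in DNSKEY presentation format."""
    return base64.b64encode(rfc3110_public_key(exponent, modulus, sanitize)).decode()


def has_leading_zeroes(rdata_b64: str) -> bool:
    """Check an existing DNSKEY public-key field for the bug: a leading zero
    octet in either the exponent or the modulus."""
    raw = base64.b64decode(rdata_b64)
    if raw[0] != 0:
        elen, offset = raw[0], 1
    else:
        elen, offset = int.from_bytes(raw[1:3], "big"), 3
    exponent = raw[offset:offset + elen]
    modulus = raw[offset + elen:]
    return exponent.startswith(b"\x00") or modulus.startswith(b"\x00")


if __name__ == "__main__":
    bad = dnskey_rdata_b64(RAW_EXPONENT, RAW_MODULUS, sanitize=False)
    good = dnskey_rdata_b64(RAW_EXPONENT, RAW_MODULUS, sanitize=True)
    print(bad[:5], has_leading_zeroes(bad))    # BAABA True
    print(good[:5], has_leading_zeroes(good))  # AwEAA False
```

Running `has_leading_zeroes` over the base64 field of each published DNSKEY is a quick way to tell whether a zone was signed with affected key material before upgrading.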
