[Opendnssec-user] 1.0.0rc1 nsec3 signing bug, or some sort of newbie mistake

Alexd at nominet.org.uk Alexd at nominet.org.uk
Tue Dec 8 08:57:29 UTC 2009


Hi Dan - 

> I've set up opendnssec 1.0.0rc1 and softhsm 1.1.1 on an RHEL5 x64 system, 
> and added an initial zone.

Can I ask if you have updated ldns to 1.6.3? This looks like the bug which 
was fixed between version 1.6.2 and 1.6.3 (NSEC3 bitmaps). [The NSEC3 
record in the zone below incorrectly includes NSEC in the bitmap]

> The zone is signed by the signer, but a bunch of strange records are
> added

These are the NSEC3 records. If you do not need to prevent zone walking, 
and your zone is not so large that opt-out is a requirement, then you are 
just as well served by NSEC (which does not require the "strange records" 
in the signed zone).

Thanks,


Alex.

> 
> The zone is signed by the signer, but a bunch of strange records are
> added, and the auditor correctly prevents it from being published (go,
> auditor).  It appears some encoded data from a signature or key is
> being used instead of the rrset name for the NSEC3 record & sig.
> 
> Here's the beginning of my zone file (full signed & unsigned files 
> attached).
> 
>    ucaid.edu.      3600    IN      SOA     dns2.internet2.edu. hostmaster.internet2.edu. 2009120700 7200 3600 604800 3600
>    f.ucaid.edu.    21600   IN      A       127.0.1.1
>    f.ucaid.edu.    21600   IN      RRSIG   A 7 3 21600 20091215093248 20091207210305 36795 ucaid.edu. MLA8Zp8A8BxtsH4D5IbyItZfeGiAbe1rHVOOC/kSYdkoaEE6VDRheUBjnUx3NfpwwMhKNvzEGYAMz4DK8vwjItawc4mElKyPNFbaY+YkLpMBesH2ByzaNUBFVQPZgIckEt6KE3QGpNSoCbW9VPIX7HPaLkozOb09NNQepONFr/I= ;{id = 36795}
>    0h3cgtfk2gtfveu2ov029uf9q204utvo.ucaid.edu.     3600    IN      NSEC3   1 0 5 47be864fd7bacede  1hdjlgnsii3s0mcsb3b1f49nqfvc9lgf A RRSIG NSEC
>    0h3cgtfk2gtfveu2ov029uf9q204utvo.ucaid.edu.     3600    IN      RRSIG   NSEC3 7 3 3600 20091215083751 20091207210305 36795 ucaid.edu. Yarwa5Uw0vxzHZ9hsdgNbsG+kDievhev1APkYJ1KujwNqBMKZzWEWeWo9B/b4VqaxEwCNPxBg8+MOWHv3FfI+f94cJzytOtSLPCTiziMi4ge8m9QKhWTFzokI5l3z6t+N3SbnHdlWumUsfrHfAcWSvJ6GtpxbLrwx6e3QMiAYsU= ;{id = 36795}
>    tsgdev0-29.ucaid.edu.   21600   IN      A       207.75.164.29
> 
> in case it's not obvious, 0h3cgtfk2gtfveu2ov029uf9q204utvo.ucaid.edu
> occurs nowhere in the input :)
> 
> 
> More configuration details as necessary.
> 
> thanks
> 
> danno
> --
> Dan Pritts, Sr. Systems Engineer
> Internet2
> office: +1-734-352-4953 | mobile: +1-734-834-7224
> 
> Winter 2010 ESCC/Internet2 Joint Techs
> Hosted by the University of Utah - Salt Lake City, UT
> January 31 - February 4, 2010
> http://events.internet2.edu/2010/jt-slc/
> [attachment "unsigned.zone" deleted by Alex Dalitz/Nominet] 
> [attachment "finalized.zone" deleted by Alex Dalitz/Nominet] 
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
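Added example, not part of either message above: the "strange" owner names Dan sees are NSEC3 hashes of the zone's real names. This script implements the RFC 5155 hash with the parameters from the quoted record (SHA-1, 5 iterations, salt 47be864fd7bacede) so the labels can be traced back to their source names, and flags the NSEC type in an NSEC3 bitmap that Alex identifies as the ldns bug; function names are my own.

```python
import base64
import hashlib

# NSEC3 parameters copied from the NSEC3 record quoted in the thread:
# hash algorithm 1 (SHA-1), flags 0, 5 iterations, salt 47be864fd7bacede.
ITERATIONS = 5
SALT_HEX = "47be864fd7bacede"

# Standard base32 alphabet -> base32hex (RFC 4648 s7), the encoding NSEC3
# owner labels use (RFC 5155 s7.1).
_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                           "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6.2): labels lower-cased,
    each prefixed by its length, terminated by the empty root label."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def nsec3_hash(name: str, salt_hex: str = SALT_HEX, iterations: int = ITERATIONS) -> str:
    """RFC 5155 s5: IH(0) = H(owner || salt), IH(k) = H(IH(k-1) || salt).
    The final 20-byte SHA-1 digest is rendered as a 32-character base32hex label."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_TO_B32HEX).lower()


def hashed_owners(zone: str, names) -> dict:
    """Map each original owner name to the NSEC3 owner name it produces under
    `zone`, so an opaque label in the signed zone can be traced to its source."""
    return {n: f"{nsec3_hash(n)}.{zone}" for n in names}


def nsec3_bitmap_problems(types) -> list:
    """An NSEC3-signed zone carries no NSEC RRs, so NSEC in an NSEC3 Type Bit Map
    points at a signer bug (the ldns issue mentioned in the reply above)."""
    return [t for t in types if t.upper() == "NSEC"]


if __name__ == "__main__":
    # Owner names that appear in the unsigned zone excerpt quoted above.
    for orig, hashed in hashed_owners("ucaid.edu.", ["ucaid.edu.", "f.ucaid.edu.", "tsgdev0-29.ucaid.edu."]).items():
        print(f"{orig:24} -> {hashed}")
    # Type Bit Map of the quoted NSEC3 record: "A RRSIG NSEC".
    print("bitmap problems:", nsec3_bitmap_problems(["A", "RRSIG", "NSEC"]))
```

Comparing the printed hashes against the owner names of the NSEC3 records in the signed zone shows which original name each one belongs to; a non-empty problem list means the signer has emitted a bitmap no validator should ever see.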