[Opendnssec-user] Auditor failing to verify signatures which appear to be ok

Dave Knight dave at knig.ht
Thu Mar 18 06:47:08 UTC 2010


On 2010-03-18, at 2:23 AM, Dave Knight wrote:

> 
> I have a policy configured for zones to be signed with NSEC and SHA256. I am signing some zones with this; it works fine.
> 
> I add this zone...
> 
> in-addr-servers.arpa.	86400	IN	SOA	A.in-addr-servers.arpa. NSTLD.IANA.ORG. 2010030200 14400 7200 1209600 86400
> A.in-addr-servers.arpa.	86400	IN	A	199.212.0.73
> A.in-addr-servers.arpa.	86400	IN	AAAA	2001:500:13::73
> B.in-addr-servers.arpa.	86400	IN	A	199.253.183.183
> B.in-addr-servers.arpa.	86400	IN	AAAA	2001:500:87::87
> C.in-addr-servers.arpa.	86400	IN	A	196.216.169.10
> C.in-addr-servers.arpa.	86400	IN	AAAA	2001:43f8:110::10
> D.in-addr-servers.arpa.	86400	IN	A	200.3.13.10
> D.in-addr-servers.arpa.	86400	IN	AAAA	2001:13c7:7002:3000::10
> E.in-addr-servers.arpa.	86400	IN	A	202.12.28.140
> E.in-addr-servers.arpa.	86400	IN	AAAA	2001:dc0:1:0:4777::140
> F.in-addr-servers.arpa.	86400	IN	A	193.0.0.196
> F.in-addr-servers.arpa.	86400	IN	AAAA	2001:610:240:0:53::4
> in-addr-servers.arpa.	86400	IN	NS	A.in-addr-servers.arpa.
> in-addr-servers.arpa.	86400	IN	NS	B.in-addr-servers.arpa.
> in-addr-servers.arpa.	86400	IN	NS	C.in-addr-servers.arpa.
> in-addr-servers.arpa.	86400	IN	NS	D.in-addr-servers.arpa.
> in-addr-servers.arpa.	86400	IN	NS	E.in-addr-servers.arpa.
> in-addr-servers.arpa.	86400	IN	NS	F.in-addr-servers.arpa.
> 
> ...it is signed just fine, but I get the following from the Auditor
> 
> # bin/ods-auditor --zone in-addr-servers.arpa --signed var/opendnssec/tmp/in-addr-servers.arpa.finalized 
> Auditor started
> Auditor starting on in-addr-servers.arpa
> 6: Auditing in-addr-servers.arpa zone : NSEC SIGNED
> 3: RRSet (in-addr-servers.arpa, NSEC) failed verification : Signature failed to cryptographically verify, tag = 12033
> 3: RRSet (A.in-addr-servers.arpa, NSEC) failed verification : Signature failed to cryptographically verify, tag = 12033
> 3: RRSet (B.in-addr-servers.arpa, NSEC) failed verification : Signature failed to cryptographically verify, tag = 12033
> 3: RRSet (C.in-addr-servers.arpa, NSEC) failed verification : Signature failed to cryptographically verify, tag = 12033
> 3: RRSet (D.in-addr-servers.arpa, NSEC) failed verification : Signature failed to cryptographically verify, tag = 12033
> 3: RRSet (E.in-addr-servers.arpa, NSEC) failed verification : Signature failed to cryptographically verify, tag = 12033
> 6: Finished auditing in-addr-servers.arpa zone
> Auditor found errors - check log for details

I guess the actual signed zone might be useful too... 

; Signed on 2010-03-18 06:25:09
in-addr-servers.arpa.	3600	IN	SOA	A.in-addr-servers.arpa. NSTLD.IANA.ORG. 2010030200 14400 7200 1209600 3600
in-addr-servers.arpa.	86400	IN	NS	A.in-addr-servers.arpa.
in-addr-servers.arpa.	86400	IN	NS	B.in-addr-servers.arpa.
in-addr-servers.arpa.	86400	IN	NS	C.in-addr-servers.arpa.
in-addr-servers.arpa.	86400	IN	NS	D.in-addr-servers.arpa.
in-addr-servers.arpa.	86400	IN	NS	E.in-addr-servers.arpa.
in-addr-servers.arpa.	86400	IN	NS	F.in-addr-servers.arpa.
in-addr-servers.arpa.	86400	IN	RRSIG	NS 8 2 86400 20100325135719 20100318052509 12033 in-addr-servers.arpa. Iux3rnwneP6/sp7LYx/ZR2zRtfO48/XeLqH7EcPL+1OSWi4EVpK+oq8FABQLPsEhFOTWOdDgT9l8aG/7VIEORdFQQ80AA3dSVwpH4RlxNSRH29EcXzAv3W2/9YaQgcPYIBoDjdfTfbMYieCd6VQFDoYgbwYdm1wgAqq1MRxCaeg= ;{id = 12033}
in-addr-servers.arpa.	3600	IN	RRSIG	SOA 8 2 3600 20100325063016 20100318052509 12033 in-addr-servers.arpa. ldpBmPT4hab5jNh2jplgt8YEDYDbqhaQMm+cIYkqZ2ackdBIBqzuEJGydzpNPS6qlruT87GzOc68uXaCun8klxEULexfKgr0cQuEBPSMa5SY+OkvMNBkus1jsSPl/Pkf1N41Bwy7iiLegZ1qkgv4rqe/COV5k5NJWO3LMFtBAFY= ;{id = 12033}
in-addr-servers.arpa.	3600	IN	DNSKEY	256 3 8 AwEAAcoEdjN6PM57REYLqLCBNfjCbQQU8pSNOz/kRwP75YQzidnaQpCO4+rjOYSAPH5lAjtT+AxuUB33DkOhQHPDSO87JLt1pm65eNNsz10COEExfuokM98qiURN76kv3N1n/gRG2693tpkmVdvSTRCbReyq6BlzKuYABGLD3V3MUB4j ;{id = 12033 (zsk), size = 1024b}
in-addr-servers.arpa.	3600	IN	DNSKEY	257 3 8 AwEAAaf95qReb780qmQNvQj6LXJPbMxqa+xOp4/lheES6cBbwWl0lnAt7ygiCrzdlI0aZO6twYogU/4PppLk8VOZzN4oav/ftgkkiJxpizsrRn4H/raRyEHeoTwDaoz2rk5mlTpdsmg715mJi3v24vzbze9sQcTvBWjt2GhlFkqJ9CZgezI3X/keuRNCk5IaTgkLl/4pyqXlAAJnoEOnkBOyiXsFJF0DijLuNvlgKxHr71VD9bAVVT789iuIOPGZUF5hVC9ZDKqY3jtSKL30IkSc/MXRLYfyV0qtNO2l16aQsGRZRsZyY75QN3IxSxd7LZ6Wg66uWTgXfiBSwgH1v/lF8Ss= ;{id = 18166 (ksk), size = 2048b}
in-addr-servers.arpa.	3600	IN	RRSIG	DNSKEY 8 2 3600 20100325082714 20100318052509 18166 in-addr-servers.arpa. Fn3+4AuPVvZ0YSJfPLqrEEpSF7LiAxBz0IRKqxz+ndsHnW9kBTFMQMDonXJz+v2XOEDhJ+rnNCgw0TaarpUbn3l6Axkgkvn4iQ90RxXuXHisv0Cz/1CMnfTe/cjBnQm3LfivhDpXNBP960Csvw6hbKUtge/vMYXKhJrsL/5GQjHfNYqv5Tz4aClg6qfuf9Horj37JPe75Fxon52bmkq2kNzu0vTNbE87mAfiSvyNQ8tlvqy9WkwSjlqErGMMYoaGau1R0zCdkSQqB0b3g79nQgAV255GLsgXCW5XLWFl7G3CUUraY48/9CfEyRsv8AHvor8XnfryzGfQhopKhmmH/w== ;{id = 18166}
in-addr-servers.arpa.	3600	IN	NSEC	A.in-addr-servers.arpa. NS SOA RRSIG NSEC DNSKEY 
in-addr-servers.arpa.	3600	IN	RRSIG	NSEC 8 2 3600 20100325092647 20100318052509 12033 in-addr-servers.arpa. gy601omxi1hzA4VoM5/RkZk1a41lOUXO/fQdti9agswtNO3Yrsj3gKumJFQqkIjZ034KV2IKUovTor/b0Ykdys/d3oVkfuibexyIiqKnTjpq47pc5FbJxHsUI+GrEem2IwaVmbwbsyzM0NhmnS46FzXXdM+WmYItdpaMDXxiuVo= ;{id = 12033}
A.in-addr-servers.arpa.	86400	IN	A	199.212.0.73
a.in-addr-servers.arpa.	86400	IN	RRSIG	A 8 3 86400 20100325142223 20100318052509 12033 in-addr-servers.arpa. B4beAtbuBzPGDl1HQr/qEID8ecd6NnKzhy/sImbcUjGGNe21tN/UHNWYxYCHUvaFP+ehj2pSUyQioP4dElde4QLANnLX4zvONZMLJgXdnstm1EAjGTfxPAhj5BM9HC3BhQQdFWKjiCZVM0SkHIvoYUzT+BwzhJ5Y02krKbEjNiU= ;{id = 12033}
A.in-addr-servers.arpa.	86400	IN	AAAA	2001:500:13::73
a.in-addr-servers.arpa.	86400	IN	RRSIG	AAAA 8 3 86400 20100325132017 20100318052509 12033 in-addr-servers.arpa. GZT2D07/v1PUWvNVjH0byhVhiO+SVmJ0tYGKD0AWyVgfG+ML+OqV6snoeXvjtQ5sPBR0OoUKF//Nd6n8huoNTd3UtAESqn9RXgVu7tlDesOVx+ux+QcnM8CbH9CpSHxyLFZjD1UglQCBLOpb7qVExb9tb4qTyLEOCBWeZJ0xaXc= ;{id = 12033}
A.in-addr-servers.arpa.	3600	IN	NSEC	B.in-addr-servers.arpa. A AAAA RRSIG NSEC 
a.in-addr-servers.arpa.	3600	IN	RRSIG	NSEC 8 3 3600 20100325135400 20100318052509 12033 in-addr-servers.arpa. NlADvttd0P7nt1/r9d5eji1SJge6/58EBeuma7yfKdtRj3pJpVKEj0Tx5tgZ/2fu87ideKUliyfjvz03Cwkt4QRuAtuGIVLdKZmImkDethhVWyYRcffPmy+WLuUqS6p4AaGkpsrhdD4SkSfba0j4M/S6mINFgL+m0/tSRr2OojQ= ;{id = 12033}
B.in-addr-servers.arpa.	86400	IN	A	199.253.183.183
b.in-addr-servers.arpa.	86400	IN	RRSIG	A 8 3 86400 20100325071623 20100318052509 12033 in-addr-servers.arpa. KN+yNhTsfxEkGwzNLKPnnB95EhhCCAPAhjYxU7oUv3xoytK5ctrlCRbCHUhhphM+sOyibI5ubl1ccyJFSX4RUPBtoxLk3LJD21nsF7uy68ZedtoArJuFG/OBkXW649gqF060l3H8M9N/EC4XR6CKOIZKRYl635cSjt9PL8iAPQY= ;{id = 12033}
B.in-addr-servers.arpa.	86400	IN	AAAA	2001:500:87::87
b.in-addr-servers.arpa.	86400	IN	RRSIG	AAAA 8 3 86400 20100325115141 20100318052509 12033 in-addr-servers.arpa. YLT5dcoMxNCvXp+Yi82dYMJuZ25jwVFQaDao/iRyzAH3tl4RKMEyw+NLkKCJmp3qRFxhVIeU035VeH4MgMjI49DnYEMzk0BsmTN9aW8LOHUON/I4G7mk5Y+tIArlP3i4ffYbYZenOItMuqpAfdVMDbFeC++z447xMdq2wKNJXAk= ;{id = 12033}
B.in-addr-servers.arpa.	3600	IN	NSEC	C.in-addr-servers.arpa. A AAAA RRSIG NSEC 
b.in-addr-servers.arpa.	3600	IN	RRSIG	NSEC 8 3 3600 20100325113758 20100318052509 12033 in-addr-servers.arpa. uy5aUIhq3eKc24gcoyBoLYaR6kKtG957zpR0G2pf1XPCO2ESzwdIkXK0/XeUkRMmPRnKfGOhwNYIBK26kX3PYxaIPsDZVc5ZAC3uc/+EpCosMn3FJQQDiNx/gznEQZk0JRxTUMMMucCNW2HVU18NVtTQhT0MaAsLyG8OduWuMCI= ;{id = 12033}
C.in-addr-servers.arpa.	86400	IN	A	196.216.169.10
c.in-addr-servers.arpa.	86400	IN	RRSIG	A 8 3 86400 20100325124733 20100318052509 12033 in-addr-servers.arpa. p+xb7kqkDSNmRCo5NyscLbi5E+toYdg52EY7HiIA8Bo+sC4cw5wVdgE4ietYBlWdq8bgrACdFGAqsS0eevNUKMyXuy9MQCDHK5rjc0oAt4jhLnrbPNFloBBrGJ72a8VLMnwRDPkV3guRsPmjZ8sTaEWGrNtKXR3hnxNaTGWQgRU= ;{id = 12033}
C.in-addr-servers.arpa.	86400	IN	AAAA	2001:43f8:110::10
c.in-addr-servers.arpa.	86400	IN	RRSIG	AAAA 8 3 86400 20100325073915 20100318052509 12033 in-addr-servers.arpa. p0Tt9YyMMsLxFaaXhEq8zsdOuHsmXvW7VOKxFIxHGWDXjHoB4A4vBYiAiifpjHaHGAScoV8/m7ZzijdiI3ZNnLHgNsjbcbnSODRFCWd30QDTS2YzPYNe7Raw/sLPoCRAG6iW7xBBKxXm0Bw8SXDh4SLjWe8LAm8/cyZX3wXm3xk= ;{id = 12033}
C.in-addr-servers.arpa.	3600	IN	NSEC	D.in-addr-servers.arpa. A AAAA RRSIG NSEC 
c.in-addr-servers.arpa.	3600	IN	RRSIG	NSEC 8 3 3600 20100325141402 20100318052509 12033 in-addr-servers.arpa. cbHylssg830Z0MbGTN4ErdZjG7A8fZj+VcaaWj03d1zTzn0MkZb6OYe88YZLR3rd2qhUN17YECQ3bQsVOgsmr5SqJ8aIpDLdnUD/Hri5jLfA+FRJSOP4VBBH2taVqpEnGIn6ejfk5EPXspyJexINMqTFoGGr+M/ivgajaLuVGpQ= ;{id = 12033}
D.in-addr-servers.arpa.	86400	IN	A	200.3.13.10
d.in-addr-servers.arpa.	86400	IN	RRSIG	A 8 3 86400 20100325100855 20100318052509 12033 in-addr-servers.arpa. r3ObQtxmQHSsGXzA/OHXHyyyP0jHT99cPrHFEL0V1f91y043kzaVt7Rt8/QfrxqFCma4w8HGOLdphr7iJhNbuIz0ryoEELRazoRGHA80jT8UCfGiA6STLoZprrn6PNzTlDDywWu3Udp9ROgwLC0kLMbF9dfu3T/IlVaGlOw0bEE= ;{id = 12033}
D.in-addr-servers.arpa.	86400	IN	AAAA	2001:13c7:7002:3000::10
d.in-addr-servers.arpa.	86400	IN	RRSIG	AAAA 8 3 86400 20100325154648 20100318052509 12033 in-addr-servers.arpa. OIEHPaE7ukLEClwdoofQ/jOvL5BghPBkHTDtrnDeqHj2G8rR8/Shkqaf06wt37gWAdWHISzbnUO+13d74Yg7Wgr1YYDpB057uRX7JKcZwszTFEQnIc4reagcvXbrC0lYvENSbennS02DqK2k78O8lWYKEP1Row/069hKc6yt33k= ;{id = 12033}
D.in-addr-servers.arpa.	3600	IN	NSEC	E.in-addr-servers.arpa. A AAAA RRSIG NSEC 
d.in-addr-servers.arpa.	3600	IN	RRSIG	NSEC 8 3 3600 20100325150853 20100318052509 12033 in-addr-servers.arpa. V7GOz1tywjSsBqhSNr7jb4Z/0y7ei1ywL6XAjXmRn4eZ3enTjoeOHOhD3F0GKLpPobmxY63PgaQr+tC/LGQRiRS7z7tOPYOjd+Zt8fK3jKNPsxw/u/m8E323aL8wqzowgVlgWxFL+2WEJGIZWD7UF5XAaceIYguVHc6p/27b44Q= ;{id = 12033}
E.in-addr-servers.arpa.	86400	IN	A	202.12.28.140
e.in-addr-servers.arpa.	86400	IN	RRSIG	A 8 3 86400 20100325101329 20100318052509 12033 in-addr-servers.arpa. VsgJc0tCso+PMBRszb1OmDe/OZaPb3lRhlvW/HkhMHf8HIvj1nbRSG0zR9GtSldj3p9dcTOBH6ZX+aueHgfC5qe10c3tUVuiDU7+THkafaF5KqfTHKlqyWl8wQyeazQAp/ttbf2eF1GCMsNOenZVlmSW6hbMoUb6mr6CaUnH7LE= ;{id = 12033}
E.in-addr-servers.arpa.	86400	IN	AAAA	2001:dc0:1:0:4777::140
e.in-addr-servers.arpa.	86400	IN	RRSIG	AAAA 8 3 86400 20100325063428 20100318052509 12033 in-addr-servers.arpa. pZtPJgsun+OdaZGRSnZ/aQfUEWnHd6+oqxvOaxMfyljQZfgJttEF51vM5ph9bgQIHW77QmHQ6hXLup0jEht+FS2CTJ7PSC4bP1OwNA2cCDZI6hqZw4+473id/Ktl7HLSEXsAq0VfjdxmYnFKRoEBOicc73EE0e9Ifogmw7eHVGo= ;{id = 12033}
E.in-addr-servers.arpa.	3600	IN	NSEC	F.in-addr-servers.arpa. A AAAA RRSIG NSEC 
e.in-addr-servers.arpa.	3600	IN	RRSIG	NSEC 8 3 3600 20100325092628 20100318052509 12033 in-addr-servers.arpa. se8AGHifEdxgGgk89c7b+ev1DQhj4ZU/oY/FVxJAS8VmLAkGHE6abAmqAAopXpqyMaEW4c74oPobO27rf+LhZ1ArlY5cVaC3aHi5AzPhuBWpviy5yRx7nm/fbnWHvv4Zh94Va80uitl8IyZadSQGCiTxmAR8GpaU0F+rnIDY/a4= ;{id = 12033}
F.in-addr-servers.arpa.	86400	IN	A	193.0.0.196
f.in-addr-servers.arpa.	86400	IN	RRSIG	A 8 3 86400 20100325131522 20100318052509 12033 in-addr-servers.arpa. fOjbRE0vzyuX96173IPm/bTXd6GplY5CPH8aLJNxOjvBId+SiKO3rKIqrC+7oFjV/A/qP8xFsXpUJkrRFZUoxWlnANJlDJs32vcKBrqHW3uOrN4UJRkd4UaLFcC4bmJkEKDq8IqPqsHlhaJka39V7DXWqYVFlRBTpkRoEadesmQ= ;{id = 12033}
F.in-addr-servers.arpa.	86400	IN	AAAA	2001:610:240:0:53::4
f.in-addr-servers.arpa.	86400	IN	RRSIG	AAAA 8 3 86400 20100325123744 20100318052509 12033 in-addr-servers.arpa. rbIPju4Gwh6UT3V5o7QSeyjpSmJrsdcLgqogFqGVovkJX4KhRP1XcTSJHQmrG3WApoS/av35lZlioT3LzUHk1GfpAoifkAgLXh+t68qbAqytbp69EZB7d5ibk+fxAFQzfmov9MRAtaf1MkiNNPHBR1WSPCrFvC3+6UuFYY3VThE= ;{id = 12033}
F.in-addr-servers.arpa.	3600	IN	NSEC	in-addr-servers.arpa. A AAAA RRSIG NSEC 
f.in-addr-servers.arpa.	3600	IN	RRSIG	NSEC 8 3 3600 20100325150211 20100318052509 12033 in-addr-servers.arpa. QooinmZM1h/eDyKBvK/dTB4OS4OPBmwibnXso3SBK5d5YPKwevjdrHlK0EvAynJ3l2SVqYFAwnAXIzMyCJJ3R8kODA2b5r7VqAUepQXC3WzkdxPL9Shwhvg4fpncrSmmLDBuxtSrIa46SPusbeVbZojKeo9x/pZk/Zf+fnb++5A= ;{id = 12033}
; Last refresh stats: existing: 0, removed 0, created 21
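
One way to cross-check the auditor output against the signed zone, as an added example that is not part of the original post or of OpenDNSSEC: it pairs each failed NSEC RRSet with the letter case of that record's next-name field. The sample lines are abridged from the post (signatures and some records left out) and the function names are hypothetical.

```python
import re

# Constructed sample: auditor lines and NSEC records abridged from the post above.
AUDITOR_LOG = """\
6: Auditing in-addr-servers.arpa zone : NSEC SIGNED
3: RRSet (in-addr-servers.arpa, NSEC) failed verification : Signature failed to cryptographically verify, tag = 12033
3: RRSet (A.in-addr-servers.arpa, NSEC) failed verification : Signature failed to cryptographically verify, tag = 12033
3: RRSet (E.in-addr-servers.arpa, NSEC) failed verification : Signature failed to cryptographically verify, tag = 12033
6: Finished auditing in-addr-servers.arpa zone
"""
SIGNED_NSEC = """\
in-addr-servers.arpa.   3600 IN NSEC A.in-addr-servers.arpa. NS SOA RRSIG NSEC DNSKEY
A.in-addr-servers.arpa. 3600 IN NSEC B.in-addr-servers.arpa. A AAAA RRSIG NSEC
E.in-addr-servers.arpa. 3600 IN NSEC F.in-addr-servers.arpa. A AAAA RRSIG NSEC
F.in-addr-servers.arpa. 3600 IN NSEC in-addr-servers.arpa. A AAAA RRSIG NSEC
"""

FAIL_RE = re.compile(r"RRSet \((\S+), (\w+)\) failed verification")

def parse_failures(log):
    """Return {(owner_lowercased, rrtype)} for every failed RRSet in the log."""
    failed = set()
    for line in log.splitlines():
        m = FAIL_RE.search(line)
        if m:
            failed.add((m.group(1).rstrip(".").lower(), m.group(2)))
    return failed

def nsec_next_names(zone):
    """Map each NSEC owner (lowercased) to its next-name field as written."""
    nxt = {}
    for line in zone.splitlines():
        f = line.split()
        if len(f) >= 5 and f[2] == "IN" and f[3] == "NSEC":
            nxt[f[0].rstrip(".").lower()] = f[4]
    return nxt

def correlate(log, zone):
    """Return (owner, failed, next_name_has_uppercase) for each NSEC record."""
    failed = parse_failures(log)
    return [(owner, (owner, "NSEC") in failed, name != name.lower())
            for owner, name in sorted(nsec_next_names(zone).items())]

if __name__ == "__main__":
    for owner, failed, upper in correlate(AUDITOR_LOG, SIGNED_NSEC):
        print(f"{owner:26} failed={failed!s:5} uppercase_next={upper}")
```

Run over the full paste, the one NSEC the auditor does not flag (F's) is also the only one whose next name is written entirely in lowercase. That points at how the signer and the auditor treat the case of that field when building the canonical form (RFC 4034, section 6.2) as the first thing to compare.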



