[Opendnssec-user] Auditor failing to verify signatures which appear to be ok
Dave Knight
dave.knight at icann.org
Thu Mar 18 06:20:35 UTC 2010
I have a policy configured for zones to be signed with NSEC and SHA256; I am signing some zones with it, and it works fine.
I add this zone...
in-addr-servers.arpa. 86400 IN SOA A.in-addr-servers.arpa. NSTLD.IANA.ORG. 2010030200 14400 7200 1209600 86400
A.in-addr-servers.arpa. 86400 IN A 199.212.0.73
A.in-addr-servers.arpa. 86400 IN AAAA 2001:500:13::73
B.in-addr-servers.arpa. 86400 IN A 199.253.183.183
B.in-addr-servers.arpa. 86400 IN AAAA 2001:500:87::87
C.in-addr-servers.arpa. 86400 IN A 196.216.169.10
C.in-addr-servers.arpa. 86400 IN AAAA 2001:43f8:110::10
D.in-addr-servers.arpa. 86400 IN A 200.3.13.10
D.in-addr-servers.arpa. 86400 IN AAAA 2001:13c7:7002:3000::10
E.in-addr-servers.arpa. 86400 IN A 202.12.28.140
E.in-addr-servers.arpa. 86400 IN AAAA 2001:dc0:1:0:4777::140
F.in-addr-servers.arpa. 86400 IN A 193.0.0.196
F.in-addr-servers.arpa. 86400 IN AAAA 2001:610:240:0:53::4
in-addr-servers.arpa. 86400 IN NS A.in-addr-servers.arpa.
in-addr-servers.arpa. 86400 IN NS B.in-addr-servers.arpa.
in-addr-servers.arpa. 86400 IN NS C.in-addr-servers.arpa.
in-addr-servers.arpa. 86400 IN NS D.in-addr-servers.arpa.
in-addr-servers.arpa. 86400 IN NS E.in-addr-servers.arpa.
in-addr-servers.arpa. 86400 IN NS F.in-addr-servers.arpa.
...it is signed just fine, but I get the following from the Auditor
# bin/ods-auditor --zone in-addr-servers.arpa --signed var/opendnssec/tmp/in-addr-servers.arpa.finalized
Auditor started
Auditor starting on in-addr-servers.arpa
6: Auditing in-addr-servers.arpa zone : NSEC SIGNED
3: RRSet (in-addr-servers.arpa, NSEC) failed verification : Signature failed to cryptographically verify, tag = 12033
3: RRSet (A.in-addr-servers.arpa, NSEC) failed verification : Signature failed to cryptographically verify, tag = 12033
3: RRSet (B.in-addr-servers.arpa, NSEC) failed verification : Signature failed to cryptographically verify, tag = 12033
3: RRSet (C.in-addr-servers.arpa, NSEC) failed verification : Signature failed to cryptographically verify, tag = 12033
3: RRSet (D.in-addr-servers.arpa, NSEC) failed verification : Signature failed to cryptographically verify, tag = 12033
3: RRSet (E.in-addr-servers.arpa, NSEC) failed verification : Signature failed to cryptographically verify, tag = 12033
6: Finished auditing in-addr-servers.arpa zone
Auditor found errors - check log for details
So far as I can tell there is nothing actually wrong with the signatures
# src/ldns-1.6.4/examples/ldns-verify-zone var/opendnssec/tmp/in-addr-servers.arpa.finalized
Checking: in-addr-servers.arpa.
Checking: A.in-addr-servers.arpa.
Checking: B.in-addr-servers.arpa.
Checking: C.in-addr-servers.arpa.
Checking: D.in-addr-servers.arpa.
Checking: E.in-addr-servers.arpa.
Checking: F.in-addr-servers.arpa.
Zone is verified and complete
I am not sure what's different about this zone compared to the others being signed under this policy, which the auditor has no problem with.
Any clues?
Thanks!
dave
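When one verifier accepts a signature and another rejects it, the thing worth comparing is the exact octets each tool hashes before the signature check. RFC 4034 section 3.1.8.1 defines them as the RRSIG RDATA with the Signature field removed, followed by every RR of the RRset in canonical form: owner name fully expanded and lowercased, original TTL, RRs sorted by RDATA as unsigned octet strings. The Python below is an added example, not part of the post above and not OpenDNSSEC or ldns code; it builds those octets for the NSEC RRsets of the posted zone. The NSEC chain and type bitmaps are derived from the records shown above (a real signed zone also carries DNSKEY at the apex, which the posted data does not include); the RRSIG algorithm and validity times are assumed placeholders because the post does not show them, and key tag 12033 is taken from the auditor log.

```python
"""RFC 4034 canonical signing input for the NSEC RRsets of the posted zone.

Added example (not from the post). Owner names and TTLs come from the zone
above; RRSIG algorithm and times are assumed. Standard library only.
"""
import struct

TYPE_NUMBERS = {"A": 1, "NS": 2, "SOA": 6, "AAAA": 28,
                "RRSIG": 46, "NSEC": 47, "DNSKEY": 48}
TTL = 86400  # every record in the posted zone uses this TTL

# Constructed from the posted zone: which types exist at each owner name.
# A signed zone would also carry DNSKEY at the apex; it is not in the posted data.
ZONE_TYPES = {
    "in-addr-servers.arpa.": {"SOA", "NS"},
    "A.in-addr-servers.arpa.": {"A", "AAAA"},
    "B.in-addr-servers.arpa.": {"A", "AAAA"},
    "C.in-addr-servers.arpa.": {"A", "AAAA"},
    "D.in-addr-servers.arpa.": {"A", "AAAA"},
    "E.in-addr-servers.arpa.": {"A", "AAAA"},
    "F.in-addr-servers.arpa.": {"A", "AAAA"},
}


def labels(name):
    """Labels of a fully qualified name, root label excluded."""
    return [lab for lab in name.rstrip(".").split(".") if lab]


def canonical_name_key(name):
    """RFC 4034 6.1 ordering: compare labels from the root down as lowercase
    octet strings; a name sorts before its own subdomains."""
    return [lab.lower().encode("ascii") for lab in reversed(labels(name))]


def name_to_wire(name):
    """Uncompressed wire form with every label lowercased (RFC 4034 6.2)."""
    out = b""
    for lab in labels(name):
        raw = lab.lower().encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def type_bitmap(types):
    """NSEC type bit maps (RFC 4034 4.1.2): one window per 256 types,
    high-order bit first, trailing zero octets trimmed."""
    windows = {}
    for t in types:
        window, offset = divmod(TYPE_NUMBERS[t], 256)
        bm = windows.setdefault(window, bytearray(32))
        bm[offset // 8] |= 0x80 >> (offset % 8)
    out = b""
    for window in sorted(windows):
        bm = windows[window]
        length = len(bm)
        while length and bm[length - 1] == 0:
            length -= 1
        out += bytes([window, length]) + bytes(bm[:length])
    return out


def nsec_chain(zone_types):
    """NSEC RDATA per owner: next name in canonical order (wrapping to the
    apex) plus the bitmap of types at the owner, NSEC and RRSIG included."""
    names = sorted(zone_types, key=canonical_name_key)
    chain = {}
    for i, name in enumerate(names):
        nxt = names[(i + 1) % len(names)]
        present = set(zone_types[name]) | {"NSEC", "RRSIG"}
        chain[name] = name_to_wire(nxt) + type_bitmap(present)
    return chain


def canonical_rrset(owner, rtype, ttl, rdatas, rclass=1):
    """RR(1)..RR(n) of the signed data (RFC 4034 3.1.8.1): canonical owner,
    type, class, original TTL, RDLENGTH, RDATA; RRs sorted by RDATA (6.3)."""
    out = b""
    for rdata in sorted(rdatas):
        out += name_to_wire(owner)
        out += struct.pack("!HHIH", TYPE_NUMBERS[rtype], rclass, ttl, len(rdata))
        out += rdata
    return out


def rrsig_rdata_prefix(rtype, labels_count, orig_ttl, expiration, inception,
                       key_tag, signer, algorithm):
    """RRSIG RDATA without the Signature field (RFC 4034 3.1.8.1)."""
    return struct.pack("!HBBIIIH", TYPE_NUMBERS[rtype], algorithm, labels_count,
                       orig_ttl, expiration, inception, key_tag) + name_to_wire(signer)


def nsec_signing_input(owner, rrsig_params):
    """Exact octets a verifier hashes for the NSEC RRset at `owner`;
    lookup is by canonical name so owner case does not matter."""
    chain = nsec_chain(ZONE_TYPES)
    rdata = next(r for n, r in chain.items() if name_to_wire(n) == name_to_wire(owner))
    prefix = rrsig_rdata_prefix("NSEC", len(labels(owner)), TTL, **rrsig_params)
    return prefix + canonical_rrset(owner, "NSEC", TTL, [rdata])


if __name__ == "__main__":
    # Assumed RRSIG parameters (algorithm 8 = RSA/SHA-256, arbitrary times);
    # key tag 12033 is the one named in the auditor log above.
    params = dict(expiration=0x4BC80000, inception=0x4BA00000,
                  key_tag=12033, signer="in-addr-servers.arpa.", algorithm=8)
    for owner in sorted(ZONE_TYPES, key=canonical_name_key):
        print(owner, nsec_signing_input(owner, params).hex())
```

Dumping this per owner name for each tool involved, or comparing it against a hexdump of what the signer actually hashed, pins down whether a disagreement is in canonicalisation (name case, RR ordering, NSEC next-name or bitmap encoding) or in the signature itself.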