[Opendnssec-user] Auditor failing to verify signatures which appear to be ok

Dave Knight dave.knight at icann.org
Thu Mar 18 06:20:35 UTC 2010


I have a policy configured for zones to be signed with NSEC and SHA256, I am signing some zones with this, it works fine. 

I add this zone...

in-addr-servers.arpa.	86400	IN	SOA	A.in-addr-servers.arpa. NSTLD.IANA.ORG. 2010030200 14400 7200 1209600 86400
A.in-addr-servers.arpa.	86400	IN	A	199.212.0.73
A.in-addr-servers.arpa.	86400	IN	AAAA	2001:500:13::73
B.in-addr-servers.arpa.	86400	IN	A	199.253.183.183
B.in-addr-servers.arpa.	86400	IN	AAAA	2001:500:87::87
C.in-addr-servers.arpa.	86400	IN	A	196.216.169.10
C.in-addr-servers.arpa.	86400	IN	AAAA	2001:43f8:110::10
D.in-addr-servers.arpa.	86400	IN	A	200.3.13.10
D.in-addr-servers.arpa.	86400	IN	AAAA	2001:13c7:7002:3000::10
E.in-addr-servers.arpa.	86400	IN	A	202.12.28.140
E.in-addr-servers.arpa.	86400	IN	AAAA	2001:dc0:1:0:4777::140
F.in-addr-servers.arpa.	86400	IN	A	193.0.0.196
F.in-addr-servers.arpa.	86400	IN	AAAA	2001:610:240:0:53::4
in-addr-servers.arpa.	86400	IN	NS	A.in-addr-servers.arpa.
in-addr-servers.arpa.	86400	IN	NS	B.in-addr-servers.arpa.
in-addr-servers.arpa.	86400	IN	NS	C.in-addr-servers.arpa.
in-addr-servers.arpa.	86400	IN	NS	D.in-addr-servers.arpa.
in-addr-servers.arpa.	86400	IN	NS	E.in-addr-servers.arpa.
in-addr-servers.arpa.	86400	IN	NS	F.in-addr-servers.arpa.

...it is signed just fine, but I get the following from the Auditor

# bin/ods-auditor --zone in-addr-servers.arpa --signed var/opendnssec/tmp/in-addr-servers.arpa.finalized 
Auditor started
Auditor starting on in-addr-servers.arpa
6: Auditing in-addr-servers.arpa zone : NSEC SIGNED
3: RRSet (in-addr-servers.arpa, NSEC) failed verification : Signature failed to cryptographically verify, tag = 12033
3: RRSet (A.in-addr-servers.arpa, NSEC) failed verification : Signature failed to cryptographically verify, tag = 12033
3: RRSet (B.in-addr-servers.arpa, NSEC) failed verification : Signature failed to cryptographically verify, tag = 12033
3: RRSet (C.in-addr-servers.arpa, NSEC) failed verification : Signature failed to cryptographically verify, tag = 12033
3: RRSet (D.in-addr-servers.arpa, NSEC) failed verification : Signature failed to cryptographically verify, tag = 12033
3: RRSet (E.in-addr-servers.arpa, NSEC) failed verification : Signature failed to cryptographically verify, tag = 12033
6: Finished auditing in-addr-servers.arpa zone
Auditor found errors - check log for details

So far as I can tell there is nothing actually wrong with the signatures

# src/ldns-1.6.4/examples/ldns-verify-zone var/opendnssec/tmp/in-addr-servers.arpa.finalized 
Checking: in-addr-servers.arpa.
Checking: A.in-addr-servers.arpa.
Checking: B.in-addr-servers.arpa.
Checking: C.in-addr-servers.arpa.
Checking: D.in-addr-servers.arpa.
Checking: E.in-addr-servers.arpa.
Checking: F.in-addr-servers.arpa.
Zone is verified and complete

I am not sure what's different about this zone, compared to the others being signed under this policy which the auditor has no problem with.

Any clues ?

Thanks!
dave


More information about the Opendnssec-user mailing list