[Opendnssec-user] Auditor failing to verify signatures which appear to be ok

Dave Knight dave at knig.ht
Thu Mar 18 15:46:20 UTC 2010


On 2010-03-18, at 7:12 AM, Alexd at nominet.org.uk wrote:

> Hi Dave - 
> 
> > > ...it is signed just fine, but I get the following from the Auditor
> 
> I can sign and audit this zone just fine using OpenDNSSEC trunk. What version are you using?

1.0.0


> I'll check the signatures that you have sent in the signed zone, using something other than ldns (which was used to create them). 

I've loaded the zone in BIND 9.6.1-P1 and pointed a BIND 9.6.2 validator at it; it validates fine. I did a walkthrough and validated every RR in the zone...

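# Read the zone file one record per line: owner, TTL, class, type, rdata.
# (A for loop over `cat` would split each record on every space.)
while read -r oname ttl class type rdata
do
   # Skip blank lines and comment lines
   case "$oname" in ''|\;*) continue ;; esac
   dig @localhost +noall +cmd +comment +dnssec "$type" "$oname" | grep -E 'DiG|HEADER|; flags'
   echo
done < in-addr-servers.arpa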

; <<>> DiG 9.6.0-APPLE-P2 <<>> @localhost +noall +cmd +comment +dnssec SOA in-addr-servers.arpa.
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3595
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 25

; <<>> DiG 9.6.0-APPLE-P2 <<>> @localhost +noall +cmd +comment +dnssec A A.in-addr-servers.arpa.
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16017
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 23

; <<>> DiG 9.6.0-APPLE-P2 <<>> @localhost +noall +cmd +comment +dnssec AAAA A.in-addr-servers.arpa.
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49727
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 23

; <<>> DiG 9.6.0-APPLE-P2 <<>> @localhost +noall +cmd +comment +dnssec A B.in-addr-servers.arpa.
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33637
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 23

; <<>> DiG 9.6.0-APPLE-P2 <<>> @localhost +noall +cmd +comment +dnssec AAAA B.in-addr-servers.arpa.
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45922
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 23

; <<>> DiG 9.6.0-APPLE-P2 <<>> @localhost +noall +cmd +comment +dnssec A C.in-addr-servers.arpa.
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61538
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 23

; <<>> DiG 9.6.0-APPLE-P2 <<>> @localhost +noall +cmd +comment +dnssec AAAA C.in-addr-servers.arpa.
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6186
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 23

; <<>> DiG 9.6.0-APPLE-P2 <<>> @localhost +noall +cmd +comment +dnssec A D.in-addr-servers.arpa.
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51800
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 23

; <<>> DiG 9.6.0-APPLE-P2 <<>> @localhost +noall +cmd +comment +dnssec AAAA D.in-addr-servers.arpa.
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38703
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 23

; <<>> DiG 9.6.0-APPLE-P2 <<>> @localhost +noall +cmd +comment +dnssec A E.in-addr-servers.arpa.
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41539
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 23

; <<>> DiG 9.6.0-APPLE-P2 <<>> @localhost +noall +cmd +comment +dnssec AAAA E.in-addr-servers.arpa.
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45561
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 23

; <<>> DiG 9.6.0-APPLE-P2 <<>> @localhost +noall +cmd +comment +dnssec A F.in-addr-servers.arpa.
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64185
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 23

; <<>> DiG 9.6.0-APPLE-P2 <<>> @localhost +noall +cmd +comment +dnssec AAAA F.in-addr-servers.arpa.
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26976
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 23

; <<>> DiG 9.6.0-APPLE-P2 <<>> @localhost +noall +cmd +comment +dnssec NS in-addr-servers.arpa.
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5214
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 25

; <<>> DiG 9.6.0-APPLE-P2 <<>> @localhost +noall +cmd +comment +dnssec NS in-addr-servers.arpa.
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59338
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 25

; <<>> DiG 9.6.0-APPLE-P2 <<>> @localhost +noall +cmd +comment +dnssec NS in-addr-servers.arpa.
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31865
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 25

; <<>> DiG 9.6.0-APPLE-P2 <<>> @localhost +noall +cmd +comment +dnssec NS in-addr-servers.arpa.
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7652
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 25

; <<>> DiG 9.6.0-APPLE-P2 <<>> @localhost +noall +cmd +comment +dnssec NS in-addr-servers.arpa.
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46122
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 25

; <<>> DiG 9.6.0-APPLE-P2 <<>> @localhost +noall +cmd +comment +dnssec NS in-addr-servers.arpa.
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22643
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 25


I have to imagine that I am hitting a bug in the Auditor.

dave
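
The walkthrough in the message above leaves the AD-flag check to the eye. As an added example (not part of the original post), this shell function reads the same `dig +noall +cmd +comment` output and prints one verdict per query; the function names, verdict labels and the two `.example` queries are assumptions made for illustration.

```shell
# check_ad: read `dig +noall +cmd +comment` output on stdin and print one
# verdict per query; exit status is non-zero if any query is not SECURE.
check_ad() {
    awk '
    # "; <<>> DiG ... +dnssec TYPE NAME": the last two fields are the query
    /^; <<>> DiG/ { qtype = $(NF-1); qname = $NF; next }
    # ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3595"
    /->>HEADER<<-/ {
        status = "UNKNOWN"
        for (i = 1; i < NF; i++)
            if ($i == "status:") { status = $(i+1); sub(/,$/, "", status) }
        next
    }
    # ";; flags: qr rd ra ad; QUERY: 1, ..." (AD = resolver validated the answer)
    /^;; flags:/ {
        flags = $0
        sub(/^;; flags: */, "", flags); sub(/;.*/, "", flags)
        ad = (index(" " flags " ", " ad ") > 0)
        if (status == "NOERROR" && ad) verdict = "SECURE"
        else if (status == "SERVFAIL") verdict = "BOGUS-OR-ERROR"
        else verdict = "NOT-VALIDATED"
        print verdict, qtype, qname
        if (verdict != "SECURE") bad++
    }
    END { exit (bad > 0) }
    '
}

# Constructed sample: the first query is copied from the output in the post;
# the other two are made-up cases (the .example names are placeholders).
sample_dig_output() {
    cat <<'EOF'
; <<>> DiG 9.6.0-APPLE-P2 <<>> @localhost +noall +cmd +comment +dnssec SOA in-addr-servers.arpa.
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3595
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 25

; <<>> DiG 9.6.0-APPLE-P2 <<>> @localhost +noall +cmd +comment +dnssec A unsigned.example.
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1111
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

; <<>> DiG 9.6.0-APPLE-P2 <<>> @localhost +noall +cmd +comment +dnssec A bogus.example.
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2222
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
EOF
}

sample_dig_output | check_ad || echo "at least one query did not validate"
```

A validating resolver answers SERVFAIL for data whose signatures do not verify, so a zone with bad RRSIGs shows up as BOGUS-OR-ERROR rather than as a missing AD bit.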

