[Opendnssec-user] Auditor failing to verify signatures which appear to be ok
Dave Knight
dave at knig.ht
Thu Mar 18 15:46:20 UTC 2010
On 2010-03-18, at 7:12 AM, Alexd at nominet.org.uk wrote:
> Hi Dave -
>
> > > ...it is signed just fine, but I get the following from the Auditor
>
> I can sign and audit this zone just fine using OpenDNSSEC trunk. What version are you using?
1.0.0
> I'll check the signatures that you have sent in the signed zone, using something other than ldns (which was used to create them).
I've loaded the zone in BIND 9.6.1-P1 and pointed a BIND 9.6.2 validator at it, it validates fine. I did a walkthrough and validated every rr in the zone...
for rr in `cat in-addr-servers.arpa`
do
oname=`echo $rr | awk '{print $1}'`
type=`echo $rr | awk '{print $4}'`
dig @localhost +noall +cmd +comment +dnssec $type $oname | egrep 'DiG|HEADER|\;\ flags'
echo
done
; <<>> DiG 9.6.0-APPLE-P2 <<>> @localhost +noall +cmd +comment +dnssec SOA in-addr-servers.arpa.
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3595
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 25
; <<>> DiG 9.6.0-APPLE-P2 <<>> @localhost +noall +cmd +comment +dnssec A A.in-addr-servers.arpa.
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16017
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 23
; <<>> DiG 9.6.0-APPLE-P2 <<>> @localhost +noall +cmd +comment +dnssec AAAA A.in-addr-servers.arpa.
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49727
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 23
; <<>> DiG 9.6.0-APPLE-P2 <<>> @localhost +noall +cmd +comment +dnssec A B.in-addr-servers.arpa.
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33637
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 23
; <<>> DiG 9.6.0-APPLE-P2 <<>> @localhost +noall +cmd +comment +dnssec AAAA B.in-addr-servers.arpa.
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45922
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 23
; <<>> DiG 9.6.0-APPLE-P2 <<>> @localhost +noall +cmd +comment +dnssec A C.in-addr-servers.arpa.
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61538
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 23
; <<>> DiG 9.6.0-APPLE-P2 <<>> @localhost +noall +cmd +comment +dnssec AAAA C.in-addr-servers.arpa.
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6186
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 23
; <<>> DiG 9.6.0-APPLE-P2 <<>> @localhost +noall +cmd +comment +dnssec A D.in-addr-servers.arpa.
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51800
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 23
; <<>> DiG 9.6.0-APPLE-P2 <<>> @localhost +noall +cmd +comment +dnssec AAAA D.in-addr-servers.arpa.
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38703
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 23
; <<>> DiG 9.6.0-APPLE-P2 <<>> @localhost +noall +cmd +comment +dnssec A E.in-addr-servers.arpa.
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41539
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 23
; <<>> DiG 9.6.0-APPLE-P2 <<>> @localhost +noall +cmd +comment +dnssec AAAA E.in-addr-servers.arpa.
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45561
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 23
; <<>> DiG 9.6.0-APPLE-P2 <<>> @localhost +noall +cmd +comment +dnssec A F.in-addr-servers.arpa.
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64185
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 23
; <<>> DiG 9.6.0-APPLE-P2 <<>> @localhost +noall +cmd +comment +dnssec AAAA F.in-addr-servers.arpa.
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26976
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 23
; <<>> DiG 9.6.0-APPLE-P2 <<>> @localhost +noall +cmd +comment +dnssec NS in-addr-servers.arpa.
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5214
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 25
; <<>> DiG 9.6.0-APPLE-P2 <<>> @localhost +noall +cmd +comment +dnssec NS in-addr-servers.arpa.
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59338
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 25
; <<>> DiG 9.6.0-APPLE-P2 <<>> @localhost +noall +cmd +comment +dnssec NS in-addr-servers.arpa.
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31865
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 25
; <<>> DiG 9.6.0-APPLE-P2 <<>> @localhost +noall +cmd +comment +dnssec NS in-addr-servers.arpa.
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7652
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 25
; <<>> DiG 9.6.0-APPLE-P2 <<>> @localhost +noall +cmd +comment +dnssec NS in-addr-servers.arpa.
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46122
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 25
; <<>> DiG 9.6.0-APPLE-P2 <<>> @localhost +noall +cmd +comment +dnssec NS in-addr-servers.arpa.
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22643
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 25
I have to imagine that I am hitting a bug in the Auditor.
dave
More information about the Opendnssec-user
mailing list