[Opendnssec-user] Auditor failing to verify signatures which appear to be ok
Alexd at nominet.org.uk
Fri Mar 26 11:54:56 UTC 2010
Hi Dave -
Sorry for the delay in replying.
> ...it is signed just fine, but I get the following from the Auditor
>
> # bin/ods-auditor --zone in-addr-servers.arpa --signed var/opendnssec/tmp/in-addr-servers.arpa.finalized
> Auditor started
> Auditor starting on in-addr-servers.arpa
> 6: Auditing in-addr-servers.arpa zone : NSEC SIGNED
> 3: RRSet (in-addr-servers.arpa, NSEC) failed verification :
> Signature failed to cryptographically verify, tag = 12033
> 3: RRSet (A.in-addr-servers.arpa, NSEC) failed verification :
> Signature failed to cryptographically verify, tag = 12033
> 3: RRSet (B.in-addr-servers.arpa, NSEC) failed verification :
> Signature failed to cryptographically verify, tag = 12033
> 3: RRSet (C.in-addr-servers.arpa, NSEC) failed verification :
> Signature failed to cryptographically verify, tag = 12033
> 3: RRSet (D.in-addr-servers.arpa, NSEC) failed verification :
> Signature failed to cryptographically verify, tag = 12033
> 3: RRSet (E.in-addr-servers.arpa, NSEC) failed verification :
> Signature failed to cryptographically verify, tag = 12033
> 6: Finished auditing in-addr-servers.arpa zone
> Auditor found errors - check log for details
>
> So far as I can tell there is nothing actually wrong with the signatures
I think that the NSEC signatures are in fact incorrect (all the other
signatures are OK). If you look at the next_domain field in the rdata, you
will see e.g. "C.in-addr-servers.arpa". The signature has been generated
using this upper-case "C", in contravention of RFC4034 section 3.1.8.1:
    Any DNS names in the RDATA field of each RR MUST be in
    canonical form; and
So, the auditor has checked the signature associated with these records,
and found them incorrect as per RFC4034.
I'm not sure why the signer has included upper-case characters in the
signature calculation for the nsec rdata - if it's of any consolation, the
current trunk does not do this on my machine... I think Matthijs may be
looking into this.
HTH,
Alex.
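As an added illustration of the canonical-form point in the reply above (example code written for this note, not OpenDNSSEC's own; the RR type table and the sample names are assumed), this builds the RFC 4034 wire form of an NSEC RDATA both with and without lowercasing the next-domain name, so the byte difference the auditor objects to is visible directly:

```python
# Added example: RFC 4034 canonical NSEC RDATA versus the as-written form.
# Type code table is a constructed subset for this example.
RRTYPES = {"A": 1, "NS": 2, "SOA": 6, "RRSIG": 46, "NSEC": 47, "DNSKEY": 48}


def name_to_wire(name: str, canonical: bool = True) -> bytes:
    """Uncompressed wire-format name (RFC 1035 section 3.1).
    canonical=True lowercases labels as RFC 4034 section 6.2 requires for
    names inside NSEC RDATA; canonical=False keeps the case as written,
    which is the mistake described in the thread."""
    name = name.rstrip(".")
    if canonical:
        name = name.lower()
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 0 < len(raw) < 64:
                raise ValueError("label length out of range")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def type_bitmap(types) -> bytes:
    """NSEC Type Bit Maps field (RFC 4034 section 4.1.2)."""
    windows = {}
    for t in types:
        win, low = divmod(RRTYPES[t], 256)
        bitmap = windows.setdefault(win, bytearray(32))
        bitmap[low // 8] |= 0x80 >> (low % 8)
    out = b""
    for win in sorted(windows):
        bits = bytes(windows[win]).rstrip(b"\x00")
        out += bytes([win, len(bits)]) + bits
    return out


def nsec_rdata(next_name: str, types, canonical: bool = True) -> bytes:
    """NSEC RDATA = Next Domain Name + Type Bit Maps (RFC 4034 section 4.1)."""
    return name_to_wire(next_name, canonical) + type_bitmap(types)


def signed_forms_agree(next_name: str, types) -> bool:
    """True when the bytes a signer covers equal the canonical bytes a verifier
    reconstructs. Any upper-case character in next_name makes this False
    unless the signer canonicalizes first, which is exactly the auditor's
    complaint for the C.in-addr-servers.arpa NSEC record."""
    return nsec_rdata(next_name, types, False) == nsec_rdata(next_name, types, True)
```

A signature computed over the non-canonical bytes cannot verify against the canonical bytes, no matter how correct the key and algorithm are.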