[Opendnssec-user] Auditor failing to verify signatures which appear to be ok
Matthijs Mekking
matthijs at NLnetLabs.nl
Fri Mar 26 17:14:56 UTC 2010
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
I actually encountered the bug as well. I have been testing it before
with trunk, which does not seem to have the problem (as Alex mentioned
earlier).
It is indeed a bug in 1.0.0, independent of the system (my apologies for
blaming macosx ;)).
Note that ldns-verify-zone just checks the signature values compared to
the data and though quite useful, it is not a 100% guarantee of the zone
being absolutely correct. It is just an example tool. (Though we can
improve the examples).
Note that BIND validates the queries, because the signatures over the
data are correct, but it would probably fail if you trigger a NXDOMAIN.
I submitted a fix in the 1.0 branch.
Best regards,
Matthijs
Dave Knight wrote:
> On 2010-03-18, at 7:12 AM, Alexd at nominet.org.uk wrote:
>
>> Hi Dave -
>>
>>>> ...it is signed just fine, but I get the following from the Auditor
>> I can sign and audit this zone just fine using OpenDNSSEC trunk. What version are you using?
>
> 1.0.0
>
>
>> I'll check the signatures that you have sent in the signed zone, using something other than ldns (which was used to create them).
>
> I've loaded the zone in BIND 9.6.1-P1 and pointed a BIND 9.6.2 validator at it, it validates fine. I did a walkthrough and validated every rr in the zone...
>
> for rr in `cat in-addr-servers.arpa`
> do
> oname=`echo $rr | awk '{print $1}'`
> type=`echo $rr | awk '{print $4}'`
> dig @localhost +noall +cmd +comment +dnssec $type $oname | egrep 'DiG|HEADER|\;\ flags'
> echo
> done
>
> ; <<>> DiG 9.6.0-APPLE-P2 <<>> @localhost +noall +cmd +comment +dnssec SOA in-addr-servers.arpa.
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3595
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 25
>
> ; <<>> DiG 9.6.0-APPLE-P2 <<>> @localhost +noall +cmd +comment +dnssec A A.in-addr-servers.arpa.
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16017
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 23
>
> ; <<>> DiG 9.6.0-APPLE-P2 <<>> @localhost +noall +cmd +comment +dnssec AAAA A.in-addr-servers.arpa.
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49727
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 23
>
> ; <<>> DiG 9.6.0-APPLE-P2 <<>> @localhost +noall +cmd +comment +dnssec A B.in-addr-servers.arpa.
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33637
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 23
>
> ; <<>> DiG 9.6.0-APPLE-P2 <<>> @localhost +noall +cmd +comment +dnssec AAAA B.in-addr-servers.arpa.
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45922
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 23
>
> ; <<>> DiG 9.6.0-APPLE-P2 <<>> @localhost +noall +cmd +comment +dnssec A C.in-addr-servers.arpa.
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61538
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 23
>
> ; <<>> DiG 9.6.0-APPLE-P2 <<>> @localhost +noall +cmd +comment +dnssec AAAA C.in-addr-servers.arpa.
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6186
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 23
>
> ; <<>> DiG 9.6.0-APPLE-P2 <<>> @localhost +noall +cmd +comment +dnssec A D.in-addr-servers.arpa.
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51800
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 23
>
> ; <<>> DiG 9.6.0-APPLE-P2 <<>> @localhost +noall +cmd +comment +dnssec AAAA D.in-addr-servers.arpa.
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38703
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 23
>
> ; <<>> DiG 9.6.0-APPLE-P2 <<>> @localhost +noall +cmd +comment +dnssec A E.in-addr-servers.arpa.
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41539
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 23
>
> ; <<>> DiG 9.6.0-APPLE-P2 <<>> @localhost +noall +cmd +comment +dnssec AAAA E.in-addr-servers.arpa.
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45561
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 23
>
> ; <<>> DiG 9.6.0-APPLE-P2 <<>> @localhost +noall +cmd +comment +dnssec A F.in-addr-servers.arpa.
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64185
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 23
>
> ; <<>> DiG 9.6.0-APPLE-P2 <<>> @localhost +noall +cmd +comment +dnssec AAAA F.in-addr-servers.arpa.
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26976
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 23
>
> ; <<>> DiG 9.6.0-APPLE-P2 <<>> @localhost +noall +cmd +comment +dnssec NS in-addr-servers.arpa.
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5214
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 25
>
> ; <<>> DiG 9.6.0-APPLE-P2 <<>> @localhost +noall +cmd +comment +dnssec NS in-addr-servers.arpa.
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59338
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 25
>
> ; <<>> DiG 9.6.0-APPLE-P2 <<>> @localhost +noall +cmd +comment +dnssec NS in-addr-servers.arpa.
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31865
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 25
>
> ; <<>> DiG 9.6.0-APPLE-P2 <<>> @localhost +noall +cmd +comment +dnssec NS in-addr-servers.arpa.
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7652
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 25
>
> ; <<>> DiG 9.6.0-APPLE-P2 <<>> @localhost +noall +cmd +comment +dnssec NS in-addr-servers.arpa.
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46122
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 25
>
> ; <<>> DiG 9.6.0-APPLE-P2 <<>> @localhost +noall +cmd +comment +dnssec NS in-addr-servers.arpa.
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22643
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 25
>
>
> I have to imagine that I am hitting a bug in the Auditor.
>
> dave_______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iQEcBAEBAgAGBQJLrOuOAAoJEA8yVCPsQCW5BYkIAIE5wy4Uv57jxMJaX5MZczZl
mQNbdGAoLBIsewE09ABj3hm2wn/1XwCd/le+RqgME+8NA9h/C+OJGJ7STX7eV1y7
yR1BWunUcZuvAhrjXxsCMZ9ZOMzQaEm6y0W0hgMmFHpWawm0Bev6T+59o0jmSqhh
wrgedi/xpYO3fFH/47zjgZ1MJwKfrIZGYvAkj8fvpTTqHuZikAojTXs7ZNgmhX5W
s6Ytd19G4dKpTHddEXMy2w30w8Lh1PRo9C379bEmnJBYLXzRGRNyBpAY0ChxVobw
ACzg9uNb3WTDGOSXbpR56n0wT4hRlgZ23f1/SjkopPX+kWiX2OErHgdpywo+I5M=
=4N5B
-----END PGP SIGNATURE-----
More information about the Opendnssec-user
mailing list