[Opendnssec-user] Auditor failing to verify signatures which appear to be ok

Matthijs Mekking matthijs at NLnetLabs.nl
Mon Mar 29 09:44:20 UTC 2010


However,

dnssec-bis-updates states:

   [RFC4034] Section 6.2 item 3 has a list of resource record types for
   which DNS names in the RDATA are downcased for purposes of DNSSEC
   canonical form (for both ordering and signing).  That list
   erroneously contains NSEC and RRSIG.  According to [RFC3755], DNS
   names in the RDATA of NSEC and RRSIG should not be downcased.

Alex wrote:
> So, when dnsruby calculates the signature of an RRSet, it uses the
> canonical form of the NSEC record.

While the sorter needed to canonicalize the RR, ldns does not need to
canonicalize the next owner name. So shouldn't dnsruby.

Matthijs


Alexd at nominet.org.uk wrote:
> Hi Dave -
> 
> Sorry for the delay in replying.
> 
>> ...it is signed just fine, but I get the following from the Auditor
>>
>> # bin/ods-auditor --zone in-addr-servers.arpa --signed var/
>> opendnssec/tmp/in-addr-servers.arpa.finalized
>> Auditor started
>> Auditor starting on in-addr-servers.arpa
>> 6: Auditing in-addr-servers.arpa zone : NSEC SIGNED
>> 3: RRSet (in-addr-servers.arpa, NSEC) failed verification :
>> Signature failed to cryptographically verify, tag = 12033
>> 3: RRSet (A.in-addr-servers.arpa, NSEC) failed verification :
>> Signature failed to cryptographically verify, tag = 12033
>> 3: RRSet (B.in-addr-servers.arpa, NSEC) failed verification :
>> Signature failed to cryptographically verify, tag = 12033
>> 3: RRSet (C.in-addr-servers.arpa, NSEC) failed verification :
>> Signature failed to cryptographically verify, tag = 12033
>> 3: RRSet (D.in-addr-servers.arpa, NSEC) failed verification :
>> Signature failed to cryptographically verify, tag = 12033
>> 3: RRSet (E.in-addr-servers.arpa, NSEC) failed verification :
>> Signature failed to cryptographically verify, tag = 12033
>> 6: Finished auditing in-addr-servers.arpa zone
>> Auditor found errors - check log for details
>>
>> So far as I can tell there is nothing actually wrong with the signatures
> 
> I think that the NSEC signatures are in fact incorrect (all the other
> signatures are OK). If you look at the next_domain field in the rdata,
> you will see e.g. "C.in-addr-servers.arpa". The signature has been
> generated using this upper-case "C", in contravention of RFC4034 section
> 3.1.8.1:
> 
>    Any DNS names in the RDATA field of each RR MUST be in
>    canonical form; and
> 
> So, the auditor has checked the signature associated with these records,
> and found them incorrect as per RFC4034.
> 
> I'm not sure why the signer has included upper-case characters in the
> signature calculation for the nsec rdata - if it's of any consolation,
> the current trunk does not do this on my machine... I think Matthijs may
> be looking into this.
> 
> HTH,
> 
> 
> Alex.
> 
> 

