[Opendnssec-user] Problems when a change in delegation cause A RRs to become glue RRs

Matthijs Mekking matthijs at nlnetlabs.nl
Wed Jun 20 11:59:47 UTC 2012

Hash: SHA1

Hi Göran,

You are right. Thanks for your detailed report. I have created an
issue for this in our tracker:


I have a fix for this in the 1.3 branch, r6448. It also happens in
1.4.0a2, a fix is in trunk as well.

Best regards,

On 06/15/2012 07:43 AM, Göran Bengtson wrote:
> I noticed what I believe is a problem with OpenDNSSEC when a change
> in delegation of subdomains cause normal A-RRs to become glue
> A-RRs. (Running the 1.3-branch, rev. 6352 on a RHEL 5.8 32bit
> system).
> Before the delegation is changed, the A-RRs should be (and are) 
> signed, but when the A-RRs becomes glue they should not.
> I recreated the problem in a test zone. I've saved the unsigned and
> signed zone-files for the different phases in the test case and can
> send them if so requested (or open a case if that is preferred).
> I don't know exactly when the RRSIG for the A-RRs in question (that
> transitioned from normal A-RRs to glue RRs) should be removed, but
> I assume it should be done immediately after the change.
> In any case, ODS seems to:
> 1    Keep the signatures after the change. 2    Not process them
> (e.g. update them if they should be recalculated). 3    Cause NSEC3
> issues.
> In my case (the "live one", not the test) the (partial) auditor
> complained Jun 13 19:16:39 ns-test ods-auditor[17437]: chalmers.se
> : Signature expiration (1339853028) for green.net.chalmers.se., A
> should be later than (the refresh period (259200) - the resign
> period (3600)) from now (1339607799)
> I think this is because the signature was to be recalculated at the
> next run, but then the delegation was changed so the A RR was glue
> and ODS didn't process the RRSIG at all (2 above).
> I'm also surprised that the auditor didn't complain over the fact
> that the glue A-RRs were signed. If I remember correct it used to
> do that, but maybe only i full mode?
> In the test-case, a full audit after the delegation was changed and
> the zone resigned gave the following output: [root at ns-test
> unsigned]# ods-auditor -f -z test.eu Auditor started Auditor
> starting on test.eu 6: test.eu : SOA differs : from 1 to
> 2012061403 6: test.eu : Auditing test.eu zone : NSEC3 SIGNED 3:
> test.eu : Found RRs for ns3.dom.test.eu 
> (f6arn3nl2f2tog71r9jegncjiaid1ts0.test.eu) which was not covered by
> an NSEC3 record 3: test.eu : Found RRs for ns1.dom.test.eu 
> (gip7rppf16ufvqmlbq537gk6ni77ma9s.test.eu) which was not covered by
> an NSEC3 record 3: test.eu : Found RRs for ns2.dom.test.eu 
> (sphlgq22pk3uga2t1f3tccbqf4hfu0p9.test.eu) which was not covered by
> an NSEC3 record 6: test.eu : Finished auditing test.eu zone Auditor
> found errors - check log for details
> Indicate that the RRSIGs shouldn't be there.
> Manually removing the RRSIGs for the glue A RRs from the zone made
> the auditor run without complains, so maybe the root of these
> problems is that the RRSIGs for the A-RRs that became glue are
> left in the signed zone?
> Also - ODS does not generate RRSIG for glue-RRs in general.
> Removing one of the glue-RRs in the test case, resign, add it
> again, a resign does not recreate a RRSIG for the glue RR. This
> too indicate that the problem is that the RRSIGs are "left" in the
> signed zone when the delegation is changed.
> Comments?
> / GÖran Bengtson Chalmers Univ. of Technology
> _______________________________________________ Opendnssec-user
> mailing list Opendnssec-user at lists.opendnssec.org 
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user

Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/


More information about the Opendnssec-user mailing list