[Opendnssec-user] 1.4.0a1 ods-signerd wrote mangled RRSIG record
Matthijs Mekking
matthijs at nlnetlabs.nl
Thu Jun 21 09:51:40 UTC 2012
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Follow up.
With what HSM backend is this? Going through the list of fixed issues,
this sounds familiar to
https://issues.opendnssec.org/browse/ODSPTHIST-294
The problem then was in SoftHSM, which was fixed in 1.1.1, so I guess
that's not it.
I committed a defense mechanism for this, in trunk r6449. You'll need
ldns trunk too (the upcoming 1.6.14, which will be released prior to
OpenDNSSEC 1.4.0). Basically what it does, is every time that ldns is
unable to convert a RDATA into a string, the signer engine uses the
error to prevent writing out the signed zone/journal files. You will
see this in the logs as:
ods-signerd: [adapter] unable to write zone example.com file
/opt/opendnssec/var/opendnssec/signed/example.com: one or more RR
print failed
Please let me know how this works for you.
Best regards,
Matthijs
On 05/22/2012 11:55 AM, Matthijs Mekking wrote:
> Follow up.
>
> I noticed that in the backup file there is:
>
> www.hippiesfromhell.org. 3600 IN RRSIG (null)
> ak8IpXpCo6a67RQbWNp2JTf3ZhmgP6psK40NaI8JB761TOfDkr6kLQQsGqhN35IrU4GnNEV/i31cnIODukEBwgIRbHaWfs4A2ve6NxGaC5L03/HGVVnizOhGbLCxu8mTh9ox57D33VPF9e2NrHX5ltpjE36plGffvKkyMzWSvgs=
>
> I am clueless how that is printed, other than that:
>
> * The signer got a malformed (ldns_rr*) signature from libhsm. The
> RRSIG is printed to the backup file with ldns_rr_print() and if
> there is an unknown or 'NONE' rdf, ldns prints out "(null)".
>
> Also strange is that the RRSIG in the signed output file only
> misses the Covered RRtype Field. Perhaps OpenDNSSEC should use the
> ldns_rr2buffer_str_fmt() function and check on the returned status
> to detect such errors.
>
> By the way, if the malformed backup file is read, the signer will
> complain that the backup cannot be recovered and performs a full
> resign.
>
> Best regards, Matthijs
>
>
> On 04/08/2012 06:46 PM, Paul Wouters wrote:
>
>> I noticed ods-signerd was not running and nsdc rebuild failing
>> to load a signed zone. Here is the snippit of the zone (excuse
>> the linewraps)
>
>> localhost.hippiesfromhell.org. 3600 IN RRSIG A 8 3
>> 3600 20120415060133 20120408153531 14463 hippiesfromhell.org.
>> chfWGylwS0mXfHTgO2GE+eJDTKYjlKbXmeeSDC3b3T85IeFapUPeYWB6t9YW0EelmljxfFUArsQ2x4zTCLS4QCYqVF82b4S8b7HqcjCZOnu9cHtr5okBidvNUshpacAD8rjrvkUzN4DLhkUHsH9tWezJAc+YmmLaAYH0NnpaHxA=
>
>> spjca3c5vaj3nu909q9dmehne80auahm.hippiesfromhell.org. 3600 IN
>> NSEC3 1 0 5 715e22f77cc2f0d7 ulf44lvfajc0jvc293v96s1k62p153lh
>> A RRSIG spjca3c5vaj3nu909q9dmehne80auahm.hippiesfromhell.org.
>> 3600 IN RRSIG NSEC3 8 3 3600 20120414033000 20120407103303
>> 14463 hippiesfromhell.org.
>> isAxQLhvT8ctAbJU1unNnomwgzwqeaLt419G9ZET4afSC5mZojQ/Ohkb092+YD2O6gTZUWi0ZogqEtFHtBpD/CikoBNyxCvvBqaSB2c5kjNLjbSeUyMYZOl+bDyIkUNWaeVL/u+M1ZUM4MRblT1INobBfDyZS2CjfVVtUYBJU38=
>
>> www.hippiesfromhell.org. 3600 IN A 194.109.206.10
>> www.hippiesfromhell.org. 3600 IN RRSIG A 8 3 3600
>> 20120415132541 20120408153531 14463 hippiesfromhell.org.
>> TnxW+5U59P2mrIH3aBeUmgc37YMTZTNLdD5G+R5YhHH6WUmVF3LCLG2WrR8NXxnITrFv/Wukle5219FHKFphROWaHsy4rjqaR/T7lLIl3rbO5Wv2WkMnRkPkPL+GbdkDSXpjn//6069ThayeuaEsJTWX6asAnY4hdwDcMM5HIBI=
>
>> www.hippiesfromhell.org. 3600 IN AAAA
>> 2001:888:2127::2 www.hippiesfromhell.org. 3600 IN RRSIG
>> 3 3600 20120415160824 20120408153531 14463 hippiesfromhell.org.
>> ak8IpXpCo6a67RQbWNp2JTf3ZhmgP6psK40NaI8JB761TOfDkr6kLQQsGqhN35IrU4GnNEV/i31cnIODukEBwgIRbHaWfs4A2ve6NxGaC5L03/HGVVnizOhGbLCxu8mTh9ox57D33VPF9e2NrHX5ltpjE36plGffvKkyMzWSvgs=
>
>> ulf44lvfajc0jvc293v96s1k62p153lh.hippiesfromhell.org. 3600 IN
>> NSEC3 1 0 5 715e22f77cc2f0d7 id80573gdcb27rrljq5019grpmttnnib
>> A AAAA RRSIG
>
>> Note the RRSIG record for www.hippiesfromhell.org has an RRSIG
>> that has "no records" as the list of records it is supposed to
>> cover.
>
>> This zone was generated by 1.4.0a1.
>
>> A tarball of /etc/opendnssec and /var/opendnssec is available on
>> request (but not for public consumption in a bug tracker)
>
>> deleting the signed zone file and resigning resolved the
>> problem.
>
>> Paul _______________________________________________
>> Opendnssec-user mailing list Opendnssec-user at lists.opendnssec.org
>> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
>
> _______________________________________________ Opendnssec-user
> mailing list Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iQEcBAEBAgAGBQJP4u6sAAoJEA8yVCPsQCW5eUIH/juJNAZbrQBNP08cWeu+N5fJ
CHCWldXc9LtDfV8FrDdA3U89O9FcKRw728n72Abs6Lsl0nyI13gGfE3iEXOSh3Xs
yIUa8c2YgnbC+KT7JBryz7SuNmbp2i+yDlKEbYVyiQS0j5jI2OqTLczXn+tgy+M2
20M8snQu2xAMb11EbcGIfpM6FRolWruw8Alex6EEljF2u9CzjdltWEcXvX4OY6Bm
QLud78AEGz7KePhWcosPAbEiYq1uiyxLnx5i8WiiZfpJQUCkFuhnsLm2DSJqz4AL
bnj2o5AQBUy7iTDceia7S8lTkZtv1xn7q5B2NWl8x/snddzwdivWYEVB0nGGnlQ=
=1r37
-----END PGP SIGNATURE-----
More information about the Opendnssec-user
mailing list