[Opendnssec-user] 1.4.0a1 ods-signerd wrote mangled RRSIG record

Matthijs Mekking matthijs at nlnetlabs.nl
Tue May 22 09:55:59 UTC 2012



Follow up.

I noticed that in the backup file there is:

www.hippiesfromhell.org.	3600	IN	RRSIG	(null)
ak8IpXpCo6a67RQbWNp2JTf3ZhmgP6psK40NaI8JB761TOfDkr6kLQQsGqhN35IrU4GnNEV/i31cnIODukEBwgIRbHaWfs4A2ve6NxGaC5L03/HGVVnizOhGbLCxu8mTh9ox57D33VPF9e2NrHX5ltpjE36plGffvKkyMzWSvgs=

I am clueless how that is printed, other than that:

* The signer got a malformed (ldns_rr*) signature from libhsm. The
RRSIG is printed to the backup file with ldns_rr_print() and if there
is an unknown or 'NONE' rdf, ldns prints out "(null)".

Also strange is that the RRSIG in the signed output file only misses
the Covered RRtype Field. Perhaps OpenDNSSEC should use the
ldns_rr2buffer_str_fmt() function and check on the returned status to
detect such errors.

By the way, if the malformed backup file is read, the signer will
complain that the backup cannot be recovered and perform a full resign.

Best regards,
  Matthijs


On 04/08/2012 06:46 PM, Paul Wouters wrote:
> 
> I noticed ods-signerd was not running and nsdc rebuild failing to
> load a signed zone. Here is the snippet of the zone (excuse the
> linewraps)
> 
> localhost.hippiesfromhell.org.  3600    IN      RRSIG   A 8 3 3600 
> 20120415060133 20120408153531 14463 hippiesfromhell.org. 
> chfWGylwS0mXfHTgO2GE+eJDTKYjlKbXmeeSDC3b3T85IeFapUPeYWB6t9YW0EelmljxfFUArsQ2x4zTCLS4QCYqVF82b4S8b7HqcjCZOnu9cHtr5okBidvNUshpacAD8rjrvkUzN4DLhkUHsH9tWezJAc+YmmLaAYH0NnpaHxA=
>
>  spjca3c5vaj3nu909q9dmehne80auahm.hippiesfromhell.org.   3600
> IN NSEC3   1 0 5 715e22f77cc2f0d7  ulf44lvfajc0jvc293v96s1k62p153lh
> A RRSIG spjca3c5vaj3nu909q9dmehne80auahm.hippiesfromhell.org.
> 3600    IN RRSIG   NSEC3 8 3 3600 20120414033000 20120407103303
> 14463 hippiesfromhell.org. 
> isAxQLhvT8ctAbJU1unNnomwgzwqeaLt419G9ZET4afSC5mZojQ/Ohkb092+YD2O6gTZUWi0ZogqEtFHtBpD/CikoBNyxCvvBqaSB2c5kjNLjbSeUyMYZOl+bDyIkUNWaeVL/u+M1ZUM4MRblT1INobBfDyZS2CjfVVtUYBJU38=
>
>  www.hippiesfromhell.org.        3600    IN      A
> 194.109.206.10 www.hippiesfromhell.org.        3600    IN
> RRSIG   A 8 3 3600 20120415132541 20120408153531 14463
> hippiesfromhell.org. 
> TnxW+5U59P2mrIH3aBeUmgc37YMTZTNLdD5G+R5YhHH6WUmVF3LCLG2WrR8NXxnITrFv/Wukle5219FHKFphROWaHsy4rjqaR/T7lLIl3rbO5Wv2WkMnRkPkPL+GbdkDSXpjn//6069ThayeuaEsJTWX6asAnY4hdwDcMM5HIBI=
>
>  www.hippiesfromhell.org.        3600    IN      AAAA
> 2001:888:2127::2 www.hippiesfromhell.org.        3600    IN
> RRSIG     3 3600 20120415160824 20120408153531 14463
> hippiesfromhell.org. 
> ak8IpXpCo6a67RQbWNp2JTf3ZhmgP6psK40NaI8JB761TOfDkr6kLQQsGqhN35IrU4GnNEV/i31cnIODukEBwgIRbHaWfs4A2ve6NxGaC5L03/HGVVnizOhGbLCxu8mTh9ox57D33VPF9e2NrHX5ltpjE36plGffvKkyMzWSvgs=
>
>  ulf44lvfajc0jvc293v96s1k62p153lh.hippiesfromhell.org.   3600
> IN NSEC3   1 0 5 715e22f77cc2f0d7  id80573gdcb27rrljq5019grpmttnnib
> A AAAA RRSIG
> 
> Note the RRSIG record for www.hippiesfromhell.org has an RRSIG that
> has "no records" as the list of records it is supposed to cover.
> 
> This zone was generated by 1.4.0a1.
> 
> A tarball of /etc/opendnssec and /var/opendnssec is available on 
> request (but not for public consumption in a bug tracker).
> 
> Deleting the signed zone file and resigning resolved the problem.
> 
> Paul

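Added example, not part of the original message and not OpenDNSSEC or ldns code: a pre-load check that flags RRSIG lines in a signed zone file whose RDATA does not have the presentation fields of RFC 4034 section 3.2, which covers both symptoms in this thread (a missing Type Covered field and a literal "(null)"). It assumes one record per line written as owner, TTL, class, type, rdata; the function names and the sample lines are constructed for illustration.

```python
import base64
import re

# RRSIG RDATA fields that precede the signature (RFC 4034, section 3.2).
FIELDS = {
    "type_covered": r"[A-Z][A-Z0-9-]*",
    "algorithm": r"\d{1,3}",
    "labels": r"\d{1,3}",
    "original_ttl": r"\d+",
    "expiration": r"\d{14}",
    "inception": r"\d{14}",
    "key_tag": r"\d{1,5}",
    "signer_name": r"\S*\.",
}

def check_rrsig(line):
    """Return the problems found in one record line; [] means nothing to report."""
    tokens = line.split()
    # Assumption: every record is written as "owner TTL class type rdata...".
    if len(tokens) < 4 or tokens[3] != "RRSIG":
        return []
    rdata = tokens[4:]
    if "(null)" in rdata:
        return ["rdata contains '(null)'"]
    if len(rdata) < len(FIELDS) + 1:
        return ["expected at least %d rdata fields, found %d" % (len(FIELDS) + 1, len(rdata))]
    problems = ["bad %s: %r" % (name, value)
                for (name, pattern), value in zip(FIELDS.items(), rdata)
                if not re.fullmatch(pattern, value)]
    try:
        base64.b64decode("".join(rdata[len(FIELDS):]), validate=True)
    except ValueError:
        problems.append("signature is not valid base64")
    return problems

def scan_zone(text):
    """Map 1-based line number to problems for each malformed RRSIG in the text."""
    checked = ((n, check_rrsig(l)) for n, l in enumerate(text.splitlines(), 1))
    return {n: problems for n, problems in checked if problems}

# Constructed sample zone lines (example.org, dummy signature), not from the thread.
SAMPLE = "\n".join([
    "www.example.org. 3600 IN A 192.0.2.10",
    "www.example.org. 3600 IN RRSIG A 8 3 3600 20120415132541 20120408153531 14463 example.org. c2lnbmF0dXJl",
    "www.example.org. 3600 IN RRSIG 3 3600 20120415160824 20120408153531 14463 example.org. c2lnbmF0dXJl",
    "www.example.org. 3600 IN RRSIG (null) c2lnbmF0dXJl",
    "abc.example.org. 3600 IN NSEC3 1 0 5 abcd def A AAAA RRSIG",
])
```

Running `scan_zone()` over the signer's output before the name server reloads it turns a failed zone load into a report naming the offending line.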


