[Opendnssec-user] Signature failed to cryptographically verify

Gilles Massen gilles.massen at restena.lu
Mon Jun 2 09:56:35 UTC 2014

Hi Jerry,

I think a have a good clue on what went wrong - just don't know how to
prove... (see below)

> On fre, 2014-05-30 at 16:05 +0200, Gilles Massen wrote:
>> I have an error with a zone, and I'm baffled were it comes from.
>> The auditor (yes, still using it) complains about "Signature
>> failed to cryptographically verify, tag = 54711" for about any
>> signature for a given zone.
> If you could share the logs it would help, also if you can get the
> logs with a high verbosity on the Signer.

I'm currently remote with a crap internet connection - so not for the
time being.

This said, when running with "verbosity 5" the signer worked as
expected, at least without an error or warning.

>> I tries ods-signer clear, stopping opendnssec and removing all
>> zone related temp files manually, replacing the entire ods-tree
>> with a known good config from another server - same errors.
> What do you mean with "ods-tree" ?

oh - that's actually related to my install. It's basically configure
--prefix=/usr/local/opendnssec : so the main directories are
etc/opendnssec and var/opendnssec.

> Have you tried validating the zone with validns? Does it give an
> error also?

Yes, it does. The error was "wrong padding" or "wrong pad length" I think.

>> BTW: opendnssec 1.3.14
> Can you upgrade to the latest 1.3 version (1.3.17) and test? Maybe
> on a test platform if you do not want to upgrade production right
> away.

Not immediately. But I will do as soon as possible. This said, what I
figured our is that one specific key was creating the bad signatures.

Our key material is stored in an HSM (Keyper), we have a production
HSM (which is fine) and an identical setup (with copies of the keys)
as backup. And on the backup the signatures failed. I have no errors
in the Keyper's logs, so it really looks as if one specific keys was
corrupted. All other signatures are fine, so the obvious fix was to
roll the keys, and now both systems are fine.

One question that remains: has someone seen this kind of error? Is
that something to be expected?

And does OpenDNSSEC has by any chance a rough tool to create a sig
with a given key referenced by the kasp.db?

best regards,

More information about the Opendnssec-user mailing list