[Opendnssec-user] Problem with salt length 0 in OpenDNSSec 2.1.11

Erik P. Ostlyngen erik.ostlyngen at norid.no
Fri Oct 28 08:57:50 UTC 2022


Update: The problem seems to be related to metadata in the .backup2
files (i.e. comment lines), where the salt in nsec3params is written
as an empty string:

;;Nsec3parameters: salt  algorithm 1 optout 1 iterations 0

The following patch appears to stop the error logging (although I have
no idea if it fixes the problem properly):

Index: opendnssec-2.1.11/signer/src/signer/nsec3params.c
===================================================================
--- opendnssec-2.1.11.orig/signer/src/signer/nsec3params.c
+++ opendnssec-2.1.11/signer/src/signer/nsec3params.c
@@ -145,7 +145,7 @@ nsec3params_backup(FILE* fd, uint8_t alg
           return;
       }
       fprintf(fd, ";;Nsec3parameters: salt %s algorithm %u optout %u "
-        "iterations %u\n", salt?salt:"-", (unsigned) algo,
+        "iterations %u\n", strlen(salt) != 0 ? salt : "-", (unsigned)
algo,
           (unsigned) flags, (unsigned) iter);
       if (strcmp(version, ODS_SE_FILE_MAGIC_V2) == 0) {
           if (rr) {
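Review bot: the replacement on the `+` line drops the NULL guard the original `salt?salt:"-"` provided, so `strlen(salt)` dereferences a null pointer whenever `salt` is NULL; keep both checks, e.g. `(salt && salt[0] != '\0') ? salt : "-"`. Note also that this only changes what gets written: a `.backup2` file that already contains `salt  algorithm` (empty salt) will still fail to recover until the signer has done a full sign and rewritten the backup.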

Erik Østlyngen
Norid AS


On 28/10/2022 08.15, Erik P. Ostlyngen wrote:
> Hi,
> 
> I've just updated my testlab to use the 2.1.11 version of
> OpenDNSSec, so that I can try out the Salt Length="0"
> configuration. Initially, the configuration seems to work as
> expected; the signed zone gets an NSEC3PARAM record with value '1
> 0 0 -'.
> 
> However, after I restart the signer, I get the following errors 
> repeated for each of my zones:
> 
> ods-signerd[179661]: [zone] corrupted backup file zone sj: read
> nsec3parameters error
> ods-signerd[179661]: [engine] unable to recover zone sj from backup,
> performing full sign
> 
> The nsec3param record in the tmp/sj.backup2 file looks fine to me
> ('sj. 0 IN NSEC3PARAM  1 0 0 -'). So I wonder if this might be a
> problem with the code reading the .backup2 file, as it seems to be
> confused by the no salt '-' syntax?
> 
> Erik Østlyngen
> Norid AS
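
As an added illustration of the failure mode discussed in this thread (example code, not OpenDNSSEC's own; a hypothetical writer/reader pair for the `;;Nsec3parameters:` backup comment line), the program below shows why an empty salt string written verbatim cannot be read back, and why mapping both NULL and empty salt to `-` round-trips cleanly. The function names, the `sscanf`-based reader and the hex validation are assumptions made for this example.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical writer mirroring the original expression (salt ? salt : "-"):
 * NULL becomes "-", but an empty string is written as-is, producing
 * "salt  algorithm" with nothing between the two words. */
int write_naive(char* buf, size_t buflen, const char* salt,
                uint8_t algo, uint8_t flags, uint16_t iter)
{
    int n = snprintf(buf, buflen,
        ";;Nsec3parameters: salt %s algorithm %u optout %u iterations %u\n",
        salt ? salt : "-", (unsigned)algo, (unsigned)flags, (unsigned)iter);
    return (n < 0 || (size_t)n >= buflen) ? -1 : n;
}

/* Hypothetical corrected writer: NULL and "" both mean "no salt".
 * Checking salt[0] only after the NULL test avoids strlen(NULL). */
int write_fixed(char* buf, size_t buflen, const char* salt,
                uint8_t algo, uint8_t flags, uint16_t iter)
{
    const char* s = (salt && salt[0] != '\0') ? salt : "-";
    int n = snprintf(buf, buflen,
        ";;Nsec3parameters: salt %s algorithm %u optout %u iterations %u\n",
        s, (unsigned)algo, (unsigned)flags, (unsigned)iter);
    return (n < 0 || (size_t)n >= buflen) ? -1 : n;
}

/* Hypothetical reader for the same line. Returns 0 on success and -1 when
 * the line does not parse, which is what a signer would report as a
 * corrupted backup. "-" maps back to an empty salt; anything else must be
 * an even-length hex string. */
int read_nsec3params(const char* line, char* salt_out, size_t salt_len,
                     unsigned* algo, unsigned* flags, unsigned* iter)
{
    char tok[256];
    int got = sscanf(line,
        ";;Nsec3parameters: salt %255s algorithm %u optout %u iterations %u",
        tok, algo, flags, iter);
    if (got != 4)
        return -1;                       /* fields shifted or missing */
    if (strcmp(tok, "-") == 0) {
        tok[0] = '\0';
    } else {
        size_t len = strlen(tok);
        if (len % 2 != 0)
            return -1;                   /* hex salt must be whole bytes */
        for (size_t i = 0; i < len; i++)
            if (!isxdigit((unsigned char)tok[i]))
                return -1;
    }
    if (strlen(tok) >= salt_len)
        return -1;
    strcpy(salt_out, tok);
    return 0;
}

typedef int (*writer_fn)(char*, size_t, const char*, uint8_t, uint8_t, uint16_t);

/* Write with the given writer, read the line back, and return the reader's
 * status; the parsed salt is copied to salt_out. Parameters 1/1/0 are
 * constructed to match the "1 0 0 -" style record from the thread. */
int roundtrip(writer_fn w, const char* salt, char* salt_out, size_t salt_len)
{
    char line[512];
    unsigned algo, flags, iter;
    if (w(line, sizeof line, salt, 1, 1, 0) < 0)
        return -1;
    return read_nsec3params(line, salt_out, salt_len, &algo, &flags, &iter);
}

/* 1 if the round trip succeeds and yields exactly the expected salt. */
int roundtrip_salt_is(writer_fn w, const char* salt, const char* expected)
{
    char out[64];
    if (roundtrip(w, salt, out, sizeof out) != 0)
        return 0;
    return strcmp(out, expected) == 0;
}

int main(void)
{
    char out[64];
    printf("naive writer, empty salt: %d\n", roundtrip(write_naive, "", out, sizeof out));
    printf("fixed writer, empty salt: %d\n", roundtrip(write_fixed, "", out, sizeof out));
    printf("fixed writer, NULL salt:  %d\n", roundtrip(write_fixed, NULL, out, sizeof out));
    printf("fixed writer, salt abcd:  %d [%s]\n", roundtrip(write_fixed, "abcd", out, sizeof out), out);
    return 0;
}
```

With the naive writer and an empty salt, `%s` in the reader consumes the word `algorithm` as the salt and the rest of the format no longer matches, so the reader reports corruption, which is the symptom seen in the log lines above; the fixed writer emits `-` for both NULL and empty salt and the same reader accepts it.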
