[Opendnssec-user] Problem with salt length 0 in OpenDNSSec 2.1.11

Berry van Halderen berry at nlnetlabs.nl
Fri Oct 28 10:36:29 UTC 2022


On 2022-10-28 10:57, Erik P. Ostlyngen via Opendnssec-user wrote:
> Update: The problem seems to be related to metadata in the .backup2
> files (i.e. comment lines), where the salt in nsec3params is written
> as an empty string:
> 
> ;;Nsec3parameters: salt  algorithm 1 optout 1 iterations 0

Dear Erik, et al,

Correct, I'm also working on it.  This causes the whole zone to
get re-signed upon restart, which isn't fatal, but expect a next
release soon.  I was thinking along the same lines as your fix,
but I'm not sure it is complete yet...

\Berry

> The following patch appears to stop the error logging (although I have
> no idea if it fixes the problem properly):
> 
> Index: opendnssec-2.1.11/signer/src/signer/nsec3params.c
> ===================================================================
> --- opendnssec-2.1.11.orig/signer/src/signer/nsec3params.c
> +++ opendnssec-2.1.11/signer/src/signer/nsec3params.c
> @@ -145,7 +145,7 @@ nsec3params_backup(FILE* fd, uint8_t alg
>           return;
>       }
>       fprintf(fd, ";;Nsec3parameters: salt %s algorithm %u optout %u "
> -        "iterations %u\n", salt?salt:"-", (unsigned) algo,
> +        "iterations %u\n", strlen(salt) != 0 ? salt : "-", (unsigned)
> algo,
>           (unsigned) flags, (unsigned) iter);
>       if (strcmp(version, ODS_SE_FILE_MAGIC_V2) == 0) {
>           if (rr) {
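Review bot: The `+` line drops the NULL guard that the `-` line had: `strlen(salt)` dereferences `salt` when it is NULL, which the original `salt?salt:"-"` avoided. Suggest `(salt && *salt) ? salt : "-"` so that both a NULL and an empty salt are written as `-`. Also, the mail client has wrapped the replacement line (`algo,` sits on its own line), so the patch will not apply as pasted; rejoin it before use. The reader side of the .backup2 file is not in this hunk, so whether it accepts `-` as an empty salt still needs to be checked separately.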
> 
> Erik Østlyngen
> Norid AS
> 
> 
> On 28/10/2022 08.15, Erik P. Ostlyngen wrote:
>> Hi,
>> 
>> I've just updated my testlab to use the 2.1.11 version of OpenDNSSec,
>> so that I can try out the Salt Length="0" configuration. Initially,
>> the configuration seems to work as expected, the signed zone gets an
>> NSEC3PARAM record with value '1 0 0 -'.
>> 
>> However, after I restart the signer, I get the following errors 
>> repeated for each of my zones:
>> 
>> ods-signerd[179661]: [zone] corrupted backup file zone sj: read nsec3parameters error
>> ods-signerd[179661]: [engine] unable to recover zone sj from backup, performing full sign
>> 
>> The nsec3param record in the tmp/sj.backup2 file looks fine to me
>> ('sj. 0 IN NSEC3PARAM  1 0 0 -'). So I wonder if this might be a
>> problem with the code reading the .backup2 file, as it seems to be
>> confused by the no salt '-' syntax?
>> 
>> Erik Østlyngen
>> Norid AS
> 
> 
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
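The backup-line problem discussed in this thread, as an added example that is not OpenDNSSEC's own code: a hypothetical writer/reader pair for the ";;Nsec3parameters:" comment line in which an empty or NULL salt is stored as "-" (the convention the quoted NSEC3PARAM record already uses) and read back as an empty salt, plus a constructed copy of the blank-salt line that shows why the reader rejects it.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helpers, not OpenDNSSEC code: write and read the
 * ";;Nsec3parameters:" backup comment line so that a salt of length 0
 * (or a NULL salt) survives a round trip. */

struct nsec3params_line {
    char salt[256];            /* "" when there is no salt */
    unsigned algo, flags, iter;
};

/* Write the comment line into buf. NULL and "" both become "-", so the
 * token positions stay fixed for the reader. Returns snprintf's result. */
int nsec3params_format(char *buf, size_t len, const char *salt,
                       unsigned algo, unsigned flags, unsigned iter)
{
    const char *s = (salt && *salt) ? salt : "-";   /* NULL-safe, unlike strlen(salt) */
    return snprintf(buf, len,
                    ";;Nsec3parameters: salt %s algorithm %u optout %u iterations %u\n",
                    s, algo, flags, iter);
}

/* Read the comment line. Returns 0 on success, -1 when the tokens do not
 * line up (for instance when the salt column is blank), which is the case
 * that makes a signer report a read error and fall back to a full sign. */
int nsec3params_parse(const char *line, struct nsec3params_line *out)
{
    char salt[256];
    int n = sscanf(line,
                   ";;Nsec3parameters: salt %255s algorithm %u optout %u iterations %u",
                   salt, &out->algo, &out->flags, &out->iter);
    if (n != 4)
        return -1;
    if (strcmp(salt, "-") == 0)
        out->salt[0] = '\0';       /* "-" means no salt */
    else
        strcpy(out->salt, salt);   /* fits: both buffers are 256 bytes */
    return 0;
}

/* Constructed sample of a line written with a blank salt column: %255s
 * consumes "algorithm" as the salt and the rest of the format fails. */
const char *kBrokenLine = ";;Nsec3parameters: salt  algorithm 1 optout 1 iterations 0\n";
```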

