From barshani.jalaludeen at oivan.com Mon Jun 30 07:52:36 2025
From: barshani.jalaludeen at oivan.com (Barshani Jalaludeen)
Date: Mon, 30 Jun 2025 07:52:36 +0000
Subject: [Opendnssec-user] opendnssec / ldns-verify-zone - A has signature(s), but is occluded (or glue)

Hi,

We are getting the following error while verifying the opendnssec signed zone file: "A has signature(s), but is occluded (or glue)"

Following are the test cases done on the opendnssec server. I am not sure whether it is a bug or whether we need to follow some procedure to avoid this issue. Please suggest.

opendnssec version: opendnssec-2.1.14, softHSM version: softhsm-2.6.1

example.com zone file:
------
$ORIGIN example.com.
$TTL 86400
@ IN SOA ns1.example.com. hostmaster.example.com. (
        2025062628 ; serial
        7200       ; refresh (2 hours)
        3600       ; retry (1 hour)
        1209600    ; expire (2 weeks)
        3600       ; minimum (1 hour)
        )
example.com.            3600 IN NS ns1.dnsp.com.
example.com.            3600 IN NS ns2.dnsp.com.
ns1.dnsp.com.           3600 IN A  192.0.2.1
ns2.dnsp.com.           3600 IN A  192.0.2.2
;child zones
site1.example.com.      IN NS ns1.site1.example.com.
site1.example.com.      IN NS ns2.site1.example.com.
site2.example.com.      IN NS ns1.site1.example.com.
site2.example.com.      IN NS ns2.site1.example.com.
ns1.site1.example.com.  IN A  192.168.0.1
ns2.site1.example.com.  IN A  192.168.0.2

Test case 1: Signing by opendnssec works fine with the above example.com zone file. ldns-verify-zone succeeded for the signed zone file without any issue.

Test case 2: From the above zone file, if we remove the child zone entries "site1.example.com. IN NS ns1.site1.example.com." AND "site1.example.com. IN NS ns2.site1.example.com.", then the Signer considers "ns1.site1.example.com. 86400 IN A 192.168.0.1" and "ns2.site1.example.com. IN A 192.168.0.2" as "A" records and the signed file is with NSEC3 records. Here, ldns-verify-zone succeeded for the signed zone file: verified and complete.

Test case 3: Now if we add back the (removed child zone) entries "site1.example.com. IN NS ns1.site1.example.com." AND "site1.example.com. IN NS ns2.site1.example.com.", then the Signer again considers ns1.site1.example.com and ns2.site1.example.com. as "A" records and signs the same (without NSEC3 records). Here ldns-verify-zone fails with the following error for the signed zone:

r0ts-dns-ids01:/var/opendnssec/signed# ldns-verify-zone /var/opendnssec/signed/example.com
Error: ns1.site1.example.com. A has signature(s), but is occluded (or glue)
Error: ns2.site1.example.com. A has signature(s), but is occluded (or glue)
There were errors in the zone

Details:

Test case 2:

Unsigned zone file: example.com
$ORIGIN example.com.
$TTL 86400
@ IN SOA ns1.example.com. hostmaster.example.com. (
        2025062901 ; serial
        7200       ; refresh (2 hours)
        3600       ; retry (1 hour)
        1209600    ; expire (2 weeks)
        3600       ; minimum (1 hour)
        )
example.com.            3600 IN NS ns1.dnsp.com.
example.com.            3600 IN NS ns2.dnsp.com.
ns1.dnsp.com.           3600 IN A  192.0.2.1
ns2.dnsp.com.           3600 IN A  192.0.2.2
;child zones
site2.example.com.      IN NS ns1.site1.example.com.
site2.example.com.      IN NS ns2.site1.example.com.
ns1.site1.example.com.  IN A  192.168.0.1
ns2.site1.example.com.  IN A  192.168.0.2

Signed zone file: example.com
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2025062903 7200 3600 1209600 3600
example.com. 3600 IN RRSIG SOA 13 2 3600 20250713103826 20250629093857 50857 example.com. X/yOKaNg2nSnRKruh6iw/9+v11AiGIGnfMBmM+/hZ51lu2F/yl3MipaRrVY0XzQRmAUvDWhGY0rLYAlEEaNCMw==
example.com. 3600 IN DNSKEY 257 3 13 95MijHgdYxr1CzIuPE+vdPaWxqKPoAaCGod0hzEa0WugTXSgNgk3XUXklMxbRnWOYBUHbWyw5OmVbuufKDsfeg== ;{id = 41231 (ksk), size = 256b}
example.com. 3600 IN DNSKEY 256 3 13 WEFhn+zqcTg9bTIiUWQfFcZ2+1epiGlZopAlQ6U8lvabGV2+TH0QHY113wbE/YrcNIqYqOEp76uxZpAqWzSlQA== ;{id = 50857 (zsk), size = 256b}
example.com. 3600 IN RRSIG DNSKEY 13 2 3600 20250713102836 20250629092913 41231 example.com. DYAMbh+yhjEKwqIWzCJWGuj6zxEzZ0eDjceBZ8owP3sposej0ey78xFIrICUNmBW82xyiDbmH9ho2rCSF9ik3g==
example.com. 0 IN NSEC3PARAM 1 0 5 4d91322a387fea14
example.com. 0 IN RRSIG NSEC3PARAM 13 2 0 20250713102908 20250629092913 50857 example.com. zxNW+KlSKJ5kxdob/krPTB2F0eFX8mJZZUtRU10Oo6U2T9qnLGqnNd3kwJ5iHuQu4PVsQnHTk06rcuUDQ/KLTQ==
example.com. 3600 IN NS ns1.dnsp.com.
example.com. 3600 IN NS ns2.dnsp.com.
example.com. 3600 IN RRSIG NS 13 2 3600 20250713102907 20250629092913 50857 example.com. tcVd5ekK65yOEKjJFJ5o5/EMOXfCB+5Qk04Wp5nIuwdnsMFPrhCLsps0Tr0vK7sUbjIITnukF+6ldYW3JKRPQg==
1ale25q63qf27j2lrhoqm9um0a3u3e6r.example.com. 3600 IN NSEC3 1 1 5 4d91322a387fea14 6khjs8s1km7q7o0kiuo75681umgi1vne NS SOA RRSIG DNSKEY NSEC3PARAM
1ale25q63qf27j2lrhoqm9um0a3u3e6r.example.com. 3600 IN RRSIG NSEC3 13 3 3600 20250713103836 20250629093857 50857 example.com. kQIXRVlVYtnvevX+FXgOB/dSs28sxyxpt3yClLF6ddJX7zcHL71PwECAlQtVciZ84+TeBB0G1ml0DsO3UHbAHQ==
;;Empty non-terminal site1.example.com.
re7jfp9oitl3mdnjo2icnigv84kp0o2k.example.com. 3600 IN NSEC3 1 1 5 4d91322a387fea14 1ale25q63qf27j2lrhoqm9um0a3u3e6r
re7jfp9oitl3mdnjo2icnigv84kp0o2k.example.com. 3600 IN RRSIG NSEC3 13 3 3600 20250713103937 20250629093857 50857 example.com. KwpkOK2LdtB+k1MkVTXT2tpwQHHE8FGamLzHtsU7ySCWZyMGl9xpkOH/Lag2fQq7ccd3E7/bKP2Uwj+jB5Chsw==
ns1.site1.example.com. 86400 IN A 192.168.0.1
ns1.site1.example.com. 86400 IN RRSIG A 13 4 86400 20250713103810 20250629093857 50857 example.com. ifDngOBydUkZo9JdAlL8MhqxyYsrXIo5iRXN5bsPSWrFfo0fMNAC3MdluIRoJad5/WpEB5eVwIq7g20fLd1GVQ==
6khjs8s1km7q7o0kiuo75681umgi1vne.example.com. 3600 IN NSEC3 1 1 5 4d91322a387fea14 9mf6b0gr55bvjvt1r7mjhk74oal4o0gf A RRSIG
6khjs8s1km7q7o0kiuo75681umgi1vne.example.com. 3600 IN RRSIG NSEC3 13 3 3600 20250713103903 20250629093857 50857 example.com. gIAkLHKiIGqPyRZImhY7Eq0oOiyXZQvYHYAEceuBTaSN7WxYtZcdt+JpztJ35tc6dX4eY+rK5CffpGY8hI7y7A==
ns2.site1.example.com. 86400 IN A 192.168.0.2
ns2.site1.example.com. 86400 IN RRSIG A 13 4 86400 20250713103953 20250629093857 50857 example.com. pKiTdWEWLxWi2BlptnVecYhXde+65JzTmtvBbsWx3KFYxLjDKkEEtOejpujDL8mCW5ssEXjnjiqqnZgj7/TGww==
9mf6b0gr55bvjvt1r7mjhk74oal4o0gf.example.com. 3600 IN NSEC3 1 1 5 4d91322a387fea14 re7jfp9oitl3mdnjo2icnigv84kp0o2k A RRSIG
9mf6b0gr55bvjvt1r7mjhk74oal4o0gf.example.com. 3600 IN RRSIG NSEC3 13 3 3600 20250713103915 20250629093857 50857 example.com. BNIl/sn22QWiF4KIsS4+jXLPheV/pVDxAT14Lt29kvnyCkv6DFYJAYLbXZT9RmVHLN4q14CABKu4zCuQ7WUyDg==
site2.example.com. 86400 IN NS ns1.site1.example.com.
site2.example.com. 86400 IN NS ns2.site1.example.com.

Test case 3:

Unsigned zone file: example.com
$ORIGIN example.com.
$TTL 86400
@ IN SOA ns1.example.com. hostmaster.example.com. (
        2025062901 ; serial
        7200       ; refresh (2 hours)
        3600       ; retry (1 hour)
        1209600    ; expire (2 weeks)
        3600       ; minimum (1 hour)
        )
example.com.            3600 IN NS ns1.dnsp.com.
example.com.            3600 IN NS ns2.dnsp.com.
ns1.dnsp.com.           3600 IN A  192.0.2.1
ns2.dnsp.com.           3600 IN A  192.0.2.2
;child zones
site1.example.com.      IN NS ns1.site1.example.com.
site1.example.com.      IN NS ns2.site1.example.com.
site2.example.com.      IN NS ns1.site1.example.com.
site2.example.com.      IN NS ns2.site1.example.com.
ns1.site1.example.com.  IN A  192.168.0.1
ns2.site1.example.com.  IN A  192.168.0.2

Signed zone file: example.com
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2025062904 7200 3600 1209600 3600
example.com. 3600 IN RRSIG SOA 13 2 3600 20250713105836 20250629095744 50857 example.com. TIDrmS7eA9Et/VdX0sCWRN3LO4aT8PymaE4Le4BV8lrBDNc8TaWZEkMAO4ygkpliMNDS/6xlMeDXSYzjHuloVA==
example.com. 3600 IN DNSKEY 257 3 13 95MijHgdYxr1CzIuPE+vdPaWxqKPoAaCGod0hzEa0WugTXSgNgk3XUXklMxbRnWOYBUHbWyw5OmVbuufKDsfeg== ;{id = 41231 (ksk), size = 256b}
example.com. 3600 IN DNSKEY 256 3 13 WEFhn+zqcTg9bTIiUWQfFcZ2+1epiGlZopAlQ6U8lvabGV2+TH0QHY113wbE/YrcNIqYqOEp76uxZpAqWzSlQA== ;{id = 50857 (zsk), size = 256b}
example.com. 3600 IN RRSIG DNSKEY 13 2 3600 20250713102836 20250629092913 41231 example.com. DYAMbh+yhjEKwqIWzCJWGuj6zxEzZ0eDjceBZ8owP3sposej0ey78xFIrICUNmBW82xyiDbmH9ho2rCSF9ik3g==
example.com. 0 IN NSEC3PARAM 1 0 5 4d91322a387fea14
example.com. 0 IN RRSIG NSEC3PARAM 13 2 0 20250713102908 20250629092913 50857 example.com. zxNW+KlSKJ5kxdob/krPTB2F0eFX8mJZZUtRU10Oo6U2T9qnLGqnNd3kwJ5iHuQu4PVsQnHTk06rcuUDQ/KLTQ==
example.com. 3600 IN NS ns1.dnsp.com.
example.com. 3600 IN NS ns2.dnsp.com.
example.com. 3600 IN RRSIG NS 13 2 3600 20250713102907 20250629092913 50857 example.com. tcVd5ekK65yOEKjJFJ5o5/EMOXfCB+5Qk04Wp5nIuwdnsMFPrhCLsps0Tr0vK7sUbjIITnukF+6ldYW3JKRPQg==
1ale25q63qf27j2lrhoqm9um0a3u3e6r.example.com. 3600 IN NSEC3 1 1 5 4d91322a387fea14 1ale25q63qf27j2lrhoqm9um0a3u3e6r NS SOA RRSIG DNSKEY NSEC3PARAM
1ale25q63qf27j2lrhoqm9um0a3u3e6r.example.com. 3600 IN RRSIG NSEC3 13 3 3600 20250713105659 20250629095744 50857 example.com. EeyBPLB1tAvIo0DLt3N+QAQDPMu3T54r0eWfR9DyrwsdTv8TRtAOrcf/JdOlDa85fzBdInZCmJf1UXi/ebXXIw==
site1.example.com. 86400 IN NS ns1.site1.example.com.
site1.example.com. 86400 IN NS ns2.site1.example.com.
ns1.site1.example.com. 86400 IN A 192.168.0.1
ns1.site1.example.com. 86400 IN RRSIG A 13 4 86400 20250713103810 20250629093857 50857 example.com. ifDngOBydUkZo9JdAlL8MhqxyYsrXIo5iRXN5bsPSWrFfo0fMNAC3MdluIRoJad5/WpEB5eVwIq7g20fLd1GVQ==
ns2.site1.example.com. 86400 IN A 192.168.0.2
ns2.site1.example.com. 86400 IN RRSIG A 13 4 86400 20250713103953 20250629093857 50857 example.com. pKiTdWEWLxWi2BlptnVecYhXde+65JzTmtvBbsWx3KFYxLjDKkEEtOejpujDL8mCW5ssEXjnjiqqnZgj7/TGww==
site2.example.com. 86400 IN NS ns1.site1.example.com.
site2.example.com. 86400 IN NS ns2.site1.example.com.

r0ts-dns-ids01:/var/opendnssec/signed# ldns-verify-zone /var/opendnssec/signed/example.com
Error: ns1.site1.example.com. A has signature(s), but is occluded (or glue)
Error: ns2.site1.example.com. A has signature(s), but is occluded (or glue)
There were errors in the zone

Thanks
From he at uninett.no Mon Jun 30 11:49:25 2025
From: he at uninett.no (Havard Eidnes)
Date: Mon, 30 Jun 2025 13:49:25 +0200 (CEST)
Subject: [Opendnssec-user] opendnssec / ldns-verify-zone - A has signature(s), but is occluded (or glue)
Message-ID: <20250630.134925.1061436641722647116.he@uninett.no>

> We are getting the error while verify the opendnssec signed
> zone file - " A has signature(s), but is occluded (or glue)"

Yep, I see what's going on.

> Following is the test cases done on the opendnssec server. I am
> not sure, it is a bug or do we need to follow some procedure to
> avoid this issue. Please suggest.

In general, the remedy for this is to remove non-glue non-authoritative
data from your un-signed zone.

However...

It seems that the operations you are performing, in particular going
from #2 where the site1.example.com delegation has been removed to
re-introducing site1.example.com as a delegated zone in step #3, is
changing the "glueness" of the A records for

  ns1.site1.example.com.
  ns2.site1.example.com.

and it's entirely possible that OpenDNSSEC doesn't handle that
correctly, and instead retains the signatures for those A records
which were (correctly) computed in step #2.

A possible workaround is to remove both the delegation of
site1.example.com and the glue records, have OpenDNSSEC sign that
zone, and then re-introduce both at the same time and have OpenDNSSEC
do a new signing operation.

Best regards,

- Håvard

From barshani.jalaludeen at oivan.com Mon Jun 30 14:23:02 2025
From: barshani.jalaludeen at oivan.com (Barshani Jalaludeen)
Date: Mon, 30 Jun 2025 14:23:02 +0000
Subject: [Opendnssec-user] opendnssec / ldns-verify-zone - A has signature(s), but is occluded (or glue)
In-Reply-To: <20250630.134925.1061436641722647116.he@uninett.no>
References: <20250630.134925.1061436641722647116.he@uninett.no>

Hi Havard,

Thanks for your quick support.
We did the following, without updating any record in the unsigned zone file after test case 3 (the occluded (glue) issue):

cd /var/opendnssec/unsigned/
r0ts-dns-ids01:/var/opendnssec/unsigned# sudo -u ods ods-signer clear example.com
Internal zone information about example.com cleared
sudo -u ods ods-signer sign example.com
cd /var/opendnssec/signed
cat example.com
r0ts-dns-ids01:/var/opendnssec/signed# ldns-verify-zone /var/opendnssec/signed/example.com
Zone is verified and complete

It seems signing of example.com is working fine.

Note: Does this mean a bug in opendnssec in handling such a scenario? Any suggestion please.

Thanks

-----Original Message-----
From: Havard Eidnes
Sent: Monday, June 30, 2025 2:49 PM
To: Barshani Jalaludeen
Cc: opendnssec-user at lists.opendnssec.org
Subject: Re: [Opendnssec-user] opendnssec / ldns-verify-zone - A has signature(s), but is occluded (or glue)

[quoted reply snipped]
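The check behind the "occluded (or glue)" error that the thread turns on, as an added example that is not code from the thread, from OpenDNSSEC or from ldns: it finds the delegation points in a signed zone and flags any RRSIG-covered RRset sitting below one. The record lists are constructed from the owner names and types of the test case 2 and 3 signed zones above; the function names are this example's own.

```python
# Added example (not from the thread, OpenDNSSEC or ldns): a minimal version of
# the ldns-verify-zone check discussed above. Records strictly below a delegation
# (an NS RRset at a non-apex owner) are occluded or glue, so they must not carry
# RRSIGs. A record is (owner, type, type_covered); type_covered is set only on
# RRSIG rows, and RDATA is omitted because only owner names and types matter.
APEX = "example.com."

def proper_ancestors(name, apex):
    """Names strictly between `name` and `apex`, closest first (all end in '.')."""
    labels = name.split(".")
    depth = len(labels) - len(apex.split("."))
    return [".".join(labels[i:]) for i in range(1, depth)]

def zone_cuts(records, apex):
    """Delegation points: every non-apex owner of an NS RRset."""
    return {o for o, t, _ in records if t == "NS" and o != apex}

def occluded_signed(records, apex=APEX):
    """(owner, type) pairs that carry an RRSIG although they are not authoritative."""
    cuts = zone_cuts(records, apex)
    signed = {(o, c) for o, t, c in records if t == "RRSIG"}
    errors = []
    for owner, rtype, _ in records:
        if rtype == "RRSIG" or (owner, rtype) not in signed:
            continue
        below_cut = any(a in cuts for a in proper_ancestors(owner, apex))
        delegation_ns = rtype == "NS" and owner in cuts  # parent-side copy of the NS set
        if (below_cut or delegation_ns) and (owner, rtype) not in errors:
            errors.append((owner, rtype))
    return errors

# Constructed from the owner names and types of the test case 3 signed zone above.
CASE3 = [
    ("example.com.", "SOA", None), ("example.com.", "RRSIG", "SOA"),
    ("example.com.", "DNSKEY", None), ("example.com.", "RRSIG", "DNSKEY"),
    ("example.com.", "NSEC3PARAM", None), ("example.com.", "RRSIG", "NSEC3PARAM"),
    ("example.com.", "NS", None), ("example.com.", "RRSIG", "NS"),
    ("1ale25q63qf27j2lrhoqm9um0a3u3e6r.example.com.", "NSEC3", None),
    ("1ale25q63qf27j2lrhoqm9um0a3u3e6r.example.com.", "RRSIG", "NSEC3"),
    ("site1.example.com.", "NS", None),  # the delegation that turns the A records below into glue
    ("ns1.site1.example.com.", "A", None), ("ns1.site1.example.com.", "RRSIG", "A"),
    ("ns2.site1.example.com.", "A", None), ("ns2.site1.example.com.", "RRSIG", "A"),
    ("site2.example.com.", "NS", None),
]
# Test case 2 is the same zone without the site1 delegation, so those A records are authoritative.
CASE2 = [r for r in CASE3 if r[0] != "site1.example.com."]
if __name__ == "__main__":
    for label, zone in (("test case 2", CASE2), ("test case 3", CASE3)):
        for owner, rtype in occluded_signed(zone):
            print(f"{label}: Error: {owner} {rtype} has signature(s), but is occluded (or glue)")
```

Running it reports nothing for test case 2 and the two ns1/ns2 A errors for test case 3, matching the ldns-verify-zone output in the thread.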