[Opendnssec-user] opendnssec / ldns-verify-zone - A has signature(s), but is occluded (or glue)

Barshani Jalaludeen barshani.jalaludeen at oivan.com
Mon Jun 30 07:52:36 UTC 2025


Hi,

We are getting the following error while verifying the opendnssec signed zone file: " A has signature(s), but is occluded (or glue)"

Following are the test cases done on the opendnssec server. I am not sure whether it is a bug or whether we need to follow some procedure to avoid this issue. Please suggest.


opendnssec version: opendnssec-2.1.14, softHSM version: softhsm-2.6.1

example.com zone file:-
------
$ORIGIN example.com.
$TTL 86400
@   IN  SOA     ns1.example.com.   hostmaster.example.com. (
                  2025062628 ; serial
                  7200       ; refresh (2 hours)
                  3600       ; retry (1 hour)
                  1209600    ; expire (2 weeks)
                  3600       ; minimum (1 hour)
                  )
example.com.      3600    IN      NS      ns1.dnsp.com.
example.com.      3600    IN      NS      ns2.dnsp.com.
ns1.dnsp.com.  3600    IN      A       192.0.2.1
ns2.dnsp.com.  3600    IN      A       192.0.2.2
;child zones
site1.example.com.      IN      NS      ns1.site1.example.com.
site1.example.com.      IN      NS      ns2.site1.example.com.
site2.example.com.      IN      NS      ns1.site1.example.com.
site2.example.com.      IN      NS      ns2.site1.example.com.
ns1.site1.example.com.  IN      A       192.168.0.1
ns2.site1.example.com.  IN      A       192.168.0.2

Test case 1: Signing by opendnssec works fine with the above example.com zone file. ldns-verify-zone succeeded for the signed zone file without any issue.

Test case 2. From the above zone file, if we remove the child zone entries "site1.example.com.      IN      NS      ns1.site1.example.com." AND "site1.example.com.      IN      NS      ns2.site1.example.com.", then the Signer considers "ns1.site1.example.com.  86400   IN      A       192.168.0.1" and "ns2.site1.example.com.  IN      A       192.168.0.2" as "A" records and the signed file has NSEC3 records. Here, ldns-verify-zone succeeded for the signed zone file and completed.

Test case 3. Now if we add back the (removed child zone) entries "site1.example.com.      IN      NS      ns1.site1.example.com." AND "site1.example.com.      IN      NS      ns2.site1.example.com.", then the Signer again considers ns1.site1.example.com. and ns2.site1.example.com. as "A" records and signs them (without NSEC3 records). Here ldns-verify-zone fails with the following error for the signed zone.

r0ts-dns-ids01:/var/opendnssec/signed# ldns-verify-zone /var/opendnssec/signed/example.com
Error: ns1.site1.example.com.   A has signature(s), but is occluded (or glue)
Error: ns2.site1.example.com.   A has signature(s), but is occluded (or glue)
There were errors in the zone

Details:-

Test case 2:

Unsigned Zone file: example.com
$ORIGIN example.com.
$TTL 86400
@   IN  SOA     ns1.example.com.   hostmaster.example.com. (
                  2025062901 ; serial
                  7200       ; refresh (2 hours)
                  3600       ; retry (1 hour)
                  1209600    ; expire (2 weeks)
                  3600       ; minimum (1 hour)
                  )
example.com.      3600    IN      NS      ns1.dnsp.com.
example.com.      3600    IN      NS      ns2.dnsp.com.
ns1.dnsp.com.  3600    IN      A       192.0.2.1
ns2.dnsp.com.  3600    IN      A       192.0.2.2
;child zones
site2.example.com.      IN      NS      ns1.site1.example.com.
site2.example.com.      IN      NS      ns2.site1.example.com.
ns1.site1.example.com.  IN      A       192.168.0.1
ns2.site1.example.com.  IN      A       192.168.0.2

Signed Zone File: example.com
example.com.    3600    IN      SOA     ns1.example.com. hostmaster.example.com. 2025062903 7200 3600 1209600 3600
example.com.    3600    IN      RRSIG   SOA 13 2 3600 20250713103826 20250629093857 50857 example.com. X/yOKaNg2nSnRKruh6iw/9+v11AiGIGnfMBmM+/hZ51lu2F/yl3MipaRrVY0XzQRmAUvDWhGY0rLYAlEEaNCMw==
example.com.    3600    IN      DNSKEY  257 3 13 95MijHgdYxr1CzIuPE+vdPaWxqKPoAaCGod0hzEa0WugTXSgNgk3XUXklMxbRnWOYBUHbWyw5OmVbuufKDsfeg== ;{id = 41231 (ksk), size = 256b}
example.com.    3600    IN      DNSKEY  256 3 13 WEFhn+zqcTg9bTIiUWQfFcZ2+1epiGlZopAlQ6U8lvabGV2+TH0QHY113wbE/YrcNIqYqOEp76uxZpAqWzSlQA== ;{id = 50857 (zsk), size = 256b}
example.com.    3600    IN      RRSIG   DNSKEY 13 2 3600 20250713102836 20250629092913 41231 example.com. DYAMbh+yhjEKwqIWzCJWGuj6zxEzZ0eDjceBZ8owP3sposej0ey78xFIrICUNmBW82xyiDbmH9ho2rCSF9ik3g==
example.com.    0       IN      NSEC3PARAM      1 0 5 4d91322a387fea14
example.com.    0       IN      RRSIG   NSEC3PARAM 13 2 0 20250713102908 20250629092913 50857 example.com. zxNW+KlSKJ5kxdob/krPTB2F0eFX8mJZZUtRU10Oo6U2T9qnLGqnNd3kwJ5iHuQu4PVsQnHTk06rcuUDQ/KLTQ==
example.com.    3600    IN      NS      ns1.dnsp.com.
example.com.    3600    IN      NS      ns2.dnsp.com.
example.com.    3600    IN      RRSIG   NS 13 2 3600 20250713102907 20250629092913 50857 example.com. tcVd5ekK65yOEKjJFJ5o5/EMOXfCB+5Qk04Wp5nIuwdnsMFPrhCLsps0Tr0vK7sUbjIITnukF+6ldYW3JKRPQg==
1ale25q63qf27j2lrhoqm9um0a3u3e6r.example.com.   3600    IN      NSEC3   1 1 5 4d91322a387fea14  6khjs8s1km7q7o0kiuo75681umgi1vne NS SOA RRSIG DNSKEY NSEC3PARAM
1ale25q63qf27j2lrhoqm9um0a3u3e6r.example.com.   3600    IN      RRSIG   NSEC3 13 3 3600 20250713103836 20250629093857 50857 example.com. kQIXRVlVYtnvevX+FXgOB/dSs28sxyxpt3yClLF6ddJX7zcHL71PwECAlQtVciZ84+TeBB0G1ml0DsO3UHbAHQ==
;;Empty non-terminal site1.example.com.
re7jfp9oitl3mdnjo2icnigv84kp0o2k.example.com.   3600    IN      NSEC3   1 1 5 4d91322a387fea14  1ale25q63qf27j2lrhoqm9um0a3u3e6r
re7jfp9oitl3mdnjo2icnigv84kp0o2k.example.com.   3600    IN      RRSIG   NSEC3 13 3 3600 20250713103937 20250629093857 50857 example.com. KwpkOK2LdtB+k1MkVTXT2tpwQHHE8FGamLzHtsU7ySCWZyMGl9xpkOH/Lag2fQq7ccd3E7/bKP2Uwj+jB5Chsw==
ns1.site1.example.com.  86400   IN      A       192.168.0.1
ns1.site1.example.com.  86400   IN      RRSIG   A 13 4 86400 20250713103810 20250629093857 50857 example.com. ifDngOBydUkZo9JdAlL8MhqxyYsrXIo5iRXN5bsPSWrFfo0fMNAC3MdluIRoJad5/WpEB5eVwIq7g20fLd1GVQ==
6khjs8s1km7q7o0kiuo75681umgi1vne.example.com.   3600    IN      NSEC3   1 1 5 4d91322a387fea14  9mf6b0gr55bvjvt1r7mjhk74oal4o0gf A RRSIG
6khjs8s1km7q7o0kiuo75681umgi1vne.example.com.   3600    IN      RRSIG   NSEC3 13 3 3600 20250713103903 20250629093857 50857 example.com. gIAkLHKiIGqPyRZImhY7Eq0oOiyXZQvYHYAEceuBTaSN7WxYtZcdt+JpztJ35tc6dX4eY+rK5CffpGY8hI7y7A==
ns2.site1.example.com.  86400   IN      A       192.168.0.2
ns2.site1.example.com.  86400   IN      RRSIG   A 13 4 86400 20250713103953 20250629093857 50857 example.com. pKiTdWEWLxWi2BlptnVecYhXde+65JzTmtvBbsWx3KFYxLjDKkEEtOejpujDL8mCW5ssEXjnjiqqnZgj7/TGww==
9mf6b0gr55bvjvt1r7mjhk74oal4o0gf.example.com.   3600    IN      NSEC3   1 1 5 4d91322a387fea14  re7jfp9oitl3mdnjo2icnigv84kp0o2k A RRSIG
9mf6b0gr55bvjvt1r7mjhk74oal4o0gf.example.com.   3600    IN      RRSIG   NSEC3 13 3 3600 20250713103915 20250629093857 50857 example.com. BNIl/sn22QWiF4KIsS4+jXLPheV/pVDxAT14Lt29kvnyCkv6DFYJAYLbXZT9RmVHLN4q14CABKu4zCuQ7WUyDg==
site2.example.com.      86400   IN      NS      ns1.site1.example.com.
site2.example.com.      86400   IN      NS      ns2.site1.example.com.

Test case 3:

Unsigned zone file: example.com
$ORIGIN example.com.
$TTL 86400
@   IN  SOA     ns1.example.com.   hostmaster.example.com. (
                  2025062901 ; serial
                  7200       ; refresh (2 hours)
                  3600       ; retry (1 hour)
                  1209600    ; expire (2 weeks)
                  3600       ; minimum (1 hour)
                  )
example.com.      3600    IN      NS      ns1.dnsp.com.
example.com.      3600    IN      NS      ns2.dnsp.com.
ns1.dnsp.com.  3600    IN      A       192.0.2.1
ns2.dnsp.com.  3600    IN      A       192.0.2.2
;child zones
site1.example.com.      IN      NS      ns1.site1.example.com.
site1.example.com.      IN      NS      ns2.site1.example.com.
site2.example.com.      IN      NS      ns1.site1.example.com.
site2.example.com.      IN      NS      ns2.site1.example.com.
ns1.site1.example.com.  IN      A       192.168.0.1
ns2.site1.example.com.  IN      A       192.168.0.2

Signed Zone file: example.com
example.com.    3600    IN      SOA     ns1.example.com. hostmaster.example.com. 2025062904 7200 3600 1209600 3600
example.com.    3600    IN      RRSIG   SOA 13 2 3600 20250713105836 20250629095744 50857 example.com. TIDrmS7eA9Et/VdX0sCWRN3LO4aT8PymaE4Le4BV8lrBDNc8TaWZEkMAO4ygkpliMNDS/6xlMeDXSYzjHuloVA==
example.com.    3600    IN      DNSKEY  257 3 13 95MijHgdYxr1CzIuPE+vdPaWxqKPoAaCGod0hzEa0WugTXSgNgk3XUXklMxbRnWOYBUHbWyw5OmVbuufKDsfeg== ;{id = 41231 (ksk), size = 256b}
example.com.    3600    IN      DNSKEY  256 3 13 WEFhn+zqcTg9bTIiUWQfFcZ2+1epiGlZopAlQ6U8lvabGV2+TH0QHY113wbE/YrcNIqYqOEp76uxZpAqWzSlQA== ;{id = 50857 (zsk), size = 256b}
example.com.    3600    IN      RRSIG   DNSKEY 13 2 3600 20250713102836 20250629092913 41231 example.com. DYAMbh+yhjEKwqIWzCJWGuj6zxEzZ0eDjceBZ8owP3sposej0ey78xFIrICUNmBW82xyiDbmH9ho2rCSF9ik3g==
example.com.    0       IN      NSEC3PARAM      1 0 5 4d91322a387fea14
example.com.    0       IN      RRSIG   NSEC3PARAM 13 2 0 20250713102908 20250629092913 50857 example.com. zxNW+KlSKJ5kxdob/krPTB2F0eFX8mJZZUtRU10Oo6U2T9qnLGqnNd3kwJ5iHuQu4PVsQnHTk06rcuUDQ/KLTQ==
example.com.    3600    IN      NS      ns1.dnsp.com.
example.com.    3600    IN      NS      ns2.dnsp.com.
example.com.    3600    IN      RRSIG   NS 13 2 3600 20250713102907 20250629092913 50857 example.com. tcVd5ekK65yOEKjJFJ5o5/EMOXfCB+5Qk04Wp5nIuwdnsMFPrhCLsps0Tr0vK7sUbjIITnukF+6ldYW3JKRPQg==
1ale25q63qf27j2lrhoqm9um0a3u3e6r.example.com.   3600    IN      NSEC3   1 1 5 4d91322a387fea14  1ale25q63qf27j2lrhoqm9um0a3u3e6r NS SOA RRSIG DNSKEY NSEC3PARAM
1ale25q63qf27j2lrhoqm9um0a3u3e6r.example.com.   3600    IN      RRSIG   NSEC3 13 3 3600 20250713105659 20250629095744 50857 example.com. EeyBPLB1tAvIo0DLt3N+QAQDPMu3T54r0eWfR9DyrwsdTv8TRtAOrcf/JdOlDa85fzBdInZCmJf1UXi/ebXXIw==
site1.example.com.      86400   IN      NS      ns1.site1.example.com.
site1.example.com.      86400   IN      NS      ns2.site1.example.com.
ns1.site1.example.com.  86400   IN      A       192.168.0.1
ns1.site1.example.com.  86400   IN      RRSIG   A 13 4 86400 20250713103810 20250629093857 50857 example.com. ifDngOBydUkZo9JdAlL8MhqxyYsrXIo5iRXN5bsPSWrFfo0fMNAC3MdluIRoJad5/WpEB5eVwIq7g20fLd1GVQ==
ns2.site1.example.com.  86400   IN      A       192.168.0.2
ns2.site1.example.com.  86400   IN      RRSIG   A 13 4 86400 20250713103953 20250629093857 50857 example.com. pKiTdWEWLxWi2BlptnVecYhXde+65JzTmtvBbsWx3KFYxLjDKkEEtOejpujDL8mCW5ssEXjnjiqqnZgj7/TGww==
site2.example.com.      86400   IN      NS      ns1.site1.example.com.
site2.example.com.      86400   IN      NS      ns2.site1.example.com.

r0ts-dns-ids01:/var/opendnssec/signed# ldns-verify-zone /var/opendnssec/signed/example.com
Error: ns1.site1.example.com.   A has signature(s), but is occluded (or glue)
Error: ns2.site1.example.com.   A has signature(s), but is occluded (or glue)
There were errors in the zone

Thanks
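The check behind the ldns-verify-zone error above, as an added example that is not part of the post and is not OpenDNSSEC or ldns code: once site1.example.com. gets NS records it becomes a zone cut, so the A records of ns1/ns2.site1.example.com. are glue and must carry no RRSIG (RFC 4035, section 2.2). The sample zone is a trimmed, constructed copy of the test case 3 signed output with the RRSIG data replaced by a placeholder, and the parser assumes fully qualified one-record-per-line zone text as the signer emits it.

```python
# Added example, not code from the post, OpenDNSSEC or ldns: the occluded/glue signature
# check behind "has signature(s), but is occluded (or glue)", on fully qualified zone text.
# Constructed sample: test case 3 signed zone from the post, trimmed, RRSIG data shortened.
SIGNED_ZONE = """\
example.com.            3600 IN SOA   ns1.example.com. hostmaster.example.com. 2025062904 7200 3600 1209600 3600
example.com.            3600 IN NS    ns1.dnsp.com.
example.com.            3600 IN RRSIG NS 13 2 3600 20250713102907 20250629092913 50857 example.com. sig==
site1.example.com.     86400 IN NS    ns1.site1.example.com.
site1.example.com.     86400 IN NS    ns2.site1.example.com.
ns1.site1.example.com. 86400 IN A     192.168.0.1
ns1.site1.example.com. 86400 IN RRSIG A 13 4 86400 20250713103810 20250629093857 50857 example.com. sig==
ns2.site1.example.com. 86400 IN A     192.168.0.2
ns2.site1.example.com. 86400 IN RRSIG A 13 4 86400 20250713103953 20250629093857 50857 example.com. sig==
"""

def parse_records(zone_text):
    """(owner, rrtype, rdata_fields) per line; ';' comments dropped, relative names unsupported."""
    records = []
    for line in zone_text.splitlines():
        fields = line.split(";")[0].split()
        if len(fields) >= 4:
            owner, _ttl, _cls, rrtype, *rdata = fields
            records.append((owner.lower(), rrtype.upper(), rdata))
    return records

def zone_cuts(records):
    """Delegation points: every owner of an NS RRset other than the apex (the SOA owner)."""
    apex = next(owner for owner, rrtype, _ in records if rrtype == "SOA")
    return {owner for owner, rrtype, _ in records if rrtype == "NS" and owner != apex}

def is_occluded(owner, cuts):
    """Strictly below a cut: glue such as ns1.site1.example.com., or occluded data."""
    return any(owner.endswith("." + cut) for cut in cuts)

def find_signed_occluded(zone_text):
    """RFC 4035 2.2: glue and occluded records carry no RRSIG; report any that do."""
    records = parse_records(zone_text)
    cuts = zone_cuts(records)
    return [f"{owner} {rdata[0]} has signature(s), but is occluded (or glue)"
            for owner, rrtype, rdata in records
            if rrtype == "RRSIG" and is_occluded(owner, cuts)]

def strip_occluded_signatures(zone_text):
    """Same zone minus the offending RRSIGs: what a clean re-sign of test case 3 should contain."""
    cuts = zone_cuts(parse_records(zone_text))
    keep = []
    for line in zone_text.splitlines():
        f = line.split(";")[0].split()
        if not (len(f) > 3 and f[3].upper() == "RRSIG" and is_occluded(f[0].lower(), cuts)):
            keep.append(line)
    return "\n".join(keep) + "\n"
```

Dropping the two site1 NS lines from the sample reproduces test case 2, where the same signed A records are legitimate authoritative data and the check reports nothing.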
