[Opendnssec-user] opendnssec / ldns-verify-zone - A has signature(s), but is occluded (or glue)
Barshani Jalaludeen
barshani.jalaludeen at oivan.com
Mon Jun 30 07:52:36 UTC 2025
Hi,
We are getting the following error while verifying the opendnssec-signed zone file: "A has signature(s), but is occluded (or glue)"
Following are the test cases done on the opendnssec server. I am not sure whether it is a bug or whether we need to follow some procedure to avoid this issue. Please suggest.
opendnssec version: opendnssec-2.1.14, softHSM version: softhsm-2.6.1
example.com zone file:-
------
$ORIGIN example.com.
$TTL 86400
@ IN SOA ns1.example.com. hostmaster.example.com. (
2025062628 ; serial
7200 ; refresh (2 hours)
3600 ; retry (1 hour)
1209600 ; expire (2 weeks)
3600 ; minimum (1 hour)
)
example.com. 3600 IN NS ns1.dnsp.com.
example.com. 3600 IN NS ns2.dnsp.com.
ns1.dnsp.com. 3600 IN A 192.0.2.1
ns2.dnsp.com. 3600 IN A 192.0.2.2
;child zones
site1.example.com. IN NS ns1.site1.example.com.
site1.example.com. IN NS ns2.site1.example.com.
site2.example.com. IN NS ns1.site1.example.com.
site2.example.com. IN NS ns2.site1.example.com.
ns1.site1.example.com. IN A 192.168.0.1
ns2.site1.example.com. IN A 192.168.0.2
Test case 1: Signing by opendnssec works fine with the above example.com zone file. ldns-verify-zone succeeded for the signed zone file without any issue.
Test case 2: From the above zone file, if we remove the child zone entries "site1.example.com. IN NS ns1.site1.example.com." and "site1.example.com. IN NS ns2.site1.example.com.", then the Signer considers "ns1.site1.example.com. 86400 IN A 192.168.0.1" and "ns2.site1.example.com. IN A 192.168.0.2" as "A" records and the signed file is with NSEC3 records. Here, ldns-verify-zone succeeded for the signed zone file and completed.
Test case 3: Now if we add back the (removed child zone) entries "site1.example.com. IN NS ns1.site1.example.com." and "site1.example.com. IN NS ns2.site1.example.com.", then the Signer again considers ns1.site1.example.com and ns2.site1.example.com. as "A" records and signs them (without NSEC3 records). Here ldns-verify-zone fails with the following error for the signed zone.
r0ts-dns-ids01:/var/opendnssec/signed# ldns-verify-zone /var/opendnssec/signed/example.com
Error: ns1.site1.example.com. A has signature(s), but is occluded (or glue)
Error: ns2.site1.example.com. A has signature(s), but is occluded (or glue)
There were errors in the zone
Details:-
Test case 2:
Unsigned Zone file: example.com
$ORIGIN example.com.
$TTL 86400
@ IN SOA ns1.example.com. hostmaster.example.com. (
2025062901 ; serial
7200 ; refresh (2 hours)
3600 ; retry (1 hour)
1209600 ; expire (2 weeks)
3600 ; minimum (1 hour)
)
example.com. 3600 IN NS ns1.dnsp.com.
example.com. 3600 IN NS ns2.dnsp.com.
ns1.dnsp.com. 3600 IN A 192.0.2.1
ns2.dnsp.com. 3600 IN A 192.0.2.2
;child zones
site2.example.com. IN NS ns1.site1.example.com.
site2.example.com. IN NS ns2.site1.example.com.
ns1.site1.example.com. IN A 192.168.0.1
ns2.site1.example.com. IN A 192.168.0.2
Signed Zone File: example.com
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2025062903 7200 3600 1209600 3600
example.com. 3600 IN RRSIG SOA 13 2 3600 20250713103826 20250629093857 50857 example.com. X/yOKaNg2nSnRKruh6iw/9+v11AiGIGnfMBmM+/hZ51lu2F/yl3MipaRrVY0XzQRmAUvDWhGY0rLYAlEEaNCMw==
example.com. 3600 IN DNSKEY 257 3 13 95MijHgdYxr1CzIuPE+vdPaWxqKPoAaCGod0hzEa0WugTXSgNgk3XUXklMxbRnWOYBUHbWyw5OmVbuufKDsfeg== ;{id = 41231 (ksk), size = 256b}
example.com. 3600 IN DNSKEY 256 3 13 WEFhn+zqcTg9bTIiUWQfFcZ2+1epiGlZopAlQ6U8lvabGV2+TH0QHY113wbE/YrcNIqYqOEp76uxZpAqWzSlQA== ;{id = 50857 (zsk), size = 256b}
example.com. 3600 IN RRSIG DNSKEY 13 2 3600 20250713102836 20250629092913 41231 example.com. DYAMbh+yhjEKwqIWzCJWGuj6zxEzZ0eDjceBZ8owP3sposej0ey78xFIrICUNmBW82xyiDbmH9ho2rCSF9ik3g==
example.com. 0 IN NSEC3PARAM 1 0 5 4d91322a387fea14
example.com. 0 IN RRSIG NSEC3PARAM 13 2 0 20250713102908 20250629092913 50857 example.com. zxNW+KlSKJ5kxdob/krPTB2F0eFX8mJZZUtRU10Oo6U2T9qnLGqnNd3kwJ5iHuQu4PVsQnHTk06rcuUDQ/KLTQ==
example.com. 3600 IN NS ns1.dnsp.com.
example.com. 3600 IN NS ns2.dnsp.com.
example.com. 3600 IN RRSIG NS 13 2 3600 20250713102907 20250629092913 50857 example.com. tcVd5ekK65yOEKjJFJ5o5/EMOXfCB+5Qk04Wp5nIuwdnsMFPrhCLsps0Tr0vK7sUbjIITnukF+6ldYW3JKRPQg==
1ale25q63qf27j2lrhoqm9um0a3u3e6r.example.com. 3600 IN NSEC3 1 1 5 4d91322a387fea14 6khjs8s1km7q7o0kiuo75681umgi1vne NS SOA RRSIG DNSKEY NSEC3PARAM
1ale25q63qf27j2lrhoqm9um0a3u3e6r.example.com. 3600 IN RRSIG NSEC3 13 3 3600 20250713103836 20250629093857 50857 example.com. kQIXRVlVYtnvevX+FXgOB/dSs28sxyxpt3yClLF6ddJX7zcHL71PwECAlQtVciZ84+TeBB0G1ml0DsO3UHbAHQ==
;;Empty non-terminal site1.example.com.
re7jfp9oitl3mdnjo2icnigv84kp0o2k.example.com. 3600 IN NSEC3 1 1 5 4d91322a387fea14 1ale25q63qf27j2lrhoqm9um0a3u3e6r
re7jfp9oitl3mdnjo2icnigv84kp0o2k.example.com. 3600 IN RRSIG NSEC3 13 3 3600 20250713103937 20250629093857 50857 example.com. KwpkOK2LdtB+k1MkVTXT2tpwQHHE8FGamLzHtsU7ySCWZyMGl9xpkOH/Lag2fQq7ccd3E7/bKP2Uwj+jB5Chsw==
ns1.site1.example.com. 86400 IN A 192.168.0.1
ns1.site1.example.com. 86400 IN RRSIG A 13 4 86400 20250713103810 20250629093857 50857 example.com. ifDngOBydUkZo9JdAlL8MhqxyYsrXIo5iRXN5bsPSWrFfo0fMNAC3MdluIRoJad5/WpEB5eVwIq7g20fLd1GVQ==
6khjs8s1km7q7o0kiuo75681umgi1vne.example.com. 3600 IN NSEC3 1 1 5 4d91322a387fea14 9mf6b0gr55bvjvt1r7mjhk74oal4o0gf A RRSIG
6khjs8s1km7q7o0kiuo75681umgi1vne.example.com. 3600 IN RRSIG NSEC3 13 3 3600 20250713103903 20250629093857 50857 example.com. gIAkLHKiIGqPyRZImhY7Eq0oOiyXZQvYHYAEceuBTaSN7WxYtZcdt+JpztJ35tc6dX4eY+rK5CffpGY8hI7y7A==
ns2.site1.example.com. 86400 IN A 192.168.0.2
ns2.site1.example.com. 86400 IN RRSIG A 13 4 86400 20250713103953 20250629093857 50857 example.com. pKiTdWEWLxWi2BlptnVecYhXde+65JzTmtvBbsWx3KFYxLjDKkEEtOejpujDL8mCW5ssEXjnjiqqnZgj7/TGww==
9mf6b0gr55bvjvt1r7mjhk74oal4o0gf.example.com. 3600 IN NSEC3 1 1 5 4d91322a387fea14 re7jfp9oitl3mdnjo2icnigv84kp0o2k A RRSIG
9mf6b0gr55bvjvt1r7mjhk74oal4o0gf.example.com. 3600 IN RRSIG NSEC3 13 3 3600 20250713103915 20250629093857 50857 example.com. BNIl/sn22QWiF4KIsS4+jXLPheV/pVDxAT14Lt29kvnyCkv6DFYJAYLbXZT9RmVHLN4q14CABKu4zCuQ7WUyDg==
site2.example.com. 86400 IN NS ns1.site1.example.com.
site2.example.com. 86400 IN NS ns2.site1.example.com.
Test case 3:
Unsigned zone file: example.com
$ORIGIN example.com.
$TTL 86400
@ IN SOA ns1.example.com. hostmaster.example.com. (
2025062901 ; serial
7200 ; refresh (2 hours)
3600 ; retry (1 hour)
1209600 ; expire (2 weeks)
3600 ; minimum (1 hour)
)
example.com. 3600 IN NS ns1.dnsp.com.
example.com. 3600 IN NS ns2.dnsp.com.
ns1.dnsp.com. 3600 IN A 192.0.2.1
ns2.dnsp.com. 3600 IN A 192.0.2.2
;child zones
site1.example.com. IN NS ns1.site1.example.com.
site1.example.com. IN NS ns2.site1.example.com.
site2.example.com. IN NS ns1.site1.example.com.
site2.example.com. IN NS ns2.site1.example.com.
ns1.site1.example.com. IN A 192.168.0.1
ns2.site1.example.com. IN A 192.168.0.2
Signed Zone file: example.com
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2025062904 7200 3600 1209600 3600
example.com. 3600 IN RRSIG SOA 13 2 3600 20250713105836 20250629095744 50857 example.com. TIDrmS7eA9Et/VdX0sCWRN3LO4aT8PymaE4Le4BV8lrBDNc8TaWZEkMAO4ygkpliMNDS/6xlMeDXSYzjHuloVA==
example.com. 3600 IN DNSKEY 257 3 13 95MijHgdYxr1CzIuPE+vdPaWxqKPoAaCGod0hzEa0WugTXSgNgk3XUXklMxbRnWOYBUHbWyw5OmVbuufKDsfeg== ;{id = 41231 (ksk), size = 256b}
example.com. 3600 IN DNSKEY 256 3 13 WEFhn+zqcTg9bTIiUWQfFcZ2+1epiGlZopAlQ6U8lvabGV2+TH0QHY113wbE/YrcNIqYqOEp76uxZpAqWzSlQA== ;{id = 50857 (zsk), size = 256b}
example.com. 3600 IN RRSIG DNSKEY 13 2 3600 20250713102836 20250629092913 41231 example.com. DYAMbh+yhjEKwqIWzCJWGuj6zxEzZ0eDjceBZ8owP3sposej0ey78xFIrICUNmBW82xyiDbmH9ho2rCSF9ik3g==
example.com. 0 IN NSEC3PARAM 1 0 5 4d91322a387fea14
example.com. 0 IN RRSIG NSEC3PARAM 13 2 0 20250713102908 20250629092913 50857 example.com. zxNW+KlSKJ5kxdob/krPTB2F0eFX8mJZZUtRU10Oo6U2T9qnLGqnNd3kwJ5iHuQu4PVsQnHTk06rcuUDQ/KLTQ==
example.com. 3600 IN NS ns1.dnsp.com.
example.com. 3600 IN NS ns2.dnsp.com.
example.com. 3600 IN RRSIG NS 13 2 3600 20250713102907 20250629092913 50857 example.com. tcVd5ekK65yOEKjJFJ5o5/EMOXfCB+5Qk04Wp5nIuwdnsMFPrhCLsps0Tr0vK7sUbjIITnukF+6ldYW3JKRPQg==
1ale25q63qf27j2lrhoqm9um0a3u3e6r.example.com. 3600 IN NSEC3 1 1 5 4d91322a387fea14 1ale25q63qf27j2lrhoqm9um0a3u3e6r NS SOA RRSIG DNSKEY NSEC3PARAM
1ale25q63qf27j2lrhoqm9um0a3u3e6r.example.com. 3600 IN RRSIG NSEC3 13 3 3600 20250713105659 20250629095744 50857 example.com. EeyBPLB1tAvIo0DLt3N+QAQDPMu3T54r0eWfR9DyrwsdTv8TRtAOrcf/JdOlDa85fzBdInZCmJf1UXi/ebXXIw==
site1.example.com. 86400 IN NS ns1.site1.example.com.
site1.example.com. 86400 IN NS ns2.site1.example.com.
ns1.site1.example.com. 86400 IN A 192.168.0.1
ns1.site1.example.com. 86400 IN RRSIG A 13 4 86400 20250713103810 20250629093857 50857 example.com. ifDngOBydUkZo9JdAlL8MhqxyYsrXIo5iRXN5bsPSWrFfo0fMNAC3MdluIRoJad5/WpEB5eVwIq7g20fLd1GVQ==
ns2.site1.example.com. 86400 IN A 192.168.0.2
ns2.site1.example.com. 86400 IN RRSIG A 13 4 86400 20250713103953 20250629093857 50857 example.com. pKiTdWEWLxWi2BlptnVecYhXde+65JzTmtvBbsWx3KFYxLjDKkEEtOejpujDL8mCW5ssEXjnjiqqnZgj7/TGww==
site2.example.com. 86400 IN NS ns1.site1.example.com.
site2.example.com. 86400 IN NS ns2.site1.example.com.
r0ts-dns-ids01:/var/opendnssec/signed# ldns-verify-zone /var/opendnssec/signed/example.com
Error: ns1.site1.example.com. A has signature(s), but is occluded (or glue)
Error: ns2.site1.example.com. A has signature(s), but is occluded (or glue)
There were errors in the zone
Thanks
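The check that produces the "has signature(s), but is occluded (or glue)" message can be reproduced with a small zone walker. The script below is an added example for this thread, not code from OpenDNSSEC or ldns: it parses a one-RR-per-line zone in presentation format, finds the delegation points (NS RRsets below the apex), and reports every RRSIG whose owner name sits under such a cut. In test case 3 the NS records at site1.example.com make ns1/ns2.site1.example.com glue, so their A RRSIGs are flagged; in test case 2 there is no cut at site1, the A records are authoritative, and nothing is reported. The zone text is constructed from the records in the post, with signature data replaced by the placeholder SIGDATA; the SOA is written on one line because the parser does not handle parenthesised continuation.

```python
"""Flag signed glue / occluded data in a DNSSEC zone (presentation format).

Added example for the opendnssec-user thread above; not OpenDNSSEC or ldns code.
Input format handled: one RR per line, absolute owner names, optional TTL and
class, comments after ';'. Signature fields are a constructed placeholder.
"""

# Constructed from the test case 3 signed zone in the post (SIGDATA = placeholder).
ZONE_TC3 = """\
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2025062904 7200 3600 1209600 3600
example.com. 3600 IN RRSIG SOA 13 2 3600 20250713105836 20250629095744 50857 example.com. SIGDATA
example.com. 3600 IN NS ns1.dnsp.com.
example.com. 3600 IN NS ns2.dnsp.com.
example.com. 3600 IN RRSIG NS 13 2 3600 20250713102907 20250629092913 50857 example.com. SIGDATA
site1.example.com. 86400 IN NS ns1.site1.example.com.
site1.example.com. 86400 IN NS ns2.site1.example.com.
ns1.site1.example.com. 86400 IN A 192.168.0.1
ns1.site1.example.com. 86400 IN RRSIG A 13 4 86400 20250713103810 20250629093857 50857 example.com. SIGDATA
ns2.site1.example.com. 86400 IN A 192.168.0.2
ns2.site1.example.com. 86400 IN RRSIG A 13 4 86400 20250713103953 20250629093857 50857 example.com. SIGDATA
site2.example.com. 86400 IN NS ns1.site1.example.com.
site2.example.com. 86400 IN NS ns2.site1.example.com.
"""

# Test case 2 variant: same zone without the delegation at site1.example.com.
ZONE_TC2 = "\n".join(l for l in ZONE_TC3.splitlines() if not l.startswith("site1.")) + "\n"


def parse_zone(text):
    """Return a list of (owner, type, rdata_tokens); owners lower-cased and absolute."""
    rrs = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()      # strip comments
        if not line or line.startswith("$"):      # skip directives such as $ORIGIN
            continue
        toks = line.split()
        name = toks[0].lower()
        if not name.endswith("."):
            name += "."
        i = 1
        if toks[i].isdigit():                     # optional TTL
            i += 1
        if toks[i].upper() == "IN":               # optional class
            i += 1
        rrs.append((name, toks[i].upper(), toks[i + 1:]))
    return rrs


def ancestors(name):
    """Yield the proper ancestors of an absolute name, nearest first."""
    labels = name.rstrip(".").split(".")
    for i in range(1, len(labels)):
        yield ".".join(labels[i:]) + "."


def zone_cuts(rrs):
    """Apex (SOA owner) and the set of delegation points (NS owners below the apex)."""
    apex = next(n for n, t, _ in rrs if t == "SOA")
    delegations = {n for n, t, _ in rrs if t == "NS" and n != apex}
    return apex, delegations


def is_below_cut(name, apex, delegations):
    """True when a delegation point lies strictly between name and the apex."""
    for anc in ancestors(name):
        if anc == apex:
            return False
        if anc in delegations:
            return True
    return False                                  # out-of-zone name; not judged here


def glue_addresses(rrs):
    """Owner names whose A/AAAA records are glue (must not carry RRSIGs)."""
    apex, delegations = zone_cuts(rrs)
    return sorted({n for n, t, _ in rrs
                   if t in ("A", "AAAA") and is_below_cut(n, apex, delegations)})


def check_signatures(rrs):
    """Report RRSIGs that cover data the parent zone is not authoritative for."""
    apex, delegations = zone_cuts(rrs)
    findings = []
    for name, rtype, rdata in rrs:
        if rtype != "RRSIG":
            continue
        covered = rdata[0].upper()                # type covered by this RRSIG
        if is_below_cut(name, apex, delegations):
            findings.append(f"{name} {covered} has signature(s), but is occluded (or glue)")
        elif name in delegations and covered not in ("DS", "NSEC"):
            # At the cut itself only DS and the NSEC proving the cut are signed by the parent.
            findings.append(f"{name} {covered} is signed at a delegation point")
    return findings


if __name__ == "__main__":
    for label, zone in (("test case 3", ZONE_TC3), ("test case 2", ZONE_TC2)):
        rrs = parse_zone(zone)
        print(label, "glue:", glue_addresses(rrs))
        for f in check_signatures(rrs):
            print(label, "Error:", f)
```

The two-stage logic is the point: a record is glue or occluded purely because of what other records exist (an NS RRset at an ancestor name), not because of anything in the record itself. That is why the same two A records are correctly signed and present in the NSEC3 chain in test case 2 and rejected in test case 3, and why a signer that remembers the previous signing state must re-evaluate authority for every name under a newly added delegation.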