[Opendnssec-user] How to report a critical issue against OpenDNSSEC?
Stephane Bortzmeyer
bortzmeyer at nic.fr
Thu Nov 6 09:43:19 UTC 2025
In the context of the OpenDNSSEC end-of-life, I see that reporting issues
on the GitHub repository is now disabled. Still, critical and security
bugs can be fixed, but how does one report them?
Here is the issue, which I believe is very serious:
When I use the syntax for unknown types (RFC 3597) (here,
/var/lib/opendnssec/unsigned/bortzmeyer.fr):
@ IN TYPE262 \# 39 03425443 223148744E4A365A465563397975397532714177423474476447775051617351476178
(Type 262, WALLET, is officially registered at IANA but, when I
started using it, it was not known by most software.)
Then the OpenDNSSEC signer translates it to TXT (!!!) (here,
/var/lib/opendnssec/signed/bortzmeyer.fr):
bortzmeyer.fr. 86400 IN TXT "BTC" "1HtNJ6ZFUc9yu9u2qAwB4tGdGwPQasQGax"
As a result, there are two RRSIGs for the TXT RRset, at least one of them
invalid (since it was made for another RR type):
bortzmeyer.fr. 86400 IN TXT "v=spf1 mx -all"
bortzmeyer.fr. 86400 IN TXT "DNS is innocent"
bortzmeyer.fr. 86400 IN RRSIG TXT 13 2 86400 20251113215344 20251030142433 32088 bortzmeyer.fr. bWAlKMSQPDALOeEmwwfh47qGjloBK3YRH3rGydVJBis4lFIsIsE09bkqviBiGyjNqpS/loFaiMS4FRIeh06jwg==
bortzmeyer.fr. 86400 IN TXT "BTC" "1HtNJ6ZFUc9yu9u2qAwB4tGdGwPQasQGax"
bortzmeyer.fr. 86400 IN RRSIG TXT 13 2 86400 20251113173453 20251030142433 32088 bortzmeyer.fr. J1arZUBP+G5nc54zetyD45rqDyURJeZyFjRRkixQrPokBPxNkyt1RHzdH78a0rM93Zzu0q+N/zzxMQScl0KVHw==
The result is of course SERVFAIL. It also broke the NSEC3 chain.
% dig bortzmeyer.fr TXT
; <<>> DiG 9.20.15-1~deb13u1-Debian <<>> bortzmeyer.fr TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 28082
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; EDE: 6 (DNSSEC Bogus)
;; QUESTION SECTION:
;bortzmeyer.fr. IN TXT
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Thu Nov 06 08:17:48 UTC 2025
;; MSG SIZE rcvd: 48
% dig +cd bortzmeyer.fr TXT
; <<>> DiG 9.20.15-1~deb13u1-Debian <<>> +cd bortzmeyer.fr TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44332
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; EDE: 6 (DNSSEC Bogus)
;; QUESTION SECTION:
;bortzmeyer.fr. IN TXT
;; ANSWER SECTION:
bortzmeyer.fr. 45 IN TXT "DNS is innocent"
bortzmeyer.fr. 45 IN TXT "v=spf1 mx -all"
bortzmeyer.fr. 45 IN TXT "BTC" "1HtNJ6ZFUc9yu9u2qAwB4tGdGwPQasQGax"
bortzmeyer.fr. 45 IN RRSIG TXT 13 2 86400 (
20251113173453 20251030142433 32088 bortzmeyer.fr.
J1arZUBP+G5nc54zetyD45rqDyURJeZyFjRRkixQrPok
BPxNkyt1RHzdH78a0rM93Zzu0q+N/zzxMQScl0KVHw== )
bortzmeyer.fr. 45 IN RRSIG TXT 13 2 86400 (
20251113215344 20251030142433 32088 bortzmeyer.fr.
bWAlKMSQPDALOeEmwwfh47qGjloBK3YRH3rGydVJBis4
lFIsIsE09bkqviBiGyjNqpS/loFaiMS4FRIeh06jwg== )
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Thu Nov 06 08:17:51 UTC 2025
;; MSG SIZE rcvd: 372
Removing the TYPE262 line and re-signing solved the problem.
What is especially strange is that the TYPE262 record has been there for
more than a year (I talked about it in
<https://www.bortzmeyer.org/wallet-rrtype.html>) and there was no
problem before.
OpenDNSSEC 2.1.12 on Debian stable ("trixie")
DNSviz report during the problem:
https://dnsviz.net/d/bortzmeyer.fr/aQxZMw/dnssec/ (12 days before,
with the exact same unsigned file, there was no problem <https://dnsviz.net/d/bortzmeyer.fr/aPzRoQ/dnssec/?rr=all&a=all&ds=all&doe=on&ta=.&tk=>)
Zonemaster report during the problem: https://zonemaster.fr/en/result/9cfd17edf8bba706
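Two checks an operator can run on the files quoted in the report above, as an added example (this is not code from the post or from OpenDNSSEC): first, decoding the RFC 3597 generic RDATA of the TYPE262 line and reading the bytes as DNS character-strings, which yields exactly the "BTC" and "1HtNJ6ZFUc9yu9u2qAwB4tGdGwPQasQGax" strings that appear in the TXT record the signer emitted; second, a sanity comparison of the unsigned and signed zones that flags a type that disappeared, an RRset whose record count changed, and two RRSIGs over the same RRset from the same key tag. The unsigned TXT lines in the sample are assumed (only the TYPE262 line of the unsigned file is quoted); the zone reader is deliberately minimal (one record per line, no $ORIGIN, no parentheses).

```python
"""Checks for the symptom described in the report: an RFC 3597 generic
record that a signer re-emits as a different type, leaving one RRset
with two signatures from the same key. Added example, not OpenDNSSEC code."""
import binascii
from collections import Counter, defaultdict

# Types a signer legitimately adds to the signed zone.
DNSSEC_TYPES = {"RRSIG", "NSEC", "NSEC3", "NSEC3PARAM", "DNSKEY", "CDS", "CDNSKEY"}


def parse_generic_rdata(rdata: str) -> bytes:
    """Decode RFC 3597 presentation format: '\\# <length> <hex...>'.
    The hex part may be split into whitespace-separated groups."""
    tokens = rdata.split()
    if not tokens or tokens[0] != r"\#":
        raise ValueError("not RFC 3597 generic rdata")
    length = int(tokens[1])
    raw = binascii.unhexlify("".join(tokens[2:]))
    if len(raw) != length:
        raise ValueError(f"declared length {length} != actual {len(raw)}")
    return raw


def character_strings(raw: bytes) -> list[str]:
    """Split wire bytes into DNS <character-string>s (one length byte,
    then that many bytes), the encoding TXT uses. Raises if the bytes
    do not tile the buffer exactly."""
    out, i = [], 0
    while i < len(raw):
        n = raw[i]
        chunk = raw[i + 1:i + 1 + n]
        if len(chunk) != n:
            raise ValueError("truncated character-string")
        out.append(chunk.decode("ascii"))
        i += 1 + n
    return out


def parse_zone(text: str) -> list[tuple[str, str, str]]:
    """Minimal presentation-format reader returning (owner, type, rdata)
    for lines of the form 'owner [ttl] [IN] TYPE rdata'."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        tokens = line.split()
        owner, rest = tokens[0], tokens[1:]
        if rest and rest[0].isdigit():      # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":  # optional class
            rest = rest[1:]
        records.append((owner, rest[0].upper(), " ".join(rest[1:])))
    return records


def signer_sanity(unsigned: str, signed: str) -> list[str]:
    """Compare an unsigned zone with the signer's output and report what a
    type-preserving signer should never produce."""
    before = Counter((o, t) for o, t, _ in parse_zone(unsigned))
    after = Counter((o, t) for o, t, _ in parse_zone(signed))
    findings = []
    for (owner, rtype), n in sorted(before.items()):
        if (owner, rtype) not in after:
            findings.append(f"{owner} {rtype}: present unsigned, missing from signed zone")
        elif after[(owner, rtype)] != n:
            findings.append(f"{owner} {rtype}: {n} record(s) unsigned, {after[(owner, rtype)]} signed")
    for owner, rtype in sorted(after):
        if (owner, rtype) not in before and rtype not in DNSSEC_TYPES:
            findings.append(f"{owner} {rtype}: appears only in signed zone")
    # Two RRSIGs over one RRset from the same key tag means two signing
    # passes disagreed about the RRset's contents; validators will see at
    # least one of them fail.
    sigs = defaultdict(list)
    for owner, rtype, rdata in parse_zone(signed):
        if rtype == "RRSIG":
            f = rdata.split()            # covered alg labels ttl exp inc keytag signer sig
            sigs[(owner, f[0].upper(), f[6])].append(f[4])
    for (owner, covered, keytag), exps in sorted(sigs.items()):
        if len(exps) > 1:
            findings.append(f"{owner} RRSIG {covered}: {len(exps)} signatures from key {keytag} "
                            f"(expirations {', '.join(exps)})")
    return findings


# Constructed from the lines quoted in the report; the two unsigned TXT
# records are assumed, since the post only quotes the TYPE262 line.
WALLET_RDATA = r"\# 39 03425443 223148744E4A365A465563397975397532714177423474476447775051617351476178"

UNSIGNED = f"""
bortzmeyer.fr. 86400 IN TXT "v=spf1 mx -all"
bortzmeyer.fr. 86400 IN TXT "DNS is innocent"
bortzmeyer.fr. 86400 IN TYPE262 {WALLET_RDATA}
"""

SIGNED = """
bortzmeyer.fr. 86400 IN TXT "v=spf1 mx -all"
bortzmeyer.fr. 86400 IN TXT "DNS is innocent"
bortzmeyer.fr. 86400 IN RRSIG TXT 13 2 86400 20251113215344 20251030142433 32088 bortzmeyer.fr. bWAlKMSQPDALOeEmwwfh47qGjloBK3YRH3rGydVJBis4lFIsIsE09bkqviBiGyjNqpS/loFaiMS4FRIeh06jwg==
bortzmeyer.fr. 86400 IN TXT "BTC" "1HtNJ6ZFUc9yu9u2qAwB4tGdGwPQasQGax"
bortzmeyer.fr. 86400 IN RRSIG TXT 13 2 86400 20251113173453 20251030142433 32088 bortzmeyer.fr. J1arZUBP+G5nc54zetyD45rqDyURJeZyFjRRkixQrPokBPxNkyt1RHzdH78a0rM93Zzu0q+N/zzxMQScl0KVHw==
"""

if __name__ == "__main__":
    print("TYPE262 bytes as character-strings:",
          character_strings(parse_generic_rdata(WALLET_RDATA)))
    for finding in signer_sanity(UNSIGNED, SIGNED):
        print("FINDING:", finding)
```

Running the script decodes the generic RDATA to the same two strings the signer wrote into its TXT record, and the comparison reports three findings: TYPE262 missing from the signed zone, the TXT RRset growing from two records to three, and two RRSIGs covering TXT from key tag 32088 with different expiration times, which is the state the dig +cd output shows.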