[Opendnssec-user] How to report a critical issue against OpenDNSSEC?
Stephane Bortzmeyer
bortzmeyer at nic.fr
Sat Nov 8 15:23:27 UTC 2025
On Thu, Nov 06, 2025 at 09:43:19AM +0000,
Stephane Bortzmeyer via Opendnssec-user <opendnssec-user at lists.opendnssec.org> wrote
a message of 102 lines which said:
> Here is the issue, which I believe very serious:
>
> When I use the syntax for unknown types (RFC 3597) (here,
> /var/lib/opendnssec/unsigned/bortzmeyer.fr):
>
> @ IN TYPE262 \# 39 03425443 223148744E4A365A465563397975397532714177423474476447775051617351476178
The bug seems to be in the signing software, ldns, I believe. Anyway, ldns clearly has the bug:
1) ldns-keygen -a ED25519 example.org
2) Create a zone file with the above key and the line @ IN TYPE262 \# 39 03425443 223148744E4A365A465563397975397532714177423474476447775051617351476178
3) ldns-signzone -o example.org example.org.zone Kexample.org.+015+$KEYID
You will observe in example.org.zone.signed that the WALLET RR was translated to TXT (!!!) and the signatures are broken:
% dnssec-verify -o example.org -z example.org.zone.signed
Loading zone 'example.org' from file 'example.org.zone.signed'
Verifying the zone using the following algorithms:
- ED25519
No correct ED25519 signature for example.org TXT
No correct ED25519 signature for example.org NSEC
The zone is not fully signed for the following algorithms:
ED25519
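A small pre-publication check for the failure described above, added here as an example and not taken from the post or from ldns: it decodes the RFC 3597 generic-syntax rdata (enforcing the declared length), splits the character-strings the WALLET rdata is built from, and diffs the RR types of the unsigned zone against the signed output so that a TYPE262 record that came back as TXT is flagged before the zone is served. The zone text, the RRSIG value and the key tag are constructed samples.

```python
# Added check (not from the post or from ldns): decode an RFC 3597 generic-syntax
# rdata and diff RR types between the unsigned and signed zone, so a signer that
# rewrites TYPE262 as TXT is caught before publication. Zone text below is constructed.
WALLET_RDATA = "\\# 39 03425443 223148744E4A365A465563397975397532714177423474476447775051617351476178"

def parse_rfc3597_rdata(rdata: str) -> bytes:
    """Decode '\\# <length> <hex...>'; the declared length must match the hex."""
    tok = rdata.split()
    if len(tok) < 2 or tok[0] != "\\#":
        raise ValueError("not RFC 3597 generic syntax")
    raw = bytes.fromhex("".join(tok[2:]))
    if len(raw) != int(tok[1]):
        raise ValueError(f"declared {tok[1]} bytes, hex carries {len(raw)}")
    return raw

def parse_character_strings(raw: bytes) -> list[str]:
    """Split length-prefixed <character-string>s (the wire layout TXT and WALLET share)."""
    out, i = [], 0
    while i < len(raw):
        n, i = raw[i], i + 1
        if i + n > len(raw):
            raise ValueError("truncated character-string")
        out.append(raw[i:i + n].decode("ascii"))
        i += n
    return out

def _fqdn(name: str, origin: str) -> str:
    return origin if name == "@" else (name if name.endswith(".") else f"{name}.{origin}")

def record_types(zone: str, origin: str) -> dict[str, set[str]]:
    """Owner -> RR types seen in presentation-format lines; comments and $directives skipped."""
    found: dict[str, set[str]] = {}
    for line in zone.splitlines():
        tok = line.split(";")[0].split()
        if not tok or tok[0].startswith("$") or "IN" not in tok:
            continue
        found.setdefault(_fqdn(tok[0], origin), set()).add(tok[tok.index("IN") + 1].upper())
    return found

def lost_types(unsigned: str, signed: str, origin: str) -> dict[str, set[str]]:
    """Types present before signing but gone after; signing must never drop or rename one."""
    before, after = record_types(unsigned, origin), record_types(signed, origin)
    return {o: t - after.get(o, set()) for o, t in before.items() if t - after.get(o, set())}

# Constructed sample zones mirroring the report: TYPE262 goes in, TXT (plus RRSIG) comes out.
UNSIGNED_ZONE = f"@ IN SOA ns1 hostmaster 1 3600 600 86400 300\n@ IN NS ns1\n@ IN TYPE262 {WALLET_RDATA}\n"
SIGNED_ZONE = (
    "example.org. 3600 IN SOA ns1.example.org. hostmaster.example.org. 1 3600 600 86400 300\n"
    "example.org. 3600 IN NS ns1.example.org.\n"
    'example.org. 3600 IN TXT "BTC" "1HtNJ6ZFUc9yu9u2qAwB4tGdGwPQasQGax"\n'
    "example.org. 3600 IN RRSIG TXT 15 2 3600 20251208000000 20251108000000 12345 example.org. FAKESIG==\n"
)
```

Running `lost_types(UNSIGNED_ZONE, SIGNED_ZONE, "example.org.")` on the samples reports `{'example.org.': {'TYPE262'}}`, which is exactly the condition that should stop a zone from being published.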