  1. OpenDNSSEC
  2. OPENDNSSEC-284

DNSKEY import adds or drops bits at the end


    Details

    • Type: Story
    • Status: Closed
    • Priority: Critical
    • Resolution: Won't Fix
    • Affects Version/s: 1.1.3
    • Fix Version/s: None
    • Component/s: Signer
    • Labels:
    • Environment: RedHat Linux 5.8 Tikanga

      Description

      We are doing a rollover from OpenDNSSEC 1.1.3 to OpenDNSSEC 1.3.9, and are changing HSMs at the same time. To do this, we import DNSKEY records back and forth. We are working towards a publication of this procedure.

      Importing DNSKEY records into the unsigned zones of OpenDNSSEC 1.1.3 led to a problem, where the ending of the DNSKEY record got altered (bits added or removed) by the signer.

      We worked around it in our/one case by adding extra ==== padding characters at the end of the base64 fragment.

      Possibly related, but maybe a separate bug: we got added bits to a DNSKEY, which was remedied by removing the comment after the key material.

      We are not able to test any resolution for this bug, as it occurred on our live signer setup. We may be able to do this later, after our migration has been completed.

      surfnt.org. 3600 IN DNSKEY 256 3 8 AwEAAcA0elmYGUTIsBBh6i/ANWUIjzHF0AvzPAqCM6XYmtxHWYBZB0OzlP4vT/UZugZQxenABTS0EpswDFxG0r1NrZGeIm8s3WvjD1HT0aPEiVFzhrEmvEXlyQoG7rS484+2RZJrDUpw18NFuoFmkPGLJpr6s/6O73yV/HPvWr05qw9J ;{id = 2424 (zsk), size = 1024b}

      surfnt.org. 3600 IN DNSKEY 256 3 8 AwEAAc2yPFJ6GceCjz4s1HToGzi273O/4zBE6Blbl4WSbIo481vSyBy8KGubLQKH1cY7cLzjO8cX660NB4wxisz2J1UFQYcu+JlC5TfX3d0DCoNsJHIoYx1jmFTmnil43qyMtO0GeHUsM3UVRS4QQevIbIQsQtVEdMt+lLH6aIWt8n2p ;{id = 13839 (zsk), size = 1024b}

      surfnt.org. 3600 IN DNSKEY 257 3 8 AwEAAecB//UmGVSaQTsOfeyu120FWUGOhkYgB3jX5I4qTr4Gb8N1h53+nbbKYEyXryyveQvuxOT5/vN6sIE8iBYkP3L9dfE/3PwkAaLqqu4WAhtEpkbavrcemUpXtRExAuqQxCRI3zWoeqFDWiEP/zHXMhQ4wBAwV9OHNfmLSRR1sZDQXGN924ABfTJQjbEBg1gSFISet3MC/CaH/QPHY8KiqhyqhASaB8dt3HVsslubQet+Ihxg++u3VCtUyZld8gMNXkPKas/e3JQe0JII/s4OkcBQAFW277RPjuI2BMtObKXHlLrNTIpAESZwZJjXC+LXbyG+b4bhz3hqgFYlfC+yxNk= ;{id = 9274 (ksk), size = 2048b}

      surfnt.org. 3600 IN DNSKEY 257 3 8 AwEAAfWNWLCrI5ddf/JnEO+iUHF/Vn1Z3p2JSLJU+0TXlVsu5SYm64eKdvpLBeGcM32dqtRwDFlkSHjE3JJsa/PqoRMQMSeQxTgmeeIxUrhH7G4eeORCv+XESlG6KSqErGNkceWu8IVvgRh26kPMLJVSIxydK11dbqWVtWsOxPZuMubWZOIa/Dp/19P5NGkk2onn3K0Yn/7rPiKeF0mO4n5jZEjFzvWq2qyRwENS3O2XIF6pmdYCQxvCKYmR8j0sreuPhEEJiR4Qp2StOXhaEQHYdikIsCNU5gTxNVWWlVRV5Wdz/VyOcLKbMZP6o0783aWVisbPEyimQzjcIF+2NmV5wNc= ;{id = 34982 (ksk), size = 2048b}

            People

            Assignee:
            matthijs Matthijs Mekking
            Reporter:
            vanrein Rick van Rein
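A check that can be run on each DNSKEY line before import and again on the signer's output, to catch the symptoms described in this report: changed padding, changed trailing bits, or key material that no longer matches the id in its comment. This is an added example, not OpenDNSSEC code and not part of the original report. It assumes the `;{id = …, size = …b}` comment format shown above, RSA keys in RFC 3110 layout, and that `size` is the modulus length in bits; the sample records are constructed toy keys.

```python
import base64
import re
import struct

RSA_ALGORITHMS = {1, 5, 7, 8, 10}  # DNSSEC algorithm numbers with RFC 3110 key layout

def key_tag(flags, protocol, algorithm, pubkey):
    """Key tag over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def rsa_modulus_bits(pubkey):
    """Modulus length of an RFC 3110 RSA key: exponent length, exponent, modulus."""
    explen, offset = pubkey[0], 1
    if explen == 0:  # long form: the next two bytes hold the exponent length
        explen, offset = struct.unpack("!H", pubkey[1:3])[0], 3
    return 8 * len(pubkey[offset + explen:])

def check_dnskey(line):
    """Return the problems found in one presentation-format DNSKEY record."""
    record, _, comment = line.partition(";")
    fields = record.split()
    start = fields.index("DNSKEY") + 1
    flags, protocol, algorithm = (int(f) for f in fields[start:start + 3])
    b64 = "".join(fields[start + 3:])  # key material may be split by whitespace
    core = b64.rstrip("=")
    if not re.fullmatch(r"[A-Za-z0-9+/]+", core) or len(core) % 4 == 1:
        return ["key material is not valid base64"]
    pubkey = base64.b64decode(core + "=" * (-len(core) % 4))
    problems = []
    # Re-encoding the decoded bytes exposes extra/missing '=' and stray trailing bits.
    if base64.b64encode(pubkey).decode() != b64:
        problems.append("non-canonical base64: padding or trailing bits differ")
    tag = key_tag(flags, protocol, algorithm, pubkey)
    claimed = re.search(r"id = (\d+)", comment)
    if claimed and int(claimed.group(1)) != tag:
        problems.append(f"key tag {tag} does not match id {claimed.group(1)} in comment")
    size = re.search(r"size = (\d+)b", comment)  # assumed to mean modulus bits
    if size and algorithm in RSA_ALGORITHMS and int(size.group(1)) != rsa_modulus_bits(pubkey):
        problems.append(f"modulus is {rsa_modulus_bits(pubkey)} bits, comment says {size.group(1)}")
    return problems

# Constructed toy records (16-bit "modulus"), not keys from the report.
GOOD = "example. 3600 IN DNSKEY 256 3 8 AQMFBw== ;{id = 2578 (zsk), size = 16b}"
PADDED = "example. 3600 IN DNSKEY 256 3 8 AQMFBw==== ;{id = 2578 (zsk), size = 16b}"
ALTERED = "example. 3600 IN DNSKEY 256 3 8 AQMFBg== ;{id = 2578 (zsk), size = 16b}"

if __name__ == "__main__":
    for name, rec in (("good", GOOD), ("padded", PADDED), ("altered", ALTERED)):
        print(name, check_dnskey(rec) or "ok")
```

Comparing the key tag computed from the signed zone's DNSKEY with the tag recorded at export time shows whether the key bytes survived the import unchanged, independent of how the base64 text was padded.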