OpenDNSSEC / OPENDNSSEC-890

bogus signatures when original zone has mismatching TTLs


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 1.4.13, 2.1.0
    • Fix Version/s: 2.1.3, 2.3
    • Component/s: Signer
    • Labels: None

      Description

      We noticed this problem in a production zone we don't control, and we were able to replicate it.

      By definition, all records in an RRset must have the same TTL, but if this condition is intentionally broken, OpenDNSSEC will generate bogus signatures.

      The zone el.geek.nz is live, and contains two records for the NS RRset:

      el.geek.nz. 1800 IN NS puck.nether.net.
      el.geek.nz. 3600 IN NS pri

      When signed, the input is passed unfiltered to the signed zone, and the signatures are calculated with TTL=3600, which causes them to fail validation. This can be tested with drill or dig by following the signatures.

      drill -T -k unbound-ta.txt NS el.geek.nz
      
      [T] el.geek.nz. 3600 IN DNSKEY 256 3 8 ;{id = 50211 (zsk), size = 1024b}
      el.geek.nz. 3600 IN DNSKEY 256 3 8 ;{id = 37464 (zsk), size = 1024b}
      el.geek.nz. 3600 IN DNSKEY 257 3 8 ;{id = 31760 (ksk), size = 1280b}
      [B] el.geek.nz.	1800	IN	NS	puck.nether.net.
      el.geek.nz.	1800	IN	NS	pri.el.geek.nz.
      ;; Error: Bogus DNSSEC signature
      ;;[S] self sig OK; [B] bogus; [T] trusted
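A pre-signing check for the condition described above, added here as an illustration and not part of OpenDNSSEC: it groups zone records into RRsets, reports any RRset whose records carry differing TTLs, and can rewrite them to the lowest TTL, which is how RFC 2181 section 5.2 tells a resolver to treat such a malformed RRset. The sample zone is constructed around the two NS records from the report.

```python
# Added example, not OpenDNSSEC code: lint an unsigned zone for RRsets whose
# records disagree on TTL, the input condition that triggers this bug.
from collections import defaultdict

# Constructed sample zone, modelled on the two NS records in the report.
SAMPLE_ZONE = """\
el.geek.nz. 3600 IN SOA ns1.example. hostmaster.example. 1 3600 900 1209600 300
el.geek.nz. 1800 IN NS puck.nether.net.
el.geek.nz. 3600 IN NS pri.el.geek.nz.
pri.el.geek.nz. 3600 IN A 192.0.2.1
"""

def parse_records(text):
    """Parse simple 'owner TTL class type rdata' presentation-format lines."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        owner, ttl, rrclass, rrtype, rdata = line.split(None, 4)
        records.append((owner.lower(), int(ttl), rrclass.upper(), rrtype.upper(), rdata))
    return records

def find_ttl_mismatches(records):
    """Group records by (owner, class, type) and return the RRsets that carry
    more than one TTL, mapped to the sorted list of TTLs seen."""
    ttls = defaultdict(set)
    for owner, ttl, rrclass, rrtype, _ in records:
        ttls[(owner, rrclass, rrtype)].add(ttl)
    return {key: sorted(v) for key, v in ttls.items() if len(v) > 1}

def normalize_ttls(records):
    """Rewrite every record of a mismatched RRset to the lowest TTL in that
    RRset (RFC 2181 section 5.2 behaviour), leaving consistent RRsets alone."""
    mismatches = find_ttl_mismatches(records)
    fixed = []
    for owner, ttl, rrclass, rrtype, rdata in records:
        key = (owner, rrclass, rrtype)
        if key in mismatches:
            ttl = mismatches[key][0]
        fixed.append((owner, ttl, rrclass, rrtype, rdata))
    return fixed

if __name__ == "__main__":
    recs = parse_records(SAMPLE_ZONE)
    for (owner, rrclass, rrtype), ttls in find_ttl_mismatches(recs).items():
        print(f"TTL mismatch in {owner} {rrclass} {rrtype}: {ttls}")
```

Running the check on a zone before handing it to the signer reports the el.geek.nz NS RRset with TTLs [1800, 3600]; normalizing it removes the mismatch so the signer sees one TTL per RRset.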
      

              People

              Assignee: Yuri Schaeffer (yuri)
              Reporter: Berry van Halderen (berry)
              Votes: 0
              Watchers: 4
