Uploaded image for project: 'OpenDNSSEC'
  1. OpenDNSSEC
  2. OPENDNSSEC-890

bogus signatures when original zone has mismatching TTLs

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 1.4.13, 2.1.0
    • Fix Version/s: 2.1.3, 2.2
    • Component/s: Signer
    • Labels:
      None

      Description

      We noticed this problem in a production zone we don't control, as we were able to replicate.

      For example, by definition an RRset must have the same TTL, but if intentionally this condition is broken, OpenDNSSEC will generate bogus signatures.

      The zone el.geek.nz is live, and contains two records for the NS RRset:

      monospaced
      el.geek.nz. 1800 IN NS puck.nether.net.
      el.geek.nz. 3600 IN NS pri
      monospaced

      When signed, the input is passed unfiltered to the signed zone, and the signatures calculated with TTL=3600, which causes the signatures to fail validation. This can be tested using drill or dig and following the signatures.

      drill -T -k unbound-ta.txt NS el.geek.nz
      
      [T] el.geek.nz. 3600 IN DNSKEY 256 3 8 ;{id = 50211 (zsk), size = 1024b}
      el.geek.nz. 3600 IN DNSKEY 256 3 8 ;{id = 37464 (zsk), size = 1024b}
      el.geek.nz. 3600 IN DNSKEY 257 3 8 ;{id = 31760 (ksk), size = 1280b}
      [B] el.geek.nz.	1800	IN	NS	puck.nether.net.
      el.geek.nz.	1800	IN	NS	pri.el.geek.nz.
      ;; Error: Bogus DNSSEC signature
      ;;[S] self sig OK; [B] bogus; [T] trusted
      

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              yuri Yuri Schaeffer
              Reporter:
              berry Berry van Halderen
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: