- Type: Bug
- Status: Resolved
- Priority: Minor
- Resolution: Fixed
- Affects Version/s: OpenDNSSEC 1.4.3
- Fix Version/s: None
- Component/s: Signer
- Labels: None
We noticed this problem in a production zone we don't control, and we were able to replicate it.
For example, by definition an RRset must have the same TTL, but if this condition is intentionally broken, OpenDNSSEC will generate bogus signatures.
The zone el.geek.nz is live, and contains two records for the NS RRset:

    el.geek.nz. 1800 IN NS puck.nether.net.
    el.geek.nz. 3600 IN NS pri

When signed, the input is passed unfiltered to the signed zone, and the signatures are calculated with TTL=3600, which causes the signatures to fail validation. This can be tested using drill or dig and following the signatures.
    drill -T -k unbound-ta.txt NS el.geek.nz

    [T] el.geek.nz. 3600 IN DNSKEY 256 3 8 ;{id = 50211 (zsk), size = 1024b}
    el.geek.nz. 3600 IN DNSKEY 256 3 8 ;{id = 37464 (zsk), size = 1024b}
    el.geek.nz. 3600 IN DNSKEY 257 3 8 ;{id = 31760 (ksk), size = 1280b}
    [B] el.geek.nz. 1800 IN NS puck.nether.net.
    el.geek.nz. 1800 IN NS pri.el.geek.nz.
    ;; Error: Bogus DNSSEC signature
    ;;[S] self sig OK; [B] bogus; [T] trusted
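As an added example (not code from this report or from OpenDNSSEC), a small Python pre-signing lint that finds RRsets whose members disagree on TTL, the condition that triggered this bug, and normalizes each such RRset to its lowest TTL as RFC 2181 section 5.2 prescribes for a malformed RRset. The zone text is constructed from the NS records quoted above plus one assumed, well-formed A record; the parser handles only the simple one-record-per-line form used here.

```python
from collections import defaultdict

# Constructed sample zone modelled on the records quoted in this report: the NS
# RRset of el.geek.nz carries two different TTLs (1800 and 3600), violating
# RFC 2181 section 5.2.  The A record is an assumed extra, well-formed RRset.
SAMPLE_ZONE = """\
$ORIGIN el.geek.nz.
el.geek.nz. 1800 IN NS puck.nether.net.
el.geek.nz. 3600 IN NS pri
el.geek.nz. 3600 IN A 192.0.2.1
"""

def parse_zone(text):
    """Minimal one-record-per-line parser (owner TTL class type rdata; no
    parentheses, $TTL or $INCLUDE).  Returns (owner, ttl, class, type, rdata)."""
    origin, records = ".", []
    for raw in text.splitlines():
        line = raw.split(";")[0].strip()          # drop comments and blank lines
        if not line:
            continue
        if line.upper().startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        owner, ttl, rclass, rtype, rdata = line.split(None, 4)
        if not owner.endswith("."):               # qualify relative owner names
            owner = owner + "." + origin if origin != "." else owner + "."
        records.append((owner.lower(), int(ttl), rclass.upper(), rtype.upper(), rdata))
    return records

def find_ttl_mismatches(records):
    """Group records into RRsets keyed by (owner, class, type) and return those
    whose members disagree on TTL, mapped to their sorted TTL values."""
    ttls_by_rrset = defaultdict(set)
    for owner, ttl, rclass, rtype, _ in records:
        ttls_by_rrset[(owner, rclass, rtype)].add(ttl)
    return {k: sorted(v) for k, v in ttls_by_rrset.items() if len(v) > 1}

def normalize_ttls(records):
    """Give each RRset one TTL, the lowest seen in it (the treatment RFC 2181
    section 5.2 prescribes for a malformed RRset), before handing it to a signer."""
    lowest = {}
    for owner, ttl, rclass, rtype, _ in records:
        key = (owner, rclass, rtype)
        lowest[key] = min(ttl, lowest.get(key, ttl))
    return [(o, lowest[(o, c, t)], c, t, rd) for o, _, c, t, rd in records]

if __name__ == "__main__":
    recs = parse_zone(SAMPLE_ZONE)
    for (owner, rclass, rtype), ttls in find_ttl_mismatches(recs).items():
        print(f"TTL mismatch in RRset {owner} {rclass} {rtype}: {ttls}")
```

Running the lint on the sample reports the NS RRset with TTLs [1800, 3600]; after normalize_ttls every RRset has a single TTL and the check comes back empty.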
- is cloned by OPENDNSSEC-890 bogus signatures when original zone has mismatching TTLs (Resolved)