[SUPPORT-283] OpenDNSSEC Bogus Signature, Redhat 9 native packages - OpenDNSSEC

Details

Type: Bug
Status: Open
Priority: Minor
Resolution: Unresolved
Affects Version/s: 2.1.8
Fix Version/s: None
Component/s: None
Labels:
None
Environment:

Hide

Rocky Linux 9

^{#uname -a}

^{Linux localhost.localdomain 5.14.0-162.6.1.el9_1.aarch64 #1 SMP PREEMPT_DYNAMIC Tue Nov 15 20:52:32 UTC 2022 aarch64 aarch64 aarch64 GNU/Linux}

Name : opendnssec
Version : 2.1.8
Release : 4.el9
Architecture : aarch64
Size : 1.5 M
Source : opendnssec-2.1.8-4.el9.src.rpm
Repository : @System
From repo : appstream

Name : softhsm
Version : 2.6.1
Release : 7.el9.2
Architecture : aarch64
Size : 1.6 M
Source : softhsm-2.6.1-7.el9.2.src.rpm
Repository : @System
From repo : appstream

Show
Rocky Linux 9 #uname -a Linux localhost.localdomain 5.14.0-162.6.1.el9_1.aarch64 #1 SMP PREEMPT_DYNAMIC Tue Nov 15 20:52:32 UTC 2022 aarch64 aarch64 aarch64 GNU/Linux Name : opendnssec Version : 2.1.8 Release : 4.el9 Architecture : aarch64 Size : 1.5 M Source : opendnssec-2.1.8-4.el9.src.rpm Repository : @System From repo : appstream Name : softhsm Version : 2.6.1 Release : 7.el9.2 Architecture : aarch64 Size : 1.6 M Source : softhsm-2.6.1-7.el9.2.src.rpm Repository : @System From repo : appstream

Description

Hello,

We have installed the native version OpenDNSSEC and SoftHSM on a Rocky Linux 9 instance, with SELinux disabled.

.. using the default policy and valid zone file.

The zone configs are sync'd with the database (sqlite), and keys (KSK,ZSK) are generated as expected.

^{foobar.com KSK publish 2023-05-25 07:15:11 2048 8 8c98b7f899c4340ef2deb0dc8b96cefc SoftHSM_KSK 53945}
^{foobar.com ZSK ready 2023-05-25 07:15:11 2048 8 d90b49960bfb7e09114b959c30cc0ffb SoftHSM_ZSK 19603}

..the zone is signed and looks syntactically fine and can load to DNS server (without DNSSEC).

But the signature are BOGUS,

-~~ldns-verify-zone output~~-

ldns-verify-zone foobar.com
^{_{Error: Bogus DNSSEC signature for foobar.com. A}}
^{_{Error: Bogus DNSSEC signature for foobar.com. NS}}
^{_{Error: Bogus DNSSEC signature for foobar.com. SOA}}
^{_{Error: Bogus DNSSEC signature for foobar.com. MX}}
^{_{Error: Bogus DNSSEC signature for foobar.com. TXT}}
^{_{Error: Bogus DNSSEC signature for foobar.com. NSEC3PARAM}}
^{_{Error: Bogus DNSSEC signature for 6nosh514isuceiui5lrc2odu2ntnrs02.foobar.com. NSEC3}}
^{_{Error: Bogus DNSSEC signature for token.foobar.com. A}}
^{_{Error: Bogus DNSSEC signature for imvanqkk8cm5v6ngs66t1slu3nsnh25v.foobar.com. NSEC3}}
^{_{Error: Bogus DNSSEC signature for token1.foobar.com. CNAME}}
^{_{Error: Bogus DNSSEC signature for 5m3ei39ojpln910haciimljq9pl6tkrn.foobar.com. NSEC3}}
^{_{Error: Bogus DNSSEC signature for www.foobar.com. A}}
^{_{Error: Bogus DNSSEC signature for u64csv00lotgbg3d1v5u3b9fb1e5q0t5.foobar.com. NSEC3}}
There were errors in the zone

– drill output –

^{# drill @localhost NS -S foobar.com}
^{;; Chasing: foobar.com. NS}
^{Warning: No trusted keys specified}

^{DNSSEC Trust tree:}
^{foobar.com. (NS)}
^{|---Bogus DNSSEC signature:}
^{foobar.com. 86400 IN RRSIG NS 8 2 86400 20230607140305 20230524122235 19603 foobar.com. F4Qhc5PaJC/9AlheV49aF9rxVEKGcCUF7E+T0bIZURd1/ZON0eKSZlHCoD83Wjk2/XuAPyw1f+EGfX8PZCx8QhDs5odtD1uyhA9pNL4KLvZ/KSSu7Wsfv25LikIt/0BeGNtDK2vUk42uAIqhp6jBzuWCAZ0y38vYoOUxuedoyTcXjEnh6cZAnzhfn5XezW1ScaURMcY2RQq1WssDX1vipNXfZPFA0eurU/A+RuIZ8opbVNy8lKrj+eKvA7WpbY5B8mo5xJrsQVodzznhP7VyCr5m2CNyqu/leJoHGHhJO8GcBWIb6EPAMa+GNE5spYNuYzt10/eSs53G/7KcoPD4IQ==}
^{For RRset:}
^{foobar.com. 86400 IN NS ns1.internet.gov.sa.}
^{foobar.com. 86400 IN NS ns2.internet.gov.sa.}
^{With key:}
^{foobar.com. 3600 IN DNSKEY 256 3 8 AwEAAaa9PCBj7nFHM9jOqHxbOKSQTOehiKknRqlONN5qS1rbddDMG/G+FQ1nP3kP76wrU7+2tSegAShrZEPNEQiRSGpRaJmyFkfZB8EtqL+YqqrNFcaiMzwPnd91FNLZzqvqhiO0U5E/ghiDIthMuuh/uRmcLlbsaAtTsoTnhvX3pHxU4qbYuZUKCQtuy7s/ezm2XojU9abffVLv/OydqzXNstgGGlXDSpxAkMKiN5jlFGjetm59A0GnoHbxEbRM/2w0EXNWR6O9reLNVYvub93v6Sv7dVGW/iJsUXyf96WLlvhsDL5TrhUJV6HU/Ib3JcSiDi79+XMLUKTDXDsX3jWrTL0= ;{id = 19603 (zsk), size = 2048b}}
^{|---foobar.com. (DNSKEY keytag: 19603 alg: 8 flags: 256)}
^{|---Bogus DNSSEC signature:}
^{foobar.com. 3600 IN RRSIG DNSKEY 8 2 3600 20230607205359 20230524122235 53945 foobar.com. aHkl/Vi8aodVNy5KQxldSjfDZ5m5PUy7OY4kShSX4op3Rfe9qAKB7+5LKhvqK0B0XsKBRsM9cUMuJiKB+5eJi7k4UT2NQXJMPo3fxMFbyZFQo9oe3US8FVtenpL8baC38EdFgZ8b4h5PH4oQXXkAcQp/etE92yAk8p1wv9Nqg1FWPLoRXOEsKHZwkDc+cpqKxPP8k9T3lc16BTI+F/gTDflhHcPLYX59sy7VNS9ylLdwoz2lTWqnt96Wz0xXTS+iExWwO5EdSApnBQkwdeGefmK9VdnIzPI32kbQZ6oSVLJzFSNivOnAHdPsLkrK68cw23bMSp76J/SswmKSg1F4zw==}

-~~end~~-

..with dnssec-verify

^{# dnssec-verify -x -v 5 -o foobar.com /var/opendnssec/signed/foobar.com}
^{Loading zone 'foobar.com' from file '/var/opendnssec/signed/foobar.com'}

^{No self-signed KSK DNSKEY found}
^{dnssec-verify: debug 1: calling free_rbtdb(foobar.com)}
^{dnssec-verify: debug 1: done free_rbtdb(foobar.com)}

We have tried with build version of OpenDNSSEC-2.1.12 and SoftHSM-2.6.1 on Redhat 9, the same issue happens there. Also, tried with different key algorithms and TTLs, does not help.

Appreciate your support.

OpenDNSSEC Bogus Signature, Redhat 9 native packages

Details

Description

Attachments

Activity

People

Dates