Type: Bug
Status: Open
Priority: Minor
Resolution: Unresolved
Affects Version/s: 2.1.8
Fix Version/s: None
Component/s: None
Labels: None
Environment:
Rocky Linux 9
#uname -a
Linux localhost.localdomain 5.14.0-162.6.1.el9_1.aarch64 #1 SMP PREEMPT_DYNAMIC Tue Nov 15 20:52:32 UTC 2022 aarch64 aarch64 aarch64 GNU/Linux
Name : opendnssec
Version : 2.1.8
Release : 4.el9
Architecture : aarch64
Size : 1.5 M
Source : opendnssec-2.1.8-4.el9.src.rpm
Repository : @System
From repo : appstream
Name : softhsm
Version : 2.6.1
Release : 7.el9.2
Architecture : aarch64
Size : 1.6 M
Source : softhsm-2.6.1-7.el9.2.src.rpm
Repository : @System
From repo : appstream
Hello,
We have installed the native version of OpenDNSSEC and SoftHSM on a Rocky Linux 9 instance, with SELinux disabled.
.. using the default policy and a valid zone file.
The zone configs are sync'd with the database (sqlite), and keys (KSK,ZSK) are generated as expected.
foobar.com KSK publish 2023-05-25 07:15:11 2048 8 8c98b7f899c4340ef2deb0dc8b96cefc SoftHSM_KSK 53945
foobar.com ZSK ready 2023-05-25 07:15:11 2048 8 d90b49960bfb7e09114b959c30cc0ffb SoftHSM_ZSK 19603
..the zone is signed and looks syntactically fine and can be loaded into a DNS server (without DNSSEC).
But the signatures are BOGUS:
– ldns-verify-zone output –
- ldns-verify-zone foobar.com
Error: Bogus DNSSEC signature for foobar.com. A
Error: Bogus DNSSEC signature for foobar.com. NS
Error: Bogus DNSSEC signature for foobar.com. SOA
Error: Bogus DNSSEC signature for foobar.com. MX
Error: Bogus DNSSEC signature for foobar.com. TXT
Error: Bogus DNSSEC signature for foobar.com. NSEC3PARAM
Error: Bogus DNSSEC signature for 6nosh514isuceiui5lrc2odu2ntnrs02.foobar.com. NSEC3
Error: Bogus DNSSEC signature for token.foobar.com. A
Error: Bogus DNSSEC signature for imvanqkk8cm5v6ngs66t1slu3nsnh25v.foobar.com. NSEC3
Error: Bogus DNSSEC signature for token1.foobar.com. CNAME
Error: Bogus DNSSEC signature for 5m3ei39ojpln910haciimljq9pl6tkrn.foobar.com. NSEC3
Error: Bogus DNSSEC signature for www.foobar.com. A
Error: Bogus DNSSEC signature for u64csv00lotgbg3d1v5u3b9fb1e5q0t5.foobar.com. NSEC3
There were errors in the zone
– drill output –
# drill @localhost NS -S foobar.com
;; Chasing: foobar.com. NS
Warning: No trusted keys specified
DNSSEC Trust tree:
foobar.com. (NS)
|---Bogus DNSSEC signature:
foobar.com. 86400 IN RRSIG NS 8 2 86400 20230607140305 20230524122235 19603 foobar.com. F4Qhc5PaJC/9AlheV49aF9rxVEKGcCUF7E+T0bIZURd1/ZON0eKSZlHCoD83Wjk2/XuAPyw1f+EGfX8PZCx8QhDs5odtD1uyhA9pNL4KLvZ/KSSu7Wsfv25LikIt/0BeGNtDK2vUk42uAIqhp6jBzuWCAZ0y38vYoOUxuedoyTcXjEnh6cZAnzhfn5XezW1ScaURMcY2RQq1WssDX1vipNXfZPFA0eurU/A+RuIZ8opbVNy8lKrj+eKvA7WpbY5B8mo5xJrsQVodzznhP7VyCr5m2CNyqu/leJoHGHhJO8GcBWIb6EPAMa+GNE5spYNuYzt10/eSs53G/7KcoPD4IQ==
For RRset:
foobar.com. 86400 IN NS ns1.internet.gov.sa.
foobar.com. 86400 IN NS ns2.internet.gov.sa.
With key:
foobar.com. 3600 IN DNSKEY 256 3 8 AwEAAaa9PCBj7nFHM9jOqHxbOKSQTOehiKknRqlONN5qS1rbddDMG/G+FQ1nP3kP76wrU7+2tSegAShrZEPNEQiRSGpRaJmyFkfZB8EtqL+YqqrNFcaiMzwPnd91FNLZzqvqhiO0U5E/ghiDIthMuuh/uRmcLlbsaAtTsoTnhvX3pHxU4qbYuZUKCQtuy7s/ezm2XojU9abffVLv/OydqzXNstgGGlXDSpxAkMKiN5jlFGjetm59A0GnoHbxEbRM/2w0EXNWR6O9reLNVYvub93v6Sv7dVGW/iJsUXyf96WLlvhsDL5TrhUJV6HU/Ib3JcSiDi79+XMLUKTDXDsX3jWrTL0= ;{id = 19603 (zsk), size = 2048b}
|---foobar.com. (DNSKEY keytag: 19603 alg: 8 flags: 256)
|---Bogus DNSSEC signature:
foobar.com. 3600 IN RRSIG DNSKEY 8 2 3600 20230607205359 20230524122235 53945 foobar.com. aHkl/Vi8aodVNy5KQxldSjfDZ5m5PUy7OY4kShSX4op3Rfe9qAKB7+5LKhvqK0B0XsKBRsM9cUMuJiKB+5eJi7k4UT2NQXJMPo3fxMFbyZFQo9oe3US8FVtenpL8baC38EdFgZ8b4h5PH4oQXXkAcQp/etE92yAk8p1wv9Nqg1FWPLoRXOEsKHZwkDc+cpqKxPP8k9T3lc16BTI+F/gTDflhHcPLYX59sy7VNS9ylLdwoz2lTWqnt96Wz0xXTS+iExWwO5EdSApnBQkwdeGefmK9VdnIzPI32kbQZ6oSVLJzFSNivOnAHdPsLkrK68cw23bMSp76J/SswmKSg1F4zw==
-end-
..with dnssec-verify
# dnssec-verify -x -v 5 -o foobar.com /var/opendnssec/signed/foobar.com
Loading zone 'foobar.com' from file '/var/opendnssec/signed/foobar.com'
No self-signed KSK DNSKEY found
dnssec-verify: debug 1: calling free_rbtdb(foobar.com)
dnssec-verify: debug 1: done free_rbtdb(foobar.com)
We have tried with the build version of OpenDNSSEC-2.1.12 and SoftHSM-2.6.1 on Red Hat 9; the same issue happens there. We also tried different key algorithms and TTLs, which does not help.
Appreciate your support.
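As an added example (not part of the report, OpenDNSSEC or SoftHSM), the following Python script performs the checks a defender would run over the records quoted in the drill output before blaming the signatures themselves: it computes RFC 4034 key tags for the published DNSKEY RRset, reports for each RRSIG whether a DNSKEY with the signer's name, algorithm and tag is present and whether a given time lies in the signature's validity window, and checks whether a KSK self-signs the DNSKEY RRset (the condition behind dnssec-verify's "No self-signed KSK DNSKEY found"). The records are constructed from the report's drill output; the signature blobs are omitted and the single DNSKEY shown is assumed to be the whole DNSKEY RRset.

```python
import base64
from datetime import datetime, timezone

# Records constructed from the drill output above; RRSIG signature blobs are
# omitted and the one DNSKEY shown is assumed to be the whole DNSKEY RRset.
DNSKEY_LINES = [
    "foobar.com. 3600 IN DNSKEY 256 3 8 "
    "AwEAAaa9PCBj7nFHM9jOqHxbOKSQTOehiKknRqlONN5qS1rbddDMG/G+FQ1nP3kP76wrU7"
    "+2tSegAShrZEPNEQiRSGpRaJmyFkfZB8EtqL+YqqrNFcaiMzwPnd91FNLZzqvqhiO0U5E/"
    "ghiDIthMuuh/uRmcLlbsaAtTsoTnhvX3pHxU4qbYuZUKCQtuy7s/ezm2XojU9abffVLv/O"
    "ydqzXNstgGGlXDSpxAkMKiN5jlFGjetm59A0GnoHbxEbRM/2w0EXNWR6O9reLNVYvub93v"
    "6Sv7dVGW/iJsUXyf96WLlvhsDL5TrhUJV6HU/Ib3JcSiDi79+XMLUKTDXDsX3jWrTL0= ;{id = 19603 (zsk), size = 2048b}",
]
RRSIG_LINES = [
    "foobar.com. 86400 IN RRSIG NS 8 2 86400 20230607140305 20230524122235 19603 foobar.com.",
    "foobar.com. 3600 IN RRSIG DNSKEY 8 2 3600 20230607205359 20230524122235 53945 foobar.com.",
]

def key_tag(flags, protocol, algorithm, pubkey):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (not valid for algorithm 1)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def parse_dnskey(line):
    f = line.split(";")[0].split()  # drop drill's ";{id = ...}" comment
    flags, proto, alg = int(f[4]), int(f[5]), int(f[6])
    pub = base64.b64decode("".join(f[7:]))
    return {"owner": f[0], "flags": flags, "alg": alg, "tag": key_tag(flags, proto, alg, pub)}

def parse_rrsig(line):
    f = line.split()
    ts = lambda s: datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return {"covered": f[4], "alg": int(f[5]), "expiration": ts(f[8]),
            "inception": ts(f[9]), "tag": int(f[10]), "signer": f[11]}

def check_rrsigs(dnskey_lines, rrsig_lines, at):
    """Per RRSIG: is the signer's DNSKEY published, and is `at` inside the validity window?"""
    keys = {(k["owner"], k["alg"], k["tag"]) for k in map(parse_dnskey, dnskey_lines)}
    return [{"covered": s["covered"], "tag": s["tag"],
             "key_present": (s["signer"], s["alg"], s["tag"]) in keys,
             "in_window": s["inception"] <= at <= s["expiration"]}
            for s in map(parse_rrsig, rrsig_lines)]

def has_self_signed_ksk(dnskey_lines, rrsig_lines):
    """True when a KSK (SEP bit set, i.e. flags 257) in the RRset signs the DNSKEY RRSIG."""
    ksk_tags = {k["tag"] for k in map(parse_dnskey, dnskey_lines) if k["flags"] & 1}
    return any(s["tag"] in ksk_tags for s in map(parse_rrsig, rrsig_lines) if s["covered"] == "DNSKEY")
```

With the quoted records, the DNSKEY RRSIG is made by key tag 53945, which is not in the published RRset, and no KSK self-signs it; a key tag that does match while validation still fails points at the key material or the signing path rather than at the zone contents.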