- Type: Bug
- Status: Open
- Priority: Minor
- Resolution: Unresolved
- Affects Version/s: 2.1.8
- Fix Version/s: None
- Component/s: Enforcer
- Labels: None
- Environment:

[root@xxxxxx ~]# cat /etc/os-release
NAME="AlmaLinux"
VERSION="9.2 (Turquoise Kodkod)"
ID="almalinux"
ID_LIKE="rhel centos fedora"
VERSION_ID="9.2"
PLATFORM_ID="platform:el9"
PRETTY_NAME="AlmaLinux 9.2 (Turquoise Kodkod)"
ANSI_COLOR="0;34"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:almalinux:almalinux:9::baseos"
HOME_URL="https://almalinux.org/"
DOCUMENTATION_URL="https://wiki.almalinux.org/"
BUG_REPORT_URL="https://bugs.almalinux.org/"
ALMALINUX_MANTISBT_PROJECT="AlmaLinux-9"
ALMALINUX_MANTISBT_PROJECT_VERSION="9.2"
REDHAT_SUPPORT_PRODUCT="AlmaLinux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.2"

[root@xxxxxx ~]# yum info opendnssec
ARNES Internal YUM repository 23 kB/s | 1.4 kB 00:00
ARNES Internal noarch YUM repository 22 kB/s | 1.4 kB 00:00
Installed Packages
Name : opendnssec
Version : 2.1.8
Release : 4.el9
Architecture : x86_64
Size : 1.4 M
Source : opendnssec-2.1.8-4.el9.src.rpm
Repository : @System
From repo : appstream
Summary : DNSSEC key and zone management software
URL : http://www.opendnssec.org/
License : BSD
Description : OpenDNSSEC was created as an open-source turn-key solution for DNSSEC.
: It secures zone data just before it is published in an authoritative
: name server. It requires a PKCS#11 crypto module library, such as softhsm

[root@xxxxxx ~]# yum info bind-dnssec-utils
Last metadata expiration check: 0:00:34 ago on Thu 26 Oct 2023 01:04:16 PM CEST.
Installed Packages
Name : bind-dnssec-utils
Epoch : 32
Version : 9.16.23
Release : 11.el9_2.2
Architecture : x86_64
Size : 419 k
Source : bind-9.16.23-11.el9_2.2.src.rpm
Repository : @System
From repo : appstream
Summary : DNSSEC keys and zones management utilities
URL : https://www.isc.org/downloads/bind/
License : MPLv2.0
Description : Bind-dnssec-utils contains a collection of utilities for editing
: DNSSEC keys and BIND zone files. These tools provide generation,
: revocation and verification of keys and DNSSEC signatures in zone files.
:
: You should install bind-dnssec-utils if you need to sign a DNS zone
: or maintain keys for it.
The DS hash generated with OpenDNSSEC is wrong (a domain with an OpenDNSSEC-generated DS hash fails validation). A domain with a DS generated by BIND can be validated successfully (checked with dnsviz.net). For a short illustration, the differing DS hashes (OpenDNSSEC tool / BIND tool) can be seen below:
[root@xxxxxx ~]# ods-enforcer zone add --zone test1234.si --policy EC_NSEC_SoftHSM
input is set to /var/opendnssec/unsigned/test1234.si.
output is set to /var/opendnssec/signed/test1234.si.
Zone test1234.si added successfully

[root@xxxxxx ~]# ods-enforcer key list -v
Keys:
Zone: Keytype: State: Date of next transition: Size: Algorithm: CKA_ID: Repository: KeyTag:
test1234.si KSK publish 2023-10-27 02:56:50 4096 13 d6f211d4ff2363bc540881441f71d10c SoftHSM 50706
test1234.si ZSK ready 2023-10-27 02:56:50 4096 13 209569ef680aacd2c9eca9c99e1702e9 SoftHSM 2839

[root@xxxxxx ~]# ods-enforcer key export --keystate publish --keytype KSK --zone test1234.si
test1234.si. 3600 IN DNSKEY 257 3 13 VtW3wv6GauZXSJPtgQStii8C+ETalMPy9JJsMPJwcHhropu9+pMfveJr7MaC45SfiFUgOM9g/yu60wykhx/YpQ==

[root@xxxxxx ~]# ods-enforcer key export --keystate publish --keytype KSK --zone test1234.si > Ktest1234.si.key

[root@xxxxxx ~]# ods-enforcer key export --keystate publish --keytype KSK --zone test1234.si --ds
;publish KSK DS record (SHA256):
test1234.si. 3600 IN DS 50706 13 2 8fdac70eee3a63eb88f1d86fea4fc47f5ef7ed646ecda6ded741f857b862fd8b

[root@xxxxxx ~]# ods-enforcer key export --keystate publish --keytype KSK --zone test1234.si --ds
;publish KSK DS record (SHA256):
test1234.si. 3600 IN DS 50706 13 2 8fdac70eee3a63eb88f1d86fea4fc47f5ef7ed646ecda6ded741f857b862fd8b

[root@xxxxxx ~]# dnssec-dsfromkey Ktest1234.si.key
test1234.si. IN DS 50706 13 2 83D4E968ADB95A71117E978604491291D7649FB89B097750735872E2B62BC1B8
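An independent way to settle which of the two DS records above is the correct one is to recompute the DS from the exported DNSKEY following RFC 4034 directly (digest over the canonical wire-format owner name followed by the DNSKEY RDATA; key tag per RFC 4034 Appendix B). The script below is an added example, not OpenDNSSEC or BIND code; the DNSKEY_RR string and the two PAGE_DIGESTS values are copied from the session above, everything else is the standard construction with no tool-specific assumptions.

```python
"""Recompute a DS record from a DNSKEY RR (RFC 4034 section 5.1.4; key tag
per RFC 4034 Appendix B) and compare it with the digests from the report.
Added example, not OpenDNSSEC or BIND code."""
import base64
import hashlib

# DNSKEY exported by ods-enforcer in the report (copied from the page).
DNSKEY_RR = ("test1234.si. 3600 IN DNSKEY 257 3 13 "
             "VtW3wv6GauZXSJPtgQStii8C+ETalMPy9JJsMPJwcHhropu9+pMfveJr7MaC"
             "45SfiFUgOM9g/yu60wykhx/YpQ==")

# The two SHA-256 digests reported on the page (copied verbatim).
PAGE_DIGESTS = {
    "ods-enforcer": "8fdac70eee3a63eb88f1d86fea4fc47f5ef7ed646ecda6ded741f857b862fd8b",
    "dnssec-dsfromkey": "83D4E968ADB95A71117E978604491291D7649FB89B097750735872E2B62BC1B8",
}

# DS digest types from the IANA registry: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def owner_to_wire(name):
    """Canonical wire form of the owner name: lowercase, length-prefixed
    labels, terminated by the root label (RFC 4034 section 6.2)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    out = bytearray()
    for label in labels:
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label length out of range: %r" % label)
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def parse_dnskey(rr):
    """Split a presentation-format DNSKEY RR into owner, algorithm and wire RDATA.
    TTL and class are optional; the base64 key may span several tokens."""
    fields = rr.split()
    i = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4:]))
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey
    return fields[0], alg, rdata


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (generic form). Algorithm 1 keys use a
    different rule and are rejected rather than mis-tagged."""
    if rdata[3] == 1:
        raise ValueError("algorithm 1 key tag not handled")
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(rr, digest_type=2):
    """Return (key_tag, algorithm, digest_type, hex digest) for the RR.
    digest = H(canonical owner name wire form | DNSKEY RDATA)."""
    owner, alg, rdata = parse_dnskey(rr)
    h = DIGEST_ALGS[digest_type]
    digest = h(owner_to_wire(owner) + rdata).hexdigest()
    return key_tag(rdata), alg, digest_type, digest


def matching_tools(rr, candidates=PAGE_DIGESTS):
    """Names of the candidates whose digest equals the recomputed one.
    Hex case is not significant in DS records, so compare lowercased."""
    digest = ds_from_dnskey(rr)[3]
    return [name for name, d in candidates.items() if d.lower() == digest]


if __name__ == "__main__":
    tag, alg, dtype, digest = ds_from_dnskey(DNSKEY_RR)
    print("test1234.si. IN DS %d %d %d %s" % (tag, alg, dtype, digest))
    print("matches:", matching_tools(DNSKEY_RR) or "none of the reported digests")
```

Two things the recomputation makes visible. The key tag (50706 from both tools) is computed over the DNSKEY RDATA alone, so agreement there means both tools hashed the same key bytes; the DS digest additionally covers the canonical wire form of the owner name, so that prefix, or the way the two parts are concatenated, is where a differing digest has to come from. Running the script prints the RFC-construction digest and which of the two reported values it equals, which is the check to run before publishing any DS at the parent.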