dnssec-signzone: error when NSEC3PARAM record exists

Bug #1842939 reported by TJ
This bug affects 1 person
Affects Status Importance Assigned to Milestone
bind9 (Ubuntu)

Bug Description

On 18.04 with bind9/bionic-updates,bionic-proposed,now 1:9.11.3+dfsg-1ubuntu1.9

This prevents Certbot Let's Encrypt validation and therefore certificate issuance when the zone is configured to use NSEC3.

NSEC3 is valuable in preventing DNSSEC NSEC zone walking to discover all RR records in the zone.

Where a zone file has DNSSEC enabled and an NSEC3PARAM record is added to the already-signed zone file:

example.com. IN NSEC3PARAM ( 1 0 10 16 0d95646237ae38bc )

an attempt to re-sign the zone file fails with:

dnssec-signzone -o example.com example.com.hosts
dnssec-signzone: error: dns_rdata_fromtext: example.com.hosts:165: near '0d95646237ae38bc': extra input text
dnssec-signzone: fatal: failed loading zone from 'example.com.hosts': extra input text

This seems related to upstream report "Problems signing a zone that already contains an NSEC3PARAM"


TJ (tj)
description: updated
Revision history for this message
Robie Basak (racb) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better.

It looks like the upstream bug has been acknowledged, so I'm marking the Ubuntu task as Triaged. However, it doesn't look like we can do anything in Ubuntu until there is a resolution upstream.

As it appears this is not a regression, I'm marking it as Importance: Medium since I don't think this configuration is common enough to mark it as High.

Changed in bind9 (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
Revision history for this message
TJ (tj) wrote :

Re-marking as Invalid since I finally figured out today the erroneous RR was not generated by dnssec-signzone but a 3rd party tool that mistakenly writes the salt-length field too (which shouldn't be present except in the on-the-wire RDATA).

Changed in bind9 (Ubuntu):
status: Triaged → Invalid
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.