"Bad NSEC data" when using zonesigner -usensec3

Bug #1215093 reported by TJ
This bug affects 4 people
Affects: dnssec-tools (Ubuntu)
Status: Triaged
Importance: High
Assigned to: Unassigned
Milestone: (none)

Bug Description

# apt-cache policy bind9 dnssec-tools
bind9:
  Installed: 1:9.9.2.dfsg.P1-2ubuntu3
  Candidate: 1:9.9.2.dfsg.P1-2ubuntu3
  Version table:
 *** 1:9.9.2.dfsg.P1-2ubuntu3 0
        500 http://gb.archive.ubuntu.com/ubuntu/ saucy/main amd64 Packages
        100 /var/lib/dpkg/status
dnssec-tools:
  Installed: 2.0-1
  Candidate: 2.0-1
  Version table:
 *** 2.0-1 0
        500 http://gb.archive.ubuntu.com/ubuntu/ saucy/universe amd64 Packages
        100 /var/lib/dpkg/status

# zonesigner -genkeys -usensec3 -zone groksecrecy.eu groksecrecy.eu.hosts

        if zonesigner appears hung, strike keys until the program completes
        (see the "Entropy" section in the man page for details)

Generating key pair.......++++++ ...........++++++
Generating key pair..............++++++ ........................................................................++++++
Generating key pair............................+++ ................................................................................+++
Verifying the zone using the following algorithms: RSASHA256.
Zone fully signed:
Algorithm: RSASHA256: KSKs: 1 active, 0 stand-by, 1 revoked
                      ZSKs: 1 active, 1 stand-by, 0 revoked

zone signed successfully

groksecrecy.eu:
        KSK (cur) 59290 2048 08/21/13 (groksecrecy.eu-signset-00019)
        KSK (rev) 08224 2048 08/21/13 (groksecrecy.eu-signset-00018)
        ZSK (cur) 01110 1024 08/21/13 (groksecrecy.eu-signset-00016)
        ZSK (pub) 03480 1024 08/21/13 (groksecrecy.eu-signset-00017)

zone will expire in 30 days
DO NOT delete the keys until this time has passed.

# donuts --level 9 -v -v -v -v -v groksecrecy.eu.hosts.signed groksecrecy.eu

--- loading rule file /usr/share/dnssec-tools/donuts/rules/check_nameservers.txt
    rules: MEMORIZE_NS_ADDRS DNS_SERVERS_MATCH_DATA
--- loading rule file /usr/share/dnssec-tools/donuts/rules/dns.errors.txt
    rules: DNS_SOA_REQUIRED MEMORIZE_NS_CNAME_RECORDS DNS_NS_NO_CNAME
--- loading rule file /usr/share/dnssec-tools/donuts/rules/dnssec.rules.txt
    rules: DNSSEC_RRSIG_TTL_MATCH_ORGTTL DNSSEC_MEMORIZE_NS_RECORDS DNSSEC_CHECK_IF_NSEC3 DNSSEC_MISSING_NSEC_RECORD1 DNSSEC_MISSING_RRSIG_RECORD1 DNSSEC_RRSIG_NOT_SIGNING_RRSIG DNSSEC_RRSIG_FOR_NS_GLUE_RECORD DNSSEC_NSEC_FOR_NS_GLUE_RECORD DNSSEC_RRSIG_SIGEXP DNSSEC_NSEC_TTL DNSSEC_NSEC3_TTL DNSSEC_DNSKEY_MUST_HAVE_SAME_NAME DNSSEC_DNSKEY_PROTOCOL_MUST_BE_3 DNSSEC_BOGUS_NS_MEMORIZE DNSSEC_MISSING_RRSIG_RECORD2 DNSSEC_RRSIG_TTL_MUST_MATCH_RECORD DNSSEC_MISSING_NSEC_RECORD2 DNSSEC_RRSIG_SIGNER_NAME_MATCHES DNSSEC_NSEC_RRSEC_MUST_NOT_BE_ALONE DNSSEC_MEMORIZE_KEYS DNSSEC_RRSIGS_VERIFY DNSSEC_TWO_ZSKS DNSSEC_OPENSSL_KEY_ISSUES
--- loading rule file /usr/share/dnssec-tools/donuts/rules/nsec_check.rules.txt
    rules: DNSSEC_NSEC_MEMORIZE DNSSEC_NSEC3_MEMORIZE DNSSEC_NSEC3_CHECK DNSSEC_NSEC_CHECK
--- loading rule file /usr/share/dnssec-tools/donuts/rules/parent_child.rules.txt
    rules: DNS_MULTIPLE_NS DNSSEC_SUB_NOT_SECURE DNSSEC_DNSKEY_PARENT_HAS_VALID_DS DNSSEC_DS_CHILD_HAS_MATCHING_DNSKEY
--- loading rule file /usr/share/dnssec-tools/donuts/rules/recommendations.rules.txt
    rules: DNS_REASONABLE_TTLS DNS_NO_DOMAIN_MX_RECORDS
groksecrecy.eu.hosts.signed:155 bad NSEC data
WARNING: failed to read groksecrecy.eu.hosts.signed for an unknown reason
bad NSEC data, line 155

# sed -n '155 p' groksecrecy.eu.hosts.signed
TGJKMMT805KSMTJ3O66C19Q4LSACA79F.groksecrecy.eu. 38400 IN NSEC3 1 0 100 48B3FDF7C42A14B9 (

# cat groksecrecy.eu.hosts

$ttl 38400
@ IN SOA dns0.groksecrecy.eu. hostmaster.groksecrecy.eu. (
                        1377106628
                        10800
                        3600
                        604800
                        38400 )
@ IN NS dns0
@ IN NS dns1
@ IN NS dns2
@ IN NS dns3
@ IN NS dns4
@ IN NS dns5
dns0 IN A 212.71.253.98
dns1 IN A 69.93.127.10
dns2 IN A 65.19.178.10
dns3 IN A 75.127.96.10
dns4 IN A 207.192.70.10
dns5 IN A 109.74.194.10

dns0 IN AAAA 2a01:7e00::f03c:91ff:fe69:4c49
dns1 IN AAAA 2600:3c00::a
dns2 IN AAAA 2600:3c01::a
dns3 IN AAAA 2600:3c02::a
dns4 IN AAAA 2600:3c03::a
dns5 IN AAAA 2a01:7e00::a

@ IN A 212.71.253.98
mail IN A 212.71.253.98
@ IN AAAA 2a01:7e00::f03c:91ff:fe69:4c49
mail IN AAAA 2a01:7e00::f03c:91ff:fe69:4c49
www IN CNAME @
open IN CNAME @
@ IN MX 5 mail
@ IN TXT "v=spf1 a mx a:groksecrecy.net ~all"

TJ (tj) wrote :

I've tracked the error down to "/usr/share/perl5/Net/DNS/ZoneFile/Fast.pm". It has three tests which all report "bad NSEC data", so I added a unique number to each error message. The second one generates the error. It appears the fault is in the regular expression. The code is:

      } elsif (/\G(nsec3)[ \t]+/igc) {
          error ("You are missing required modules for NSEC3 support")
            if (!$nsec3capable);
          if (/\G\s*(\d+)\s+(\d+)\s+(\d+)\s+([-0-9A-Fa-f]+)\s+($pat_maybefullname)\s+(.*?)$pat_skip$/gc) {
              # XXX: set the typebm field ourselves?
              my ($alg, $flags, $iters, $salt, $nxthash, $typelist) =
                ($1, $2, $3, $4, $5, $6);
              $typelist = join(" ",sort split(/\s+/,$typelist));
              my $binhash = MIME::Base32::decode(uc($nxthash));
              push @zone,
                {
                 Line => $ln,
                 name => $domain,
                 class => "IN",
                 ttl => $ttl,
                 type => "NSEC3",
                 hashalgo => $alg,
                 flags => $flags,
                 iterations => $iters,
                 hnxtname => $nxthash,
                 hnxtnamebin => $binhash,
                 hashlength => length($binhash),
                 salt => $salt,
                 saltbin => pack("H*",$salt),
                 saltlength => int(length($salt)/2),
                 typelist => $typelist,
                 typebm =>
                 Net::DNS::RR::NSEC::_typearray2typebm(split(/\s+/,$typelist)),
                };
          } else {
              error("bad NSEC data (#2)");
          }
      }

TJ (tj) wrote :

After further investigation it appears that the default output of "dnssec-signzone" (part of the bind9 package) is causing the issue. That tool has the "-O" output-format option which defaults to "text" but can be "full" or "raw".

It appears that the default "text" mode wraps lines as well as leaving out redundant values. The "full" mode doesn't wrap lines and writes everything it can.

zonesigner has the "-szopts" additional-signing-options parameter which can be used to pass "-O full" to dnssec-signzone:

# zonesigner -verbose -showsigncmd -szopts "-O full" -genkeys -usensec3 -zone groksecrecy.eu groksecrecy.eu.hosts
...
        /usr/sbin/dnssec-signzone -O full -3 92b0d2647d92bc88 -H 100 -g -k /etc/bind/Kgroksecrecy.eu.+008+28630.key -k /etc/bind/Kgroksecrecy.eu.+008+24706.key -o groksecrecy.eu -e now+2592000 -f groksecrecy.eu.hosts.signed groksecrecy.eu.hosts.zs /etc/bind/Kgroksecrecy.eu.+008+09348.key
...

# donuts -f live,nsec_check --level 9 -v -v -v -v -v groksecrecy.eu.hosts.signed groksecrecy.eu
...
results on testing groksecrecy.eu:
  rules considered: 38
  rules tested: 35
  records analyzed: 78
  names analyzed: 20
  errors found: 0

The permanent fix is to alter the default "dnssec-tools.conf":

# diff -u /etc/dnssec-tools/dnssec-tools.conf.orig /etc/dnssec-tools/dnssec-tools.conf
--- /etc/dnssec-tools/dnssec-tools.conf.orig 2013-08-22 01:00:03.000000000 +0100
+++ /etc/dnssec-tools/dnssec-tools.conf 2013-08-22 00:55:18.000000000 +0100
@@ -67,7 +67,7 @@
 savekeys 1
 kskcount 1
 zskcount 1
-
+zonesign-opts -O full
 #
 # Settings for rollerd.
 #
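Review bot: the hunk replaces the blank separator line with the new setting, so "zonesign-opts -O full" now sits directly against the "# Settings for rollerd." comment block; keep the blank line and add the option above it (a "+zonesign-opts -O full" line followed by the unchanged empty line) so the key-count settings and the rollerd section stay visually separated. The surrounding text calls this the permanent fix, but the follow-up comment in this thread reports that the file is only consulted when the tool's command line carries no options, so the "-szopts" workaround still has to be documented alongside this change.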

Changed in dnssec-tools (Ubuntu):
status: New → Triaged
importance: Undecided → High
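The failure described in the two comments above, as an added example in Python (not part of the bug report or of dnssec-tools): a minimal NSEC3 parser built around a single-line regular expression in the spirit of the one quoted from Fast.pm rejects the parenthesis-wrapped record that dnssec-signzone's default "-O text" mode emits, and accepts the same record once RFC 1035 continuation lines are joined, which is what "-O full" achieves on the writer side. The owner name, TTL and salt are taken from line 155 of the signed zone in the report; the next hashed owner name and the type list are constructed placeholders, and the function and variable names are this example's own.

```python
"""Added example (not from the bug report or dnssec-tools): shows why a
single-line NSEC3 regex, like the one quoted from Fast.pm, rejects the
record that dnssec-signzone's default "-O text" mode wraps across lines
with RFC 1035 parentheses, and how joining the continuation lines first
(the reader-side equivalent of "-O full") makes the same record parse.
"""
import base64
import re

# Constructed sample input: the NSEC3 record from the report, once wrapped
# as "-O text" writes it and once on a single line as "-O full" writes it.
# Owner, TTL and salt are from the report; the next hashed owner name and
# the type list are made-up placeholders.
WRAPPED = """\
TGJKMMT805KSMTJ3O66C19Q4LSACA79F.groksecrecy.eu. 38400 IN NSEC3 1 0 100 48B3FDF7C42A14B9 (
\t\t\t\t\tU9C6KH2RJ7VEPV8QABFT7H0F4KH0PPUS
\t\t\t\t\tA AAAA RRSIG )
"""
FULL = ("TGJKMMT805KSMTJ3O66C19Q4LSACA79F.groksecrecy.eu. 38400 IN NSEC3 "
        "1 0 100 48B3FDF7C42A14B9 U9C6KH2RJ7VEPV8QABFT7H0F4KH0PPUS A AAAA RRSIG\n")

# RDATA layout: <hash alg> <flags> <iterations> <salt|-> <next hash> [type list]
NSEC3_RDATA = re.compile(
    r"^(?P<alg>\d+)\s+(?P<flags>\d+)\s+(?P<iters>\d+)\s+(?P<salt>-|[0-9A-Fa-f]+)"
    r"\s+(?P<nxt>[0-9A-Va-v]+)(?:\s+(?P<types>.*?))?\s*$"
)

_B32HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV"   # RFC 4648 base32hex alphabet
_B32STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"   # alphabet base64.b32decode expects
_TRANS = str.maketrans(_B32HEX, _B32STD)


def b32hex_decode(text):
    """Decode the base32hex next-hash field by mapping it onto standard base32."""
    text = text.upper()
    return base64.b32decode(text.translate(_TRANS) + "=" * ((-len(text)) % 8))


def join_parenthesised(zone_text):
    """Join RFC 1035 '(' ... ')' continuation lines into one record per line.
    Comments after ';' are dropped; quoted strings containing ';' or
    parentheses are not handled (not needed for signed-zone NSEC3 data)."""
    records, buf, depth = [], [], 0
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0]
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth == 0:                     # record is complete on this line
            fields = " ".join(buf).split()
            if fields:
                records.append(" ".join(fields))
            buf = []
    if depth != 0:
        raise ValueError("unbalanced parentheses in zone text")
    return records


def parse_nsec3(record):
    """Parse '<owner> <ttl> IN NSEC3 <rdata>' into a dict shaped like the hash
    Fast.pm pushes onto @zone; raise ValueError('bad NSEC data ...') when the
    RDATA does not fit on the line, which is exactly the wrapped-input case."""
    fields = record.split(None, 4)
    if len(fields) != 5 or fields[2].upper() != "IN" or fields[3].upper() != "NSEC3":
        raise ValueError("not a single-line IN NSEC3 record: %r" % record)
    owner, ttl, _, _, rdata = fields
    m = NSEC3_RDATA.match(rdata)
    if m is None:
        raise ValueError("bad NSEC data: %r" % rdata)
    salt = "" if m["salt"] == "-" else m["salt"].upper()
    nxt = m["nxt"].upper()
    nxtbin = b32hex_decode(nxt)
    types = sorted((m["types"] or "").split())
    return {
        "name": owner, "ttl": int(ttl), "type": "NSEC3",
        "hashalgo": int(m["alg"]), "flags": int(m["flags"]),
        "iterations": int(m["iters"]),
        "salt": salt, "saltbin": bytes.fromhex(salt), "saltlength": len(salt) // 2,
        "hnxtname": nxt, "hnxtnamebin": nxtbin, "hashlength": len(nxtbin),
        "typelist": " ".join(types),
    }


def nsec3_records(zone_text):
    """Join continuation lines, then parse every NSEC3 record in the text."""
    return [parse_nsec3(r) for r in join_parenthesised(zone_text)
            if len(r.split()) > 3 and r.split()[3].upper() == "NSEC3"]


if __name__ == "__main__":
    try:
        parse_nsec3(WRAPPED.splitlines()[0])   # first physical line only
    except ValueError as exc:
        print("single-line parse of wrapped record:", exc)
    for label, text in (("wrapped", WRAPPED), ("full", FULL)):
        rec = nsec3_records(text)[0]
        print(label, rec["name"], rec["iterations"], rec["salt"], rec["typelist"])
```

Run as a script it prints the "bad NSEC data" error for the first physical line of the wrapped record and then identical parsed fields for the wrapped and the single-line form. The join step is the part a zone-file reader has to do itself; a writer-side "-O full" merely avoids producing input that needs it, so a parser that is meant to accept arbitrary master-file text should implement the grouping rather than rely on the signer's output format.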
TJ (tj) wrote :

My last statement is incorrect: the patch to "dnssec-tools.conf" is not sufficient. Apparently the contents of that file are only read by the tools if their command-lines are empty.

That means that zonesigner needs its set of options amended as previously described:

# zonesigner -szopts "-O full" -genkeys -usensec3 -zone ...

Juan Orti Alcaine (juan.orti) wrote :

I have hit the same problem and your fix works perfectly for me (both the command line parameter and the config file).

Thank you for your work.

Nuno Sucena Almeida (slug-debian) wrote :

Also hitting the same issue, Ubuntu 13.10.
The workaround posted above worked for me, thanks!

Matthias Geiser (matthias-geiser) wrote :

I can confirm the bug and the workaround for Ubuntu 14.04.
