ldns-signzone generates invalid DNSSEC zones

Bug #1695799 reported by Phil Pennock
Affects: ldns (Ubuntu)   Status: New   Importance: Undecided   Assigned to: Unassigned   Milestone: -

Bug Description

The domain "exim.org" is DNSSEC-signed using ldns-signzone(1) on Ubuntu, ldnsutils 1.6.17-1 on i386.

After investigating spam rejections of exim-users mail, I determined that there was a broken signature upon the current DKIM key ("d201705._domainkey.exim.org"). I re-signed the zone and the record validated. I continued to investigate. I could not use dnssec-verify(1) from bind9utils because it fails upon the presence of a CAA record. So I copied the zonefiles to a FreeBSD box and used dnssec-verify there.

    Loading zone 'exim.org' from file 'db.exim.org'
    Verifying the zone using the following algorithms: ECDSAP256SHA256.
    No correct ECDSAP256SHA256 signature for d201705._domainkey.exim.org TXT
    No correct ECDSAP256SHA256 signature for www.pl.exim.org A
    The zone is not fully signed for the following algorithms: ECDSAP256SHA256.
    dnssec-verify: fatal: DNSSEC completeness test failed.

The newly-signed zone instead had:

    No correct ECDSAP256SHA256 signature for ftp.exim.org AAAA
    No correct ECDSAP256SHA256 signature for _443._tcp.lists.exim.org CNAME

Signing again:

    No correct ECDSAP256SHA256 signature for hummus.exim.org SSHFP
    No correct ECDSAP256SHA256 signature for k8ft27pqo4i3u7uqu5dk2l4ra1hsl6lt.exim.org NSEC3

I installed ldns in /opt/ldns from upstream source tarball, version 1.7.0, and changed the zone management script to use that ldns-signzone instead, and things work:

    Loading zone 'exim.org' from file 'db.exim.org-2017060402'
    Verifying the zone using the following algorithms: ECDSAP256SHA256.
    Zone fully signed:
    Algorithm: ECDSAP256SHA256: KSKs: 1 active, 0 stand-by, 0 revoked
                                ZSKs: 1 active, 0 stand-by, 0 revoked

I don't know what the root cause of the signing failure in the packaged ldnsutils is; I just see that it's fixed in upstream.
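The failure pattern above (a different RRset rejected on every signing run) is easy to catch before the zone is published. The following is an added example, not code from the bug report or from ldns: a pre-publish gate for a zone-management script that signs, verifies with dnssec-verify, and refuses to install the signed file when any RRset lacks a correct signature. The origin, file names and key names are assumptions; only the tool names come from the report.

```shell
#!/bin/sh
# Added example (not from the bug report or from ldns): sign a zone, verify
# the result, and publish it only when dnssec-verify reports no rejected
# RRsets. Zone name, file names and key names are assumptions.

# Read a dnssec-verify transcript on stdin and print one "owner TYPE" per
# line for every "No correct <ALG> signature for <owner> <TYPE>" line.
broken_rrsets() {
    sed -n 's/^[[:space:]]*No correct [^ ]* signature for \([^ ]*\) \([^ ]*\)[[:space:]]*$/\1 \2/p'
}

# Number of RRsets the verifier rejected (0 when the zone is fully signed).
broken_count() {
    broken_rrsets | wc -l | tr -d ' '
}

# sign_and_check ORIGIN ZONEFILE ZSK KSK
# Signs ZONEFILE into a temporary file, verifies it, and only then renames
# it to ZONEFILE.signed. Returns 1 and lists the rejected RRsets on stderr
# when verification fails, so a cron job can alert instead of publishing a
# zone that validating resolvers will treat as bogus.
sign_and_check() {
    origin=$1 zonefile=$2 zsk=$3 ksk=$4
    tmp="$zonefile.signed.tmp"
    ldns-signzone -n -o "$origin" -f "$tmp" "$zonefile" "$zsk" "$ksk" || return 1
    report=$(dnssec-verify -o "$origin" "$tmp" 2>&1)
    n=$(printf '%s\n' "$report" | broken_count)
    if [ "$n" -ne 0 ]; then
        printf 'refusing to publish %s: %s RRset(s) without a valid signature\n' \
            "$origin" "$n" >&2
        printf '%s\n' "$report" | broken_rrsets >&2
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$zonefile.signed"
}

# Constructed dnssec-verify transcript, modelled on the report, for a dry run
# of the parsing functions without the signing tools installed.
SAMPLE_REPORT="Loading zone 'example.org' from file 'db.example.org'
Verifying the zone using the following algorithms: ECDSAP256SHA256.
No correct ECDSAP256SHA256 signature for www.example.org A
No correct ECDSAP256SHA256 signature for mail._domainkey.example.org TXT
The zone is not fully signed for the following algorithms: ECDSAP256SHA256.
dnssec-verify: fatal: DNSSEC completeness test failed."

# Real use (key names are placeholders for the ZSK and KSK base names):
#   sign_and_check example.org db.example.org Kexample.org.+013+11111 Kexample.org.+013+22222
```

Running sign_and_check from the zone-management script instead of calling ldns-signzone directly turns the silent corruption seen here into a hard failure with the offending RRsets named.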
