ldns-signzone generates invalid DNSSEC zones
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| ldns (Ubuntu) | New | Undecided | Unassigned | |
Bug Description
The domain "exim.org" is DNSSEC-signed using ldns-signzone(1) on Ubuntu, ldnsutils 1.6.17-1 on i386.
After investigating spam rejections of exim-users mail, I determined that there was a broken signature upon the current DKIM key ("d201705.
Loading zone 'exim.org' from file 'db.exim.org'
Verifying the zone using the following algorithms: ECDSAP256SHA256.
No correct ECDSAP256SHA256 signature for d201705.
No correct ECDSAP256SHA256 signature for www.pl.exim.org A
The zone is not fully signed for the following algorithms: ECDSAP256SHA256.
dnssec-verify: fatal: DNSSEC completeness test failed.
The newly-signed zone instead had:
No correct ECDSAP256SHA256 signature for ftp.exim.org AAAA
No correct ECDSAP256SHA256 signature for _443._tcp.
Signing again:
No correct ECDSAP256SHA256 signature for hummus.exim.org SSHFP
No correct ECDSAP256SHA256 signature for k8ft27pqo4i3u7u
I installed ldns in /opt/ldns from the upstream source tarball, version 1.7.0, and changed the zone management script to use that ldns-signzone instead, and things work:
Loading zone 'exim.org' from file 'db.exim.
Verifying the zone using the following algorithms: ECDSAP256SHA256.
Zone fully signed:
Algorithm: ECDSAP256SHA256: KSKs: 1 active, 0 stand-by, 0 revoked
I don't know what the root cause of the signing failure in the packaged ldnsutils is, I just see that it's fixed in upstream.
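The report's workaround was to run dnssec-verify after signing and only switch tools once the zone verified cleanly. A zone-management script can apply that gate automatically by parsing the verifier's output and refusing to publish a zone that is not fully signed. The following is an added example, not part of the bug report or of the ldns or BIND projects; it assumes the dnssec-verify message wording is the same as the lines quoted above, and the sample outputs are constructed from those quoted lines.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Message shapes as they appear in the dnssec-verify output quoted in the report.
# Assumption: the wording is stable across BIND versions; adjust if it changes.
_ALG_RE = re.compile(
    r"^Verifying the zone using the following algorithms: (?P<algs>[A-Z0-9, ]+)\.$"
)
# Owner name, then an optional RR type; some lines in the report are cut short,
# so the type is optional and the owner is taken as-is.
_MISSING_RE = re.compile(
    r"^No correct (?P<alg>[A-Z0-9]+) signature for (?P<owner>\S+)(?: (?P<rrtype>[A-Z0-9]+))?\s*$"
)
_FATAL_RE = re.compile(r"^dnssec-verify: fatal: ")
_OK_RE = re.compile(r"^Zone fully signed:")


@dataclass
class VerifyResult:
    algorithms: List[str]                              # algorithms the verifier checked
    missing: List[Tuple[str, str, Optional[str]]]      # (algorithm, owner, rrtype or None)
    fully_signed: bool                                 # "Zone fully signed:" seen
    fatal: bool                                        # a fatal line was seen


def parse_dnssec_verify(output: str) -> VerifyResult:
    """Turn dnssec-verify text output into a structured result."""
    algorithms: List[str] = []
    missing: List[Tuple[str, str, Optional[str]]] = []
    fully_signed = False
    fatal = False
    for line in output.splitlines():
        line = line.rstrip()
        m = _ALG_RE.match(line)
        if m:
            algorithms = [a.strip() for a in m.group("algs").split(",") if a.strip()]
            continue
        m = _MISSING_RE.match(line)
        if m:
            missing.append((m.group("alg"), m.group("owner"), m.group("rrtype")))
            continue
        if _FATAL_RE.match(line):
            fatal = True
        elif _OK_RE.match(line):
            fully_signed = True
    return VerifyResult(algorithms, missing, fully_signed, fatal)


def safe_to_publish(output: str) -> bool:
    """Fail closed: publish only when the verifier reported a fully signed zone,
    named at least one algorithm, listed no unsigned records and hit no fatal error."""
    r = parse_dnssec_verify(output)
    return bool(r.algorithms) and r.fully_signed and not r.missing and not r.fatal


# Constructed sample outputs, assembled from the lines quoted in the bug report.
BROKEN_OUTPUT = """\
Loading zone 'exim.org' from file 'db.exim.org'
Verifying the zone using the following algorithms: ECDSAP256SHA256.
No correct ECDSAP256SHA256 signature for d201705.
No correct ECDSAP256SHA256 signature for www.pl.exim.org A
The zone is not fully signed for the following algorithms: ECDSAP256SHA256.
dnssec-verify: fatal: DNSSEC completeness test failed.
"""

GOOD_OUTPUT = """\
Loading zone 'exim.org' from file 'db.exim.org'
Verifying the zone using the following algorithms: ECDSAP256SHA256.
Zone fully signed:
Algorithm: ECDSAP256SHA256: KSKs: 1 active, 0 stand-by, 0 revoked
"""

if __name__ == "__main__":
    for label, out in (("broken", BROKEN_OUTPUT), ("good", GOOD_OUTPUT)):
        res = parse_dnssec_verify(out)
        print(label, "publish" if safe_to_publish(out) else "HOLD", res.missing)
```

In a real signing pipeline the `output` string comes from running dnssec-verify on the freshly signed file (for example via `subprocess.run` with captured stdout and stderr), and a `False` from `safe_to_publish` should stop the zone from being loaded into the authoritative server, which would have caught the bad signatures before they caused the DKIM failures described above.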