Hi, I recently upgraded our downstream name server of our OpenDNSSEC installation to BIND version 9.14.2, up from version 9.10.x-Py. With that upgrade, it looks like BIND and "dig" are no longer successfully talking to our OpenDNSSEC 1.4.x installation:
sns:~> dig @ods-host -y hmac-sha256:keyname:key some-zone-served-by-ods soa +norec
;; Warning: Message parser reports malformed message packet.
;; Couldn't verify signature: expected a TSIG or SIG(0)

; <<>> DiG 9.14.2 <<>> @ods-host -y hmac-sha256 some-zone-served-by-ods soa +norec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 45391
;; flags: qr; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: EDNS query returned status FORMERR - retry with '+noedns'
;; WARNING: Message has 117 extra bytes at end

;; Query time: 2 msec
;; SERVER: 158.38.3.18#53(158.38.3.18)
;; WHEN: Wed May 29 14:24:30 CEST 2019
;; MSG SIZE  rcvd: 165

;; WARNING -- Some TSIG could not be validated
sns:~>

Supplying +noedns as an extra argument fixes the problem.

OpenDNSSEC logs:

May 29 14:26:36 tilfeldigvis ods-signerd: [socket] incoming udp message
May 29 14:26:36 tilfeldigvis ods-signerd: [tsig] parse: not TSIG or not ANY
May 29 14:26:36 tilfeldigvis ods-signerd: [tsig] parse: not TSIG or not ANY
May 29 14:26:36 tilfeldigvis ods-signerd: [query] too many additional rrs
May 29 14:26:36 tilfeldigvis ods-signerd: [query] formerr
May 29 14:26:36 tilfeldigvis ods-signerd: [socket] query processed qstate=0
May 29 14:26:36 tilfeldigvis ods-signerd: [query] add edns opt ok

Hrm... Looking at the query in wireshark reveals that it's including an OPT record for the root, including a DNS cookie, and the TSIG record for the transaction.

The code spitting out the "too many additional rrs" comes from query_find_tsig() in signer/src/wire/query.c, and I wonder if the edns_rr_parse() function didn't manage to parse the EDNS record correctly, but I didn't manage to catch the debug log message from that function even if I cranked the verbosity to 10.

To get it to work again I configured BIND to not use edns towards our OpenDNSSEC installation via a "server" option clause.
Regards,
- Håvard

_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
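As an added illustration of what the signer has to parse in the query above (this is editor-written example code, not OpenDNSSEC's query.c or BIND's code): when dig is run with -y and EDNS enabled, the additional section carries two RRs, an OPT pseudo-RR owned by the root with a COOKIE option (RFC 6891, RFC 7873) followed by the TSIG RR, which must be the last RR in the message (RFC 8945). The parser below walks that section, accepts OPT plus TSIG, and reports the FORMERR conditions a server can legitimately raise (a second OPT, TSIG not last, truncation, trailing bytes). The allow_edns=False mode is an assumption that models a server accepting only a lone TSIG in the additional section, mirroring the "too many additional rrs" log line in the report; the zone name, key name, cookie value and MAC bytes are constructed placeholders (no real HMAC is computed).

```python
"""Walk the additional section of a DNS query and pick out the EDNS(0) OPT
pseudo-RR and the TSIG RR.  Added example; not OpenDNSSEC or BIND code."""
import struct

TYPE_SOA, TYPE_OPT, TYPE_TSIG = 6, 41, 250
CLASS_IN, CLASS_ANY = 1, 255
EDNS_OPT_COOKIE = 10            # option code for DNS cookies (RFC 7873)


def encode_name(name):
    """Uncompressed wire form of a dotted name ("example.test." -> labels + 0)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"


def decode_name(msg, pos):
    """Return (name, position after the name); follows compression pointers."""
    labels, end, hops = [], None, 0
    while True:
        if pos >= len(msg):
            raise ValueError("truncated name")
        length = msg[pos]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if end is None:
                end = pos + 2
            pos = ((length & 0x3F) << 8) | msg[pos + 1]
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        pos += 1
        if length == 0:
            return ".".join(labels) + ".", (end if end is not None else pos)
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length


def build_query(zone, keyname, edns=True, qid=0x1234):
    """Constructed SOA query with RD clear (+norec), optional OPT carrying a
    DNS cookie, and a TSIG RR with a placeholder MAC (no real HMAC computed)."""
    msg = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 2 if edns else 1)
    msg += encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    if edns:
        cookie = struct.pack("!HH", EDNS_OPT_COOKIE, 8) + b"\x01" * 8  # constructed client cookie
        # OPT: owner is the root, CLASS carries the UDP payload size, TTL the ext. rcode/version/flags
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, len(cookie)) + cookie
    mac = b"\x00" * 32                                                 # placeholder, not a real MAC
    rdata = (encode_name("hmac-sha256.")
             + struct.pack("!HIH", 0, 1559132670, 300)                 # 48-bit time signed, fudge
             + struct.pack("!H", len(mac)) + mac
             + struct.pack("!HHH", qid, 0, 0))                         # original id, error, other len
    return msg + encode_name(keyname) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata


def parse_options(rdata):
    """Split OPT rdata into (option code, option data) pairs."""
    opts, pos = [], 0
    while pos < len(rdata):
        if pos + 4 > len(rdata):
            raise ValueError("malformed OPT rdata")
        code, length = struct.unpack("!HH", rdata[pos:pos + 4])
        pos += 4
        if pos + length > len(rdata):
            raise ValueError("malformed OPT rdata")
        opts.append((code, rdata[pos:pos + length]))
        pos += length
    return opts


def parse_additional(msg, allow_edns=True):
    """Return {'opt': ..., 'tsig': ..., 'other': n}; raise ValueError on FORMERR.
    allow_edns=False is an assumed legacy policy: only a lone TSIG is accepted."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    pos = 12
    for _ in range(qd):
        _, pos = decode_name(msg, pos)
        pos += 4                                        # QTYPE + QCLASS
    found = {"opt": None, "tsig": None, "other": 0}
    for i in range(an + ns + ar):
        name, pos = decode_name(msg, pos)
        if pos + 10 > len(msg):
            raise ValueError("truncated RR header")
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if pos + rdlen > len(msg):
            raise ValueError("truncated RR data")
        rdata = msg[pos:pos + rdlen]
        pos += rdlen
        if i < an + ns:                                 # answer/authority: just skipped
            continue
        if rtype == TYPE_TSIG:
            if i != an + ns + ar - 1:
                raise ValueError("TSIG must be the last RR in the message")
            found["tsig"] = {"keyname": name, "algorithm": decode_name(rdata, 0)[0]}
        elif rtype == TYPE_OPT:
            if found["opt"] is not None:
                raise ValueError("more than one OPT RR")
            if not allow_edns:
                raise ValueError("too many additional rrs")
            found["opt"] = {"udp_payload": rclass, "options": parse_options(rdata)}
        elif allow_edns:
            found["other"] += 1                         # ordinary additional RRs are tolerated
        else:
            raise ValueError("too many additional rrs")
    if pos != len(msg):
        raise ValueError("%d extra bytes at end" % (len(msg) - pos))
    return found


def classify(msg, allow_edns=True):
    """(rcode, detail) view of parse_additional for quick checks."""
    try:
        return "NOERROR", parse_additional(msg, allow_edns)
    except ValueError as e:
        return "FORMERR", str(e)
```

Running classify() on build_query(...) with edns=True shows the OPT/COOKIE and TSIG both recognised; the same message under allow_edns=False is rejected with the "too many additional rrs" condition, while the edns=False message (the +noedns case) is accepted under both policies, which is the behaviour difference the dig run above reports.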
