Public bug reported:

The domain "exim.org" is DNSSEC-signed using ldns-signzone(1) on Ubuntu,
ldnsutils 1.6.17-1 on i386.

After investigating spam rejections of exim-users mail, I determined
that there was a broken signature upon the current DKIM key
("d201705._domainkey.exim.org").  I re-signed the zone and the record
validated.  I continued to investigate.  I could not use dnssec-verify(1)
from bind9utils because it fails upon the presence of a CAA record.  So I
copied the zonefiles to a FreeBSD box and used dnssec-verify there.

    Loading zone 'exim.org' from file 'db.exim.org'
    Verifying the zone using the following algorithms: ECDSAP256SHA256.
    No correct ECDSAP256SHA256 signature for d201705._domainkey.exim.org TXT
    No correct ECDSAP256SHA256 signature for www.pl.exim.org A
    The zone is not fully signed for the following algorithms: ECDSAP256SHA256.
    dnssec-verify: fatal: DNSSEC completeness test failed.

The newly-signed zone instead had:

    No correct ECDSAP256SHA256 signature for ftp.exim.org AAAA
    No correct ECDSAP256SHA256 signature for _443._tcp.lists.exim.org CNAME

Signing again:

    No correct ECDSAP256SHA256 signature for hummus.exim.org SSHFP
    No correct ECDSAP256SHA256 signature for k8ft27pqo4i3u7uqu5dk2l4ra1hsl6lt.exim.org NSEC3

I installed ldns in /opt/ldns from upstream source tarball, version
1.7.0, and changed the zone management script to use that ldns-signzone
instead, and things work:

    Loading zone 'exim.org' from file 'db.exim.org-2017060402'
    Verifying the zone using the following algorithms: ECDSAP256SHA256.
    Zone fully signed:
    Algorithm: ECDSAP256SHA256: KSKs: 1 active, 0 stand-by, 0 revoked
                                ZSKs: 1 active, 0 stand-by, 0 revoked

I don't know what the root cause of the signing failure in the packaged
ldnsutils is; I just see that it's fixed in upstream.

** Affects: ldns (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1695799

Title:
  ldns-signzone generates invalid DNSSEC zones
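
The sign-then-verify gate the report ends up with, written as an added example rather than code from the report or from ldns: the zone is signed, checked with dnssec-verify, and installed only if no RRset lacks a correct signature. The tool paths, the `-f`/`-o` flags, the key base name and the `.live` install step are assumptions.

```shell
#!/bin/sh
# Added example, not code from the bug report or from ldns: a publish gate
# that signs a zone and refuses to install the result unless dnssec-verify
# reports it fully signed. Paths, flags and the key name are assumptions.
SIGNZONE=${SIGNZONE:-/opt/ldns/bin/ldns-signzone}   # upstream 1.7.0 build, as in the report
VERIFY=${VERIFY:-dnssec-verify}                      # from bind9utils / BIND

# Read dnssec-verify output on stdin. Print "owner type" for each RRset it
# flags as lacking a correct signature; exit 1 if any such line was seen.
signing_failures() {
    awk '/^No correct .* signature for / { print $6, $7; found = 1 }
         END { exit (found ? 1 : 0) }'
}

# Exit 0 only if the output carries the explicit "Zone fully signed:" verdict.
zone_fully_signed() {
    grep -q '^Zone fully signed:'
}

# sign_and_verify ZONE ZONEFILE KEYBASE: write ZONEFILE.signed and rename it to
# ZONEFILE.live only when verification passes; otherwise leave the previous
# live file untouched and report the broken RRsets.
sign_and_verify() {
    zone=$1; zonefile=$2; keybase=$3
    signed="$zonefile.signed"
    "$SIGNZONE" -f "$signed" "$zonefile" "$keybase" || return 1
    report=$("$VERIFY" -o "$zone" "$signed" 2>&1) || true   # judged by content below
    if broken=$(printf '%s\n' "$report" | signing_failures) && \
       printf '%s\n' "$report" | zone_fully_signed; then
        mv "$signed" "$zonefile.live"
        return 0
    fi
    echo "refusing to publish $zone; RRsets without a correct signature:" >&2
    printf '%s\n' "$broken" >&2
    rm -f "$signed"
    return 1
}

if [ "$#" -eq 3 ]; then sign_and_verify "$@"; fi
```

Run as `sh gate.sh exim.org db.exim.org Kexim.org.+013+NNNNN`; a signer that intermittently emits bad RRSIGs, as the packaged one did here, then fails the gate instead of reaching the nameserver.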
