On Sun, Feb 13, 2011 at 11:07:31AM +0100,
 Stephane Bortzmeyer <bortzme...@nic.fr> wrote 
 a message of 35 lines which said:

> is flagged as invalid by a BIND ('meqimi6fje5ni47pjahv5qigu1lv3jlj.fr
> NSEC3: no valid signature found') or an Unbound resolver ('debug:
> verify: signature mismatch'). I fancy that the spurious TYPE65534 may have
> been added after the signing.

I managed, by a lot of copy-and-paste from kept dig answers, to
reproduce the problem. Tests have been done with
<http://www.verisignlabs.com/dnssec-tools/>. When I use the NSEC3 with
TYPE65534, I get:

WARNING: Signature failed to verify RRset:
  rr:  meqimi6fje5ni47pjahv5qigu1lv3jlj.fr.     5400    IN      NSEC3
  1 1 1 BADFE11A O5SMCS6CUNUQC5RFJ6S94TGGRFH1TVC7 NS SOA TXT NAPTR
  RRSIG DNSKEY NSEC3PARAM TYPE65534

  sig: meqimi6fje5ni47pjahv5qigu1lv3jlj.fr.     5400    IN      RRSIG
  NSEC3 8 2 5400 20110408081500 20110207081500 2331
  fr. 
OFDRwZAgzDT1y8fTJ1XCfHlajEAHzqk2dsJaCR1TSednnBSEkctIUP6AsZuD+EOZtEPCM2Oe3cI/fG2GfA1nAUDaS1INN3I6YRpB3n2/oCfKBvs68fvCexBOIgz+oc74VrPvjDtPkVyGbJ5ImSlwu8Uc8rTXKh47CdS0AdJLmso=
Reason: Signature failed to verify cryptographically

If I remove the TYPE65534 by hand, leaving the signature intact, the
problem disappears.

% diff  fr-with-type65534 fr-with-type65534-removed 
4d3
< fr.                     0       IN      TYPE65534   \# 0 
25c24
< meqimi6fje5ni47pjahv5qigu1lv3jlj.fr. 5400 IN NSEC3 1 1 1 BADFE11A
O5SMCS6CUNUQC5RFJ6S94TGGRFH1TVC7 NS SOA TXT NAPTR RRSIG DNSKEY
NSEC3PARAM TYPE65534
---
> meqimi6fje5ni47pjahv5qigu1lv3jlj.fr. 5400 IN NSEC3 1 1 1 BADFE11A
> O5SMCS6CUNUQC5RFJ6S94TGGRFH1TVC7 NS SOA TXT NAPTR RRSIG DNSKEY
> NSEC3PARAM 

I also checked again that TYPE65534 is *not* served by BIND in the
normal situation, even when I dynamically update the zone and BIND
modifies the NSEC3 chain and the signatures.

So, it really seems there is a BIND bug here. I guess that the
TYPE65534 was wrongly added to the NSEC3 after it had been signed.

Many thanks to Gilles Massen for his help, ideas and solutions.
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
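Why the signature cannot verify once TYPE65534 is in the bitmap, as an added example that is not part of the mail above and not BIND's or the DNSSEC-tools' code: the RRSIG over an NSEC3 covers the record's RDATA, and the type bitmap is part of that RDATA (RFC 5155 s.3.2, bitmap format from RFC 4034 s.4.1.2). The Python below builds the NSEC3 RDATA quoted in the mail in wire form, once with the types the signer saw and once with TYPE65534 added, and shows the bytes that differ. The owner name, TTL, salt and next hashed owner are copied from the mail; type codes are the IANA registry values; the helper names (`encode_type_bitmap`, `nsec3_rdata`, `canonical_rr`, `compare`) are this example's own.

```python
"""Added example: what adding TYPE65534 to a signed NSEC3 changes on the wire."""
import base64
import struct

# IANA RR type codes for the mnemonics in the NSEC3 from the mail.
TYPE_CODES = {
    "NS": 2, "SOA": 6, "TXT": 16, "NAPTR": 35, "RRSIG": 46,
    "DNSKEY": 48, "NSEC3PARAM": 51, "TYPE65534": 65534,
}
NSEC3 = 50   # RR type code of NSEC3
CLASS_IN = 1

def encode_type_bitmap(types):
    """Encode RR type codes as an NSEC/NSEC3 type bitmap (RFC 4034 s.4.1.2).

    Window N holds types N*256..N*256+255. Each window that has at least one
    type is emitted as: window number (1 byte), bitmap length (1 byte), bitmap
    with trailing zero bytes trimmed (1..32 bytes). The most significant bit of
    byte 0 is the lowest type in the window.
    """
    windows = {}
    for t in set(types):
        if not 0 <= t <= 65535:
            raise ValueError("type code out of range: %d" % t)
        win, offset = divmod(t, 256)
        windows.setdefault(win, bytearray(32))[offset // 8] |= 0x80 >> (offset % 8)
    out = bytearray()
    for win in sorted(windows):
        bitmap = bytes(windows[win]).rstrip(b"\x00")
        out += struct.pack("!BB", win, len(bitmap)) + bitmap
    return bytes(out)

def decode_type_bitmap(data):
    """Inverse of encode_type_bitmap: wire bitmap -> sorted list of type codes."""
    types, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated window header at offset %d" % i)
        win, length = data[i], data[i + 1]
        if not 1 <= length <= 32 or i + 2 + length > len(data):
            raise ValueError("malformed type bitmap window at offset %d" % i)
        for byte_idx, byte in enumerate(data[i + 2:i + 2 + length]):
            types.extend(win * 256 + byte_idx * 8 + bit
                         for bit in range(8) if byte & (0x80 >> bit))
        i += 2 + length
    return sorted(types)

def name_to_wire(name):
    """Owner name in canonical wire form (RFC 4034 s.6.2): lower-case labels."""
    wire = bytearray()
    for label in name.rstrip(".").lower().split("."):
        wire += struct.pack("!B", len(label)) + label.encode("ascii")
    return bytes(wire) + b"\x00"

def nsec3_rdata(hash_alg, flags, iterations, salt_hex, next_hashed_b32hex, type_names):
    """NSEC3 RDATA in wire form (RFC 5155 s.3.2)."""
    salt = bytes.fromhex(salt_hex)
    # The next hashed owner is base32hex (RFC 4648 s.7); map it onto the
    # standard base32 alphabet so base64.b32decode can decode it.
    to_std = str.maketrans("0123456789ABCDEFGHIJKLMNOPQRSTUV",
                           "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567")
    next_hashed = base64.b32decode(next_hashed_b32hex.upper().translate(to_std))
    return (struct.pack("!BBHB", hash_alg, flags, iterations, len(salt)) + salt
            + struct.pack("!B", len(next_hashed)) + next_hashed
            + encode_type_bitmap(TYPE_CODES[t] for t in type_names))

def canonical_rr(owner, rrtype, ttl, rdata):
    """One RR as it enters the RRSIG computation (RFC 4034 s.3.1.8.1):
    owner | type | class | original TTL | RDLENGTH | RDATA."""
    return name_to_wire(owner) + struct.pack("!HHIH", rrtype, CLASS_IN, ttl, len(rdata)) + rdata

# Values copied from the NSEC3 quoted in the mail.
OWNER = "meqimi6fje5ni47pjahv5qigu1lv3jlj.fr."
TTL = 5400
SIGNED_TYPES = ["NS", "SOA", "TXT", "NAPTR", "RRSIG", "DNSKEY", "NSEC3PARAM"]

def compare():
    """Build the NSEC3 with and without TYPE65534; return both RDATA and both
    canonical RRs so the signed bytes can be diffed."""
    args = (1, 1, 1, "BADFE11A", "O5SMCS6CUNUQC5RFJ6S94TGGRFH1TVC7")
    without = nsec3_rdata(*args, SIGNED_TYPES)
    with_ = nsec3_rdata(*args, SIGNED_TYPES + ["TYPE65534"])
    return {
        "rdata_without": without,
        "rdata_with": with_,
        "rr_without": canonical_rr(OWNER, NSEC3, TTL, without),
        "rr_with": canonical_rr(OWNER, NSEC3, TTL, with_),
    }

if __name__ == "__main__":
    r = compare()
    extra = r["rdata_with"][len(r["rdata_without"]):]
    print("bitmap as signed :", r["rdata_without"][30:].hex())
    print("bytes TYPE65534 adds:", extra.hex())
    print("signed RR bytes differ:", r["rr_without"] != r["rr_with"])
```

TYPE65534 lives in window 255, so it cannot be folded into the existing window-0 block: a second, 34-byte window block is appended and RDLENGTH grows with it. A validator hashes the RR as served, so an RRSIG made over the shorter form can only fail, which is the "Signature failed to verify cryptographically" the DNSSEC-tools report.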