Lots of "RSA_verify failed" after upgrade to 9.7.7
Yesterday I upgraded our slave DNS (running FreeBSD 7.4) from bind 9.7.6.4 to 9.7.7. The server uses bind97 from ports.

After that upgrade I get lots of these in syslog:

RSA_verify failed error:04077068:rsa routines:RSA_verify:bad signature:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/rsa/rsa_sign.c:263:

I have never seen these before. I tried Google but got no recent results. Anyone know what this means and how to get rid of these errors?

Thanks!

Peter Olsson

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Lots of "RSA_verify failed" after upgrade to 9.7.7
In message <20121105092813.ge34...@pol-server.leissner.se>, Peter Olsson writes:

> Yesterday I upgraded our slave DNS (running FreeBSD 7.4) from bind 9.7.6.4 to 9.7.7. The server uses bind97 from ports.
>
> After that upgrade I get lots of these in syslog:
>
> RSA_verify failed error:04077068:rsa routines:RSA_verify:bad signature:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/rsa/rsa_sign.c:263:
>
> I have never seen these before. I tried Google but got no recent results. Anyone know what this means and how to get rid of these errors?

Ignore them. They will be addressed in the next maintenance release.

> Thanks!
>
> Peter Olsson

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org
BIND 9.7.3 and NSEC3 hash algorithms 5 & 7 (RSA/SHA-1)
Hi,

I'm testing a DNSSEC server using BIND 9.7.3 and OpenDNSSEC. I have successfully signed my local zone with ods tools and NSEC3 RSA/SHA1 (algorithms 5 and 7, both being aliases), but BIND refuses to load the zone complaining these algorithms are not supported:

general: warning: zone myzone.mydomain.org/IN: unsupported nsec3 hash algorithm: 7
general: error: zone myzone.mydomain.org/IN: no supported nsec3 hash algorithm
general: error: zone myzone.mydomain.org/IN: not loaded due to errors.

(the same happens with algorithm 5).

Could this be a BIND bug? (Someone told me these algorithms are fully supported).

Kind regards,
Antonio
Re: BIND 9.7.3 and NSEC3 hash algorithms 5 & 7 (RSA/SHA-1)
In message <201211051152.45367.a...@ipna.csic.es>, Antonio Marcos López Alonso writes:

> Hi,
>
> I'm testing a DNSSEC server using BIND 9.7.3 and OpenDNSSEC. I have successfully signed my local zone with ods tools and NSEC3 RSA/SHA1 (algorithms 5 and 7, both being aliases), but BIND refuses to load the zone complaining these algorithms are not supported:
>
> general: warning: zone myzone.mydomain.org/IN: unsupported nsec3 hash algorithm: 7

The *only* defined hash algorithm for NSEC3 records is 1 (SHA-1).
http://www.iana.org/assignments/dnssec-nsec3-parameters

5 and 7 refer to DNSKEY algorithms.
http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xml

> general: error: zone myzone.mydomain.org/IN: no supported nsec3 hash algorithm
> general: error: zone myzone.mydomain.org/IN: not loaded due to errors.
>
> (the same happens with algorithm 5).
>
> Could this be a BIND bug? (Someone told me these algorithms are fully supported).
>
> Kind regards,
> Antonio

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org
Re: BIND 9.7.3 and NSEC3 hash algorithms 5 & 7 (RSA/SHA-1)
On Monday, 5 November 2012 at 12:16:31, Mark Andrews wrote:
> In message <201211051152.45367.a...@ipna.csic.es>, Antonio Marcos López Alonso writes:
> > Hi,
> >
> > I'm testing a DNSSEC server using BIND 9.7.3 and OpenDNSSEC. I have successfully signed my local zone with ods tools and NSEC3 RSA/SHA1 (algorithms 5 and 7, both being aliases), but BIND refuses to load the zone complaining these algorithms are not supported:
> >
> > general: warning: zone myzone.mydomain.org/IN: unsupported nsec3 hash algorithm: 7
>
> The *only* defined hash algorithm for NSEC3 records is 1 (SHA-1).
> http://www.iana.org/assignments/dnssec-nsec3-parameters
>
> 5 and 7 refer to DNSKEY algorithms.
> http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xml

I'm a little bit confused here. If SHA-1 is the only defined hash algorithm for NSEC3, why is algorithm 7 listed as RSASHA1-NSEC3-SHA1, and why does it work in a command like:

dnssec-keygen -r /dev/urandom -a NSEC3RSASHA1 -b 1024 myzone.mydomain.org

Sorry in advance for the question but I'm still getting the nuts and bolts of DNSSEC. :-)

Kind regards,
Antonio
Re: BIND 9.7.3 and NSEC3 hash algorithms 5 & 7 (RSA/SHA-1)
In message <201211051239.55119.a...@ipna.csic.es>, Antonio Marcos López Alonso writes:
> On Monday, 5 November 2012 at 12:16:31, Mark Andrews wrote:
> > In message <201211051152.45367.a...@ipna.csic.es>, Antonio Marcos López Alonso writes:
> > > Hi,
> > >
> > > I'm testing a DNSSEC server using BIND 9.7.3 and OpenDNSSEC. I have successfully signed my local zone with ods tools and NSEC3 RSA/SHA1 (algorithms 5 and 7, both being aliases), but BIND refuses to load the zone complaining these algorithms are not supported:
> > >
> > > general: warning: zone myzone.mydomain.org/IN: unsupported nsec3 hash algorithm: 7
> >
> > The *only* defined hash algorithm for NSEC3 records is 1 (SHA-1).
> > http://www.iana.org/assignments/dnssec-nsec3-parameters
> >
> > 5 and 7 refer to DNSKEY algorithms.
> > http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xml
>
> I'm a little bit confused here. If SHA-1 is the only defined hash algorithm for NSEC3, why is algorithm 7 listed as RSASHA1-NSEC3-SHA1, and why does it work in a command like:
>
> dnssec-keygen -r /dev/urandom -a NSEC3RSASHA1 -b 1024 myzone.mydomain.org
>
> Sorry in advance for the question but I'm still getting the nuts and bolts of DNSSEC. :-)
>
> Kind regards,
> Antonio

There are a number of different algorithm numbers in various DNSSEC related records.

* DNSSEC algorithm numbers appear in DNSKEY, RRSIG and DS records.
  This defines how signatures are generated and whether NSEC3 is permitted in the zone as well as which NSEC3 hash algorithms are allowed in the zone.
* NSEC3 hash algorithm numbers appear in NSEC3 records.
  This defines the NSEC3 hash algorithm used to generate the NSEC3 record.
* DS hash algorithm numbers appear in DS records.
  This defines the DS hash algorithm used to generate the DS record.

Note DS records have 2 algorithm numbers.

Zones signed with RSASHA1-NSEC3-SHA1 (7) are signed with RSA signatures of the SHA1 hash of the RRset (RSASHA1). The zone *may* contain NSEC3 records and those NSEC3 records must be generated using the SHA1 (1) hash algorithm.

The error message said you signed the zone with NSEC3 records generated with hash algorithm 7. There is no such algorithm defined for NSEC3 records.

Mark

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org
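The three registries Mark distinguishes, applied the way named applies them at zone load, as an added example (not code from the thread, from BIND or from OpenDNSSEC). It checks the DNSKEY/RRSIG/DS algorithm number, the NSEC3/NSEC3PARAM hash algorithm number and the DS digest type against excerpts of the IANA registries, cross-checks that a zone using NSEC3 is signed only with NSEC3-permitting DNSKEY algorithms, and implements NSEC3 hash algorithm 1 (RFC 5155 section 5) so an NSEC3 owner name can be recomputed from the name, salt and iteration count. The record triples, the zone name, the salt `f00dcafe`, the placeholder key and next-hash strings, and the function names `check_record`, `check_zone` and `nsec3_hash` are all constructed for this illustration; the one real value is the RFC 5155 Appendix A test vector for `example.` with salt `aabbccdd` and 12 iterations.

```python
import base64
import hashlib

# Registry excerpts (IANA), enough for the checks below; not the full lists.
# DNS Security Algorithm Numbers: the "algorithm" field of DNSKEY, RRSIG and DS.
DNSKEY_ALGORITHMS = {
    1: "RSAMD5", 3: "DSA", 5: "RSASHA1",
    6: "DSA-NSEC3-SHA1", 7: "RSASHA1-NSEC3-SHA1",
    8: "RSASHA256", 10: "RSASHA512",
    13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384", 15: "ED25519", 16: "ED448",
}
# DNSSEC NSEC3 Hash Algorithms: the first field of NSEC3 and NSEC3PARAM. One entry.
NSEC3_HASH_ALGORITHMS = {1: "SHA-1"}
# Digest Algorithms: the "digest type" field of DS (its second algorithm number).
DS_DIGEST_TYPES = {1: "SHA-1", 2: "SHA-256", 4: "SHA-384"}

_B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_B32HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV"


def dnskey_alg_permits_nsec3(alg: int) -> bool:
    """RFC 5155: 6 and 7 are the NSEC3-signalling aliases of 3 and 5, and every
    algorithm registered after it (8 and up) is NSEC3-aware; 1, 3 and 5 are not."""
    return alg in (6, 7) or alg >= 8


def nsec3_hash(owner: str, salt_hex: str, iterations: int) -> str:
    """NSEC3 hash algorithm 1 (RFC 5155 section 5):
    IH(0) = SHA1(owner || salt), IH(k) = SHA1(IH(k-1) || salt) for k = 1..iterations,
    owner in canonical (lowercase) wire format; output in base32hex."""
    labels = [lab for lab in owner.lower().rstrip(".").split(".") if lab]
    wire = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)   # "-" means empty salt
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20 bytes encode to exactly 32 base32 characters, so there is no padding to strip.
    return base64.b32encode(digest).decode("ascii").translate(str.maketrans(_B32, _B32HEX)).lower()


def check_record(owner: str, rtype: str, rdata: str) -> list:
    """Problems with the algorithm fields of one record, worded like named's log lines."""
    f = rdata.split()
    problems = []
    if rtype == "DNSKEY":                      # flags protocol algorithm key
        alg = int(f[2])
        if alg not in DNSKEY_ALGORITHMS:
            problems.append(f"{owner} DNSKEY: unknown DNSSEC algorithm {alg}")
    elif rtype in ("NSEC3", "NSEC3PARAM"):     # hashalg flags iterations salt ...
        halg = int(f[0])
        if halg not in NSEC3_HASH_ALGORITHMS:
            problems.append(f"{owner} {rtype}: unsupported nsec3 hash algorithm: {halg}")
    elif rtype == "DS":                        # keytag algorithm digesttype digest
        alg, dtype = int(f[1]), int(f[2])
        if alg not in DNSKEY_ALGORITHMS:
            problems.append(f"{owner} DS: unknown DNSSEC algorithm {alg}")
        if dtype not in DS_DIGEST_TYPES:
            problems.append(f"{owner} DS: unknown digest type {dtype}")
    return problems


def check_zone(records) -> list:
    """records: (owner, type, rdata) triples. Per-record checks plus the cross-check
    Mark describes: if the zone uses NSEC3, every DNSKEY algorithm must permit it."""
    problems, dnskey_algs, uses_nsec3 = [], set(), False
    for owner, rtype, rdata in records:
        problems += check_record(owner, rtype, rdata)
        if rtype == "DNSKEY":
            dnskey_algs.add(int(rdata.split()[2]))
        if rtype in ("NSEC3", "NSEC3PARAM"):
            uses_nsec3 = True
    if uses_nsec3:
        for alg in sorted(dnskey_algs):
            if not dnskey_alg_permits_nsec3(alg):
                problems.append(f"zone: DNSKEY algorithm {alg} does not permit NSEC3; use 6, 7 or 8 and up")
    return problems


# Constructed sample records (not the poster's zone). Key algorithm 7 is fine, but the
# NSEC3PARAM carries hash algorithm 7, which is exactly what named rejected.
BROKEN_ZONE = [
    ("myzone.mydomain.org.", "DNSKEY", "257 3 7 AwEAAc-placeholder-key"),
    ("myzone.mydomain.org.", "NSEC3PARAM", "7 0 10 f00dcafe"),
]
# The same zone with hash algorithm 1; the NSEC3 owner name is derived from the apex name.
FIXED_ZONE = [
    ("myzone.mydomain.org.", "DNSKEY", "257 3 7 AwEAAc-placeholder-key"),
    ("myzone.mydomain.org.", "NSEC3PARAM", "1 0 10 f00dcafe"),
    (nsec3_hash("myzone.mydomain.org.", "f00dcafe", 10) + ".myzone.mydomain.org.",
     "NSEC3", "1 0 10 f00dcafe PLACEHOLDERNEXTHASH SOA NS RRSIG DNSKEY NSEC3PARAM"),
]
# A zone signed with plain RSASHA1 (5) that also uses NSEC3 trips the cross-check.
MISMATCHED_ZONE = [
    ("myzone.mydomain.org.", "DNSKEY", "257 3 5 AwEAAc-placeholder-key"),
    ("myzone.mydomain.org.", "NSEC3PARAM", "1 0 10 f00dcafe"),
]

if __name__ == "__main__":
    # RFC 5155 Appendix A vector: example. with salt aabbccdd and 12 iterations.
    print(nsec3_hash("example.", "aabbccdd", 12))
    for name, zone in (("broken", BROKEN_ZONE), ("fixed", FIXED_ZONE), ("mismatched", MISMATCHED_ZONE)):
        print(name, check_zone(zone) or "ok")
```

Running it prints the RFC vector hash and then one line per sample zone: the broken zone reproduces the "unsupported nsec3 hash algorithm: 7" wording from Antonio's log, the fixed zone passes, and the mismatched zone shows the other failure the first bullet warns about, an NSEC3 zone signed with an algorithm (5) that does not signal NSEC3 support.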
Re: BIND 9.7.3 and NSEC3 hash algorithms 5 & 7 (RSA/SHA-1)
On Monday, 5 November 2012 at 13:05:30, Mark Andrews wrote:
> In message <201211051239.55119.a...@ipna.csic.es>, Antonio Marcos López Alonso writes:
> > On Monday, 5 November 2012 at 12:16:31, Mark Andrews wrote:
> > > In message <201211051152.45367.a...@ipna.csic.es>, Antonio Marcos López Alonso writes:
> > > > Hi,
> > > >
> > > > I'm testing a DNSSEC server using BIND 9.7.3 and OpenDNSSEC. I have successfully signed my local zone with ods tools and NSEC3 RSA/SHA1 (algorithms 5 and 7, both being aliases), but BIND refuses to load the zone complaining these algorithms are not supported:
> > > >
> > > > general: warning: zone myzone.mydomain.org/IN: unsupported nsec3 hash algorithm: 7
> > >
> > > The *only* defined hash algorithm for NSEC3 records is 1 (SHA-1).
> > > http://www.iana.org/assignments/dnssec-nsec3-parameters
> > >
> > > 5 and 7 refer to DNSKEY algorithms.
> > > http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xml
> >
> > I'm a little bit confused here. If SHA-1 is the only defined hash algorithm for NSEC3, why is algorithm 7 listed as RSASHA1-NSEC3-SHA1, and why does it work in a command like:
> >
> > dnssec-keygen -r /dev/urandom -a NSEC3RSASHA1 -b 1024 myzone.mydomain.org
> >
> > Sorry in advance for the question but I'm still getting the nuts and bolts of DNSSEC. :-)
> >
> > Kind regards,
> > Antonio
>
> There are a number of different algorithm numbers in various DNSSEC related records.
>
> * DNSSEC algorithm numbers appear in DNSKEY, RRSIG and DS records.
>   This defines how signatures are generated and whether NSEC3 is permitted in the zone as well as which NSEC3 hash algorithms are allowed in the zone.
> * NSEC3 hash algorithm numbers appear in NSEC3 records.
>   This defines the NSEC3 hash algorithm used to generate the NSEC3 record.
> * DS hash algorithm numbers appear in DS records.
>   This defines the DS hash algorithm used to generate the DS record.
>
> Note DS records have 2 algorithm numbers.
>
> Zones signed with RSASHA1-NSEC3-SHA1 (7) are signed with RSA signatures of the SHA1 hash of the RRset (RSASHA1). The zone *may* contain NSEC3 records and those NSEC3 records must be generated using the SHA1 (1) hash algorithm.
>
> The error message said you signed the zone with NSEC3 records generated with hash algorithm 7. There is no such algorithm defined for NSEC3 records.
>
> Mark

Clear as water. Thanks a lot for taking the time to point me in the right direction!

Kind regards,
Antonio

**
Antonio Marcos López Alonso
Servicio de Informática y Telecomunicaciones
Instituto de Productos Naturales y Agrobiología (IPNA-CSIC)
mailto:a...@ipna.csic.es
(+34) 922 260 190 (Ext. 237)
***