[ldns-users] Zone signing problem with DSA keys

Patrick Fedick fedick at denic.de
Wed Mar 12 15:16:54 UTC 2014


Hello,

I have a testsuite, which basically generates DNSKEYs, signs a small zone with them and then verifies the signed zone. This is done with different algorithms, key sizes and other variations. The testsuite is written in C++ using the ldns library (ldns version 1.6.17, openssl 1.0.1e, CentOS 6.5 or Ubuntu 12.04). The code is based on ldns-keygen, ldns-signzone and ldns-verify-zone.

It is expected that none of these tests fail, but in practice some of them do fail with the error "Bogus DNSSEC signature for xxxxxx.      DNSKEY" or other RR.

It seems the tests only fail when using DSA or DSA-NSEC3-SHA1 keys (I've not tested ECDSA). Key size doesn't matter. To exclude an error in my code, I've written a small shell script which only uses the tools ldns-keygen, ldns-signzone and ldns-verify-zone, and I could reproduce the problem with it.

The script performs the following steps in a loop 1000 times:
  1. Generate a ZSK with "ldns-keygen -a DSA -b 1024 -r /dev/urandom test.de"
  2. Append the DNSKEY RR to a test zone, which only consists of the SOA and two NS RRs
  3. Sign the zone with: ldns-signzone -o test.de -n db.test.de $ZSK_KEYNAME
  4. Verify the zone with: ldns-verify-zone db.test.de.signed

There are no errors detected in ldns-keygen and ldns-signzone, but ldns-verify-zone randomly reports bogus signatures.

I've also tested what happens when always using the same key for signing. I can see that the RRSIG records change in each iteration (probably a random component), but when using a ZSK which worked before, ldns-verify-zone always succeeds, and when using a ZSK which failed before, verification always fails. I believe there is something wrong in the DSA key generation, but it could also be a bug in the signing process. I'm unable to track this issue down any further.

I have attached an archive which contains my demo script as well as a "good key" and a "bad key". The script creates a "tmp" folder in the current directory, expects the ldns tools to be in the PATH and needs /bin/bash.

It would be nice if someone could confirm whether this is a bug in ldns (or openssl?) or whether I'm doing something completely wrong.

Best regards,

Patrick Fedick

-- 
Patrick Fedick
IT-Services

DENIC eG
Kaiserstraße 75-77
60329 Frankfurt am Main
GERMANY

E-Mail: fedick at denic.de
Fon: +49 69 27235-403
Fax: +49 69 27235-239
http://www.denic.de

Information pursuant to § 25a paragraph 1 GenG (German Cooperatives Act):
DENIC eG (registered office: Frankfurt am Main)
Management Board: Helga Krüger, Carsten Schiefner, Dr. Jörg Schweiger
Chairman of the Supervisory Board: Thomas Keller
Registered under No. 770 in the register of cooperatives, Amtsgericht Frankfurt am Main
-------------- next part --------------
A non-text attachment was scrubbed...
Name: demo.tar.gz
Type: application/x-gzip
Size: 2862 bytes
Desc: not available
URL: <http://lists.nlnetlabs.nl/pipermail/ldns-users/attachments/20140312/362e203c/attachment.bin>