Error to validate the signature of a SIG(0) transaction...

Manuel Gil Perez manuel at
Thu Dec 30 19:29:36 UTC 2004

Hi everyone,

I would like to use SIG(0) as a mechanism to publish certificates into my DNS 
server in a secure way using DNS dynamic update (note: I'm using the latest 
version of BIND, 9.3.0). For this, I create a new DNS message and generate 
the SIG(0) transaction signature, which is added to the message.

The request I send to the DNS server is the following:

;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 63187
;; flags: ; qd: 1 an: 0 au: 1 ad: 1
;; ZONE:
;;, type = SOA, class = IN

;; UPDATE RECORDS: 3600 IN CERT 1 378 1 <cert in PEM format>
. 0 ANY SIG TYPE0 1 1 0 20041230190407 20041230185907 58596 
<signature of the request>

The request is generated and sent successfully, but I obtain a SERVFAIL from 
the server:

;; ->>HEADER<<- opcode: UPDATE, status: SERVFAIL, id: 63187
;; flags: qr ; qd: 0 an: 0 au: 0 ad: 0
;; ZONE: <empty>
;; UPDATE RECORDS: <empty>

Reviewing the log files, the server returns the following error: <<request 
has invalid signature: not verified yet (NOERROR)>>.

Is BIND able to verify SIG(0) signatures? Doing the same process but 
using TSIG, the DNS server verifies the signatures perfectly.

Thanks... and regards,

Manuel Gil Pérez 
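Before suspecting the server, the checks a verifier applies to a SIG(0) RR ahead of any cryptography are worth reproducing on the client side: does the SIG's algorithm and key tag point at the KEY RR actually published for the signer, and does the inception/expiration window still cover the moment the server receives the request? The following is an added example, not code from the post or from BIND; the signer name, signature field and KEY RDATA are constructed placeholders, since the post elides them.

```python
import struct
from datetime import datetime, timezone

# Constructed SIG(0) RR in the shape of the one quoted in the post; the signer
# name and signature are placeholders because the post elides them.
SIG0_TEXT = (". 0 ANY SIG TYPE0 1 1 0 20041230190407 20041230185907 58596 "
             "signer.example. AAAA")

# Constructed RSA/MD5 (algorithm 1) KEY RDATA: flags, protocol 3, algorithm 1,
# exponent length 1, exponent 3, then a toy modulus ending in e4 e4 99, so its
# key tag is 0xe4e4 = 58596, matching the SIG(0) above.
RSAMD5_KEY = bytes.fromhex("000003010103" "010203e4e499")


def parse_sig0(text):
    """Split a presentation-format SIG(0) RR into its RDATA fields (RFC 2931)."""
    f = text.split()
    if f[3] != "SIG":
        raise ValueError("not a SIG record")

    def ts(s):  # YYYYMMDDHHMMSS timestamps are always UTC
        return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

    return {"type_covered": f[4], "algorithm": int(f[5]), "labels": int(f[6]),
            "orig_ttl": int(f[7]), "expiration": ts(f[8]), "inception": ts(f[9]),
            "key_tag": int(f[10]), "signer": f[11], "signature": f[12]}


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B. Algorithm 1 (RSA/MD5) is special-cased:
    the most significant 16 bits of the low 24 bits of the modulus."""
    if rdata[3] == 1:
        return struct.unpack(">H", rdata[-3:-1])[0]
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def check_sig0(sig, key_rdata, received_at):
    """Pre-crypto checks: does the SIG select this key, and is the request
    inside the signature's validity window at the time it is received?"""
    problems = []
    if key_rdata[3] != sig["algorithm"]:
        problems.append("algorithm mismatch")
    if key_tag(key_rdata) != sig["key_tag"]:
        problems.append("key tag mismatch")
    if not sig["inception"] <= received_at <= sig["expiration"]:
        problems.append("outside validity window")
    return problems


if __name__ == "__main__":
    sig = parse_sig0(SIG0_TEXT)
    for when in ("20041230190000", "20041230192936"):
        t = datetime.strptime(when, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        print(when, check_sig0(sig, RSAMD5_KEY, t) or "ok")
```

The five-minute window in the quoted SIG (18:59:07 to 19:04:07) means a request delayed or replayed outside it fails before the signature bytes are even examined, so the client's clock and the server's clock must agree to within that margin.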
