Error to validate the signature of a SIG(0) transaction...

Manuel Gil Perez manuel at dif.um.es
Thu Jan 13 12:09:42 UTC 2005


Hi everyone,

> My guess is the key you've used isn't known to the server.

Jim, I'd like to add a reliable RSA public key in the server, but DNSSEC can 
only store keys in DNSKEY format. How can I convert a key from RSA to DNSKEY 
format so that it is stored as reliable for the server?

Thanks!!

------
Manuel Gil Pérez


----- Original Message ----- 
Sent: Friday, December 31, 2004 1:14 PM
Subject: Re: Error to validate the signature of a SIG(0) transaction...


>>>>>> "Manuel" == Manuel Gil Perez <manuel at dif.um.es> writes:
>
>    Manuel> Hi everyone, I would like to use SIG(0) as a mechanism to
>    Manuel> publish certificates into my DNS server in a secure way
>    Manuel> using DNS dynamic update (note: I'm using the latest version
>    Manuel> of BIND, 9.3.0).
>
>    Manuel> The request is generated and sent successfully but I
>    Manuel> obtain a SERVFAIL from the server:
>
>    Manuel> Reviewing the log files the server returns the following
>    Manuel> error: <<request has invalid signature: not verified yet
>    Manuel> (NOERROR)>>.
>
>    Manuel> Is BIND qualified to verify SIG(0) signatures??
>
> Of course. If it didn't what would be the point of supporting SIG(0)?
>
> Turn up the name server's DNSSEC debugging if you want to know why the
> verification failed. My guess is the key you've used isn't known to
> the server. If you post the actual files -- don't edit anything! --
> someone might be able to debug them. 



