Spurious "TYPE65534" at the end of a NSEC3, why?
bortzmeyer at nic.fr
Sun Feb 13 13:36:05 UTC 2011
On Sun, Feb 13, 2011 at 11:07:31AM +0100,
Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote
a message of 35 lines which said:
> is flagged as invalid by a BIND ('meqimi6fje5ni47pjahv5qigu1lv3jlj.fr
> NSEC3: no valid signature found') or an Unbound resolver ('debug:
> verify: signature mismatch'). I fancy that the spurious TYPE65534 may have
> been added after the signing.
I managed, by a lot of copy-and-paste from kept dig answers, to
reproduce the problem. Tests have been done with
<http://www.verisignlabs.com/dnssec-tools/>. When I use the NSEC3 with
TYPE65534, I get:
WARNING: Signature failed to verify RRset:
rr: meqimi6fje5ni47pjahv5qigu1lv3jlj.fr. 5400 IN NSEC3
1 1 1 BADFE11A O5SMCS6CUNUQC5RFJ6S94TGGRFH1TVC7 NS SOA TXT NAPTR
RRSIG DNSKEY NSEC3PARAM TYPE65534
sig: meqimi6fje5ni47pjahv5qigu1lv3jlj.fr. 5400 IN RRSIG
NSEC3 8 2 5400 20110408081500 20110207081500 2331
Reason: Signature failed to verify cryptographically
If I remove by hand the TYPE65534, leaving the signature intact, the
% diff fr-with-type65534 fr-with-type65534-removed
< fr. 0 IN TYPE65534 \# 0
< meqimi6fje5ni47pjahv5qigu1lv3jlj.fr. 5400 IN NSEC3 1 1 1 BADFE11A
O5SMCS6CUNUQC5RFJ6S94TGGRFH1TVC7 NS SOA TXT NAPTR RRSIG DNSKEY
> meqimi6fje5ni47pjahv5qigu1lv3jlj.fr. 5400 IN NSEC3 1 1 1 BADFE11A
> O5SMCS6CUNUQC5RFJ6S94TGGRFH1TVC7 NS SOA TXT NAPTR RRSIG DNSKEY
I also checked again that TYPE65534 is *not* served by BIND in the
normal situation, even when I dynamically update the zone and BIND
modifies the NSEC3 chain and the signatures.
So, it really seems there is a BIND bug here. I guess that the
TYPE65534 was wrongly added to the NSEC3 after it has been signed.
Many thanks to Gilles Massen for his help and ideas and solutions.
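Why a type added to the bitmap after signing cannot verify, as an added illustration (not code from this message or from BIND): the Type Bit Maps field is part of the NSEC3 RDATA the RRSIG covers, so encoding it per RFC 4034 section 4.1.2 with and without TYPE65534 shows exactly which signed bytes change. The type list is the one in the NSEC3 quoted above; the SHA-256 digest stands in for the real signature as an assumption.

```python
import hashlib
from typing import Iterable, List

# IANA type numbers for the types listed in the NSEC3 above; 65534 is the
# private-use type that appeared in the served record.
RR_TYPES = {"NS": 2, "SOA": 6, "TXT": 16, "NAPTR": 35, "RRSIG": 46,
            "DNSKEY": 48, "NSEC3PARAM": 51, "TYPE65534": 65534}


def encode_type_bitmap(types: Iterable[int]) -> bytes:
    """Encode Type Bit Maps as (window, length, bitmap) blocks, RFC 4034 4.1.2."""
    windows = {}
    for t in types:
        win, low = t >> 8, t & 0xFF
        bitmap = windows.setdefault(win, bytearray(32))
        bitmap[low >> 3] |= 0x80 >> (low & 7)  # bit 0 is the MSB of byte 0
    out = bytearray()
    for win in sorted(windows):
        bitmap = windows[win]
        length = max(i + 1 for i, b in enumerate(bitmap) if b)  # no trailing zeros
        out += bytes([win, length]) + bytes(bitmap[:length])
    return bytes(out)


def decode_type_bitmap(data: bytes) -> List[int]:
    """Inverse of encode_type_bitmap; rejects malformed window framing."""
    types, i = [], 0
    while i < len(data):
        if i + 1 >= len(data):
            raise ValueError("truncated window block")
        win, length = data[i], data[i + 1]
        if not 1 <= length <= 32 or i + 2 + length > len(data):
            raise ValueError("malformed type bitmap")
        for byte_idx, b in enumerate(data[i + 2:i + 2 + length]):
            for bit in range(8):
                if b & (0x80 >> bit):
                    types.append((win << 8) | (byte_idx << 3) | bit)
        i += 2 + length
    return types


def bitmap_for(names: List[str]) -> bytes:
    return encode_type_bitmap(RR_TYPES[n] for n in names)


def covered_digest(names: List[str]) -> str:
    # Assumption: a digest over the bitmap models what the RRSIG commits to.
    return hashlib.sha256(bitmap_for(names)).hexdigest()


SIGNED_TYPES = ["NS", "SOA", "TXT", "NAPTR", "RRSIG", "DNSKEY", "NSEC3PARAM"]
SERVED_TYPES = SIGNED_TYPES + ["TYPE65534"]
```

The served bitmap gains a whole extra window block (window 255), so the digest, and therefore the RRSIG, no longer matches.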