About using bind to do DNSSEC with no correct RSASHA256 signature

yaohongyuan yaohongyuan at 163.com
Tue Sep 19 02:05:09 UTC 2017

Hi all,

    But last week we found that there is just one 'RRSIG NSEC3' record that is invalid (no correct RSASHA256 signature) signed by bind.
        dnssec-verify -o XXX -E pkcs11 XXX.txt.signed
        Loading zone 'XXX' from file 'XXX.txt.signed'
        Verifying the zone using the following algorithms: RSASHA256.
        No correct RSASHA256 signature for 4AAPP98J0Q8VUG1BSQDH22IS8SURC8M6.XXX NSEC3
        The zone is not fully signed for the following algorithms: RSASHA256.
        dnssec-verify: fatal: DNSSEC completeness test failed.

    This error record is as below:
        4AAPP98J0Q8VUG1BSQDH22IS8SURC8M6.XXX. 3600 IN RRSIG NSEC3 8 2 3600 20170925080748 20170911074409 55399 XXX. AAAAAAAJ0lYBXu+DKpPARWqucXHr2hmUm5nGeKzcEg8L+n2Cb0APyG4UvNBYZ3lPzmSVRLw77NsGypPoMG23ovRMhhsmKg2uORh65ikucL072HksSbTNRn5/RPqw8sCD8RiCMrLj+wj5xFhqAa8Xk3UZMEMFK2jWROOT4LKDRhs=

    Our zone configuration is as below:
        dnssec-enable yes;
        dnssec-validation yes;
        type master;
        update-check-ksk yes;
        dnssec-dnskey-kskonly yes;
        auto-dnssec maintain;
        sig-validity-interval 14 5;
        dnssec-update-mode maintain;
        serial-update-method increment;
    We used bind with the version below:
        named -V
        BIND 9.10.5 <id:feb005b>
        running on Linux x86_64 2.6.32-696.3.2.el6.x86_64 #1 SMP Tue Jun 20 01:26:55 UTC 2017
        built by make with 'CC=gcc -m64' '--enable-threads' '--with-openssl=/opt/pkcs11/usr' '--with-pkcs11=/usr/local/lib/pkcs11.so' '--prefix=/usr/local/bind-9.10.5'
        compiled by GCC 4.4.7 20120313 (Red Hat 4.4.7-18)
        compiled with OpenSSL version: OpenSSL 1.0.2h  3 May 2016
        linked to OpenSSL version: OpenSSL 1.0.2h  3 May 2016
        compiled with libxml2 version: 2.7.6
        linked to libxml2 version: 20706

    Is this a known issue?
    Has this been fixed?
    We have tried to manually correct this record, but didn't find the right way.
        We tried to remove this RRSIG but got a REFUSED log as below:
            updating zone 'XXX/IN': update failed: explicit RRSIG updates are currently not supported in secure zones except at the apex (REFUSED)
        We tried to remove this NSEC3 but got a REFUSED log as below:
            updating zone 'XXX/IN': update failed: explicit NSEC3 updates are not allowed in secure zones (REFUSED)

    How can we correct this invalid record?
    Could anybody give us some help? We would very much appreciate it.
    Thank you very much.

Best regards,
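
An added diagnostic, not part of the post and not BIND's own code: a small Python parser for RRSIG presentation format that runs the structural checks one can make on an RRSIG without its DNSKEY, applied to the record quoted above with the whitespace that extraction removed restored (the "XXX" owner and signer are the poster's redactions, kept as-is; the post date is used as "now"). It cannot verify the signature itself, since the key is not on the page, and the 128/256/384/512-byte size table and the leading-zero heuristic are assumptions stated in the comments. On this record it reports that the signature decodes to 128 bytes (a 1024-bit RSA modulus) and begins with five zero bytes; a correctly produced RSA signature is an essentially uniform value below the modulus, so a run of leading zero bytes is improbable and is a property of the signing path (here the PKCS#11 module) rather than of the zone data, which makes it a more useful lead than editing the record.

```python
import base64
from datetime import datetime, timezone

# Record quoted in the post with its whitespace restored (constructed sample input).
RRSIG_LINE = (
    "4AAPP98J0Q8VUG1BSQDH22IS8SURC8M6.XXX. 3600 IN RRSIG NSEC3 8 2 3600 "
    "20170925080748 20170911074409 55399 XXX. "
    "AAAAAAAJ0lYBXu+DKpPARWqucXHr2hmUm5nGeKzcEg8L+n2Cb0APyG4UvNBYZ3lPzmSVRLw7"
    "7NsGypPoMG23ovRMhhsmKg2uORh65ikucL072HksSbTNRn5/RPqw8sCD8RiCMrLj+wj5xFhq"
    "Aa8Xk3UZMEMFK2jWROOT4LKDRhs="
)

# Date of the post, used as the reference time for the validity-window check.
POST_TIME = datetime(2017, 9, 19, 2, 5, 9, tzinfo=timezone.utc)

# RSA-based DNSSEC algorithm numbers (RFC 4034 / RFC 5702); the rest are DSA/ECC.
RSA_ALGORITHMS = {5, 7, 8, 10}

# Assumption: RSA signatures are modulus-width, so these are the sizes seen in practice.
RSA_SIGNATURE_SIZES = {128, 256, 384, 512}


def _ts(s):
    """YYYYMMDDHHMMSS (UTC), the RRSIG presentation form used by BIND."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(line):
    """Split an RRSIG in presentation format into its RDATA fields (RFC 4034 section 3)."""
    t = line.split()
    if len(t) < 13 or t[3] != "RRSIG":
        raise ValueError("not an RRSIG record")
    return {
        "owner": t[0],
        "ttl": int(t[1]),
        "type_covered": t[4],
        "algorithm": int(t[5]),
        "labels": int(t[6]),
        "original_ttl": int(t[7]),
        "expiration": _ts(t[8]),
        "inception": _ts(t[9]),
        "key_tag": int(t[10]),
        "signer": t[11],
        # The signature may be split over several tokens; rejoin before decoding.
        "signature": base64.b64decode("".join(t[12:])),
    }


def sanity_check(rec, now):
    """Checks that need no DNSKEY. Returns a list of findings (empty means nothing odd)."""
    findings = []
    if not rec["inception"] <= now <= rec["expiration"]:
        findings.append("outside validity window")
    if rec["ttl"] > rec["original_ttl"]:
        findings.append("TTL exceeds original TTL")
    # Labels field counts owner-name labels excluding the root and a leading wildcard;
    # fewer than the owner has means wildcard synthesis, more is simply invalid.
    owner_labels = [l for l in rec["owner"].split(".") if l and l != "*"]
    if rec["labels"] > len(owner_labels):
        findings.append("labels field exceeds owner name label count")
    sig = rec["signature"]
    if rec["algorithm"] in RSA_ALGORITHMS:
        if len(sig) not in RSA_SIGNATURE_SIZES:
            findings.append(f"unusual RSA signature length {len(sig)}")
        # Heuristic (assumption): each leading zero byte of an RSA signature has
        # probability about 1/256, so two or more in a row merit a look at the signer.
        zeros = len(sig) - len(sig.lstrip(b"\x00"))
        if zeros >= 2:
            findings.append(f"signature begins with {zeros} zero bytes")
    return findings


if __name__ == "__main__":
    rec = parse_rrsig(RRSIG_LINE)
    print(f"{rec['type_covered']} alg={rec['algorithm']} keytag={rec['key_tag']} "
          f"siglen={len(rec['signature'])}")
    for finding in sanity_check(rec, POST_TIME) or ["no structural finding"]:
        print(finding)
```

The window check is the one most often behind "No correct ... signature" reports after a clock or sig-validity-interval change; the length and leading-zero checks separate a key-size or signer problem from a zone-content problem before any record is touched.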
