About use bind to do DNSSEC with no correct RSASHA256 signature
yaohongyuan at 163.com
Tue Sep 19 02:05:09 UTC 2017
We used BIND to do DNSSEC, dynamic zones, and automatic signing.
But last week we found that there is just one 'RRSIG NSEC3' record that is illegal (no correct RSASHA256 signature) signed by BIND.
dnssec-verify -o XXX -E pkcs11 XXX.txt.signed
Loading zone 'XXX' from file 'XXX.txt.signed'
Verifying the zone using the following algorithms: RSASHA256.
No correct RSASHA256 signature for 4AAPP98J0Q8VUG1BSQDH22IS8SURC8M6.XXX NSEC3
The zone is not fully signed for the following algorithms: RSASHA256.
dnssec-verify: fatal: DNSSEC completeness test failed.
This error record is as below:
4AAPP98J0Q8VUG1BSQDH22IS8SURC8M6.XXX. 3600 IN RRSIG NSEC3 8 2 3600 20170925080748 20170911074409 55399 XXX. AAAAAAAJ0lYBXu+DKpPARWqucXHr2hmUm5nGeKzcEg8L+n2Cb0APyG4UvNBYZ3lPzmSVRLw77NsGypPoMG23ovRMhhsmKg2uORh65ikucL072HksSbTNRn5/RPqw8sCD8RiCMrLj+wj5xFhqAa8Xk3UZMEMFK2jWROOT4LKDRhs=
Our zone configuration is as below:
sig-validity-interval 14 5;
We used BIND with the version below:
BIND 9.10.5 <id:feb005b>
running on Linux x86_64 2.6.32-696.3.2.el6.x86_64 #1 SMP Tue Jun 20 01:26:55 UTC 2017
built by make with 'CC=gcc -m64' '--enable-threads' '--with-openssl=/opt/pkcs11/usr' '--with-pkcs11=/usr/local/lib/pkcs11.so' '--prefix=/usr/local/bind-9.10.5'
compiled by GCC 4.4.7 20120313 (Red Hat 4.4.7-18)
compiled with OpenSSL version: OpenSSL 1.0.2h 3 May 2016
linked to OpenSSL version: OpenSSL 1.0.2h 3 May 2016
compiled with libxml2 version: 2.7.6
linked to libxml2 version: 20706
Is this a known issue?
Has this been fixed?
We have tried to manually correct this record, but didn't find the right way.
We tried to remove this RRSIG but got a REFUSED log as below:
updating zone 'XXX/IN': update failed: explicit RRSIG updates are currently not supported in secure zones except at the apex (REFUSED)
We tried to remove this NSEC3 but got a REFUSED log as below:
updating zone 'XXX/IN': update failed: explicit NSEC3 updates are not allowed in secure zones (REFUSED)
How can we correct this invalid record?
Could anybody give us some help? We would be very appreciative.
Thank you very much.
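As an added triage example (not the poster's code and not part of BIND), a small Python script that parses the RRSIG quoted in the post and runs the sanity checks that need no DNSKEY: the validity window against the configured `sig-validity-interval`, the labels field, and the raw signature's length and leading octets. The record string and the check time (the post's date) are taken from the post; the whitespace in the record is restored and everything else is assumed.

```python
import base64
from datetime import datetime, timedelta, timezone

# The RRSIG quoted in the post, with the whitespace the mail archive dropped
# restored; the poster anonymised the zone name as "XXX".
RRSIG_LINE = (
    "4AAPP98J0Q8VUG1BSQDH22IS8SURC8M6.XXX. 3600 IN RRSIG NSEC3 8 2 3600 "
    "20170925080748 20170911074409 55399 XXX. "
    "AAAAAAAJ0lYBXu+DKpPARWqucXHr2hmUm5nGeKzcEg8L+n2Cb0APyG4UvNBYZ3lPzmSVRLw77Ns"
    "GypPoMG23ovRMhhsmKg2uORh65ikucL072HksSbTNRn5/RPqw8sCD8RiCMrLj+wj5xFhqAa8Xk3UZ"
    "MEMFK2jWROOT4LKDRhs="
)
SIG_VALIDITY_DAYS = 14  # first value of the zone's `sig-validity-interval 14 5`
POST_TIME = datetime(2017, 9, 19, 2, 5, 9, tzinfo=timezone.utc)  # date of the post

def parse_rrsig(line):
    """Split an RRSIG in presentation format (RFC 4034 section 3.2) into its fields."""
    f = line.split()
    if len(f) < 13 or f[2] != "IN" or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record in presentation format")
    ts = lambda s: datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return {
        "owner": f[0], "type_covered": f[4], "algorithm": int(f[5]),
        "labels": int(f[6]), "original_ttl": int(f[7]),
        "expiration": ts(f[8]), "inception": ts(f[9]),
        "key_tag": int(f[10]), "signer": f[11],
        "signature": base64.b64decode("".join(f[12:])),  # base64 may be split into chunks
    }

def triage(rec, now):
    """Cheap checks that need no DNSKEY; returns a list of findings (empty = nothing odd)."""
    findings = []
    if rec["algorithm"] != 8:
        findings.append(f"algorithm {rec['algorithm']} is not RSASHA256 (8)")
    if not rec["inception"] <= now <= rec["expiration"]:
        findings.append("outside its validity window")
    if rec["expiration"] - rec["inception"] > timedelta(days=SIG_VALIDITY_DAYS + 1):
        findings.append("validity window longer than sig-validity-interval allows")
    owner_labels = rec["owner"].rstrip(".").count(".") + 1
    if rec["labels"] > owner_labels:  # fewer is legal (wildcard), more never is
        findings.append("labels field exceeds the owner name's label count")
    sig = rec["signature"]
    if len(sig) * 8 not in (1024, 2048, 3072, 4096):
        findings.append(f"{len(sig)}-byte signature does not match a common RSA modulus size")
    zeros = len(sig) - len(sig.lstrip(b"\x00"))
    if zeros >= 2:  # an RSA signature is a value modulo N, so leading zero octets are rare
        findings.append(f"signature begins with {zeros} zero octets")
    return findings

def triage_post_record():
    return triage(parse_rrsig(RRSIG_LINE), POST_TIME)

if __name__ == "__main__":
    for finding in triage_post_record():
        print("finding:", finding)
```

The checks only flag structural oddities; confirming or rejecting the signature itself still requires the zone's DNSKEY, as `dnssec-verify` does.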