SIG(0) "request has invalid signature: not verified yet (NOERROR)"
Ondřej Surý
ondrej at isc.org
Tue Nov 5 17:55:21 UTC 2024
Hi Malcolm,

have you tried tweaking the following configuration?
.. namedconf:statement:: sig0checks-quota
   :tags: server
   :short: Specifies the maximum number of concurrent SIG(0) signature checks that can be processed by the server.

   This is the maximum number of simultaneous SIG(0)-signed messages that
   the server accepts. If the quota is reached, then :iscman:`named` answers
   with a status code of REFUSED. The value of ``0`` disables the quota. The
   default is ``1``.

.. namedconf:statement:: sig0checks-quota-exempt
   :tags: server
   :short: Exempts specific clients or client groups from the SIG(0) signature checking quota.

   DNS clients can be exempted from the SIG(0) signature checking quota with the
   :any:`sig0checks-quota-exempt` clause, using their IP and/or network
   addresses. The default value is an empty list.

   Example:

   ::

      sig0checks-quota-exempt {
          10.0.0.0/8;
          2001:db8::100;
      };
If that doesn't help, I would suggest filing an issue in our GitLab; it seems like a genuine bug.
Ondřej
--
Ondřej Surý (He/Him)
ondrej at isc.org
My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.
> On 5. 11. 2024, at 17:53, Malcolm Scott <Malcolm.Scott at cl.cam.ac.uk> wrote:
>
> On Tue, 5 Nov 2024, Malcolm Scott wrote:
>
>> Regardless I'll try adjusting the algorithm choice in case it does make a difference.
>
> So far I can report that using a ECDSAP384SHA384 key for the SIG(0) still encounters the same failure mode. (For tedious reasons the client I chose to test can't do ED25519. More experimentation ongoing. But the problem is not specific to RSASHA512.)
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users