[dns-operations] [DNSSEC] Bogus signature on secure.registry.be ?

Thomas Dupas thomas at dupas.be
Fri Dec 23 14:17:30 UTC 2011


Hi Laurent,

for the sake of full disclosure I'll answer on-list, I'm part of the .be staff.
It wasn't the signature that was expired, because, as opposed to what Olafur Gudmundsson said, it's the first field which is the expiration date, not the second (that's the inception/creation date).

It was an error with a ZSK key invalidating the trust chain.
The ZSK which we used before the previous rollover was removed mid-December from the zone, long after it wasn't used for signing anymore.
But a symlink to the ZSK was still present on disk, and had a delete time of end of December, which made it still a "valid/current" ZSK.

Bind chose to re-add that ZSK as a DNSKEY yesterday during an internal rekeying event, but apart from rollover windows it has no access to the KSK for security reasons, thus invalidating the DNSKEY RRset signature since it couldn't create a new signature.
We manually removed the DNSKEY and symlink to restore the DNSKEY RRset signature.

Br,

Thomas Dupas
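The field-order point above (expiration first, inception second, RFC 4034 section 3.1.5) is what decides whether a validator calls the RRSIG in this thread expired. The following is an added example, not code from the thread or from DNS.be, that parses the quoted RRSIG rdata and evaluates its validity window at the time of the reply; the `swapped` flag deliberately reproduces the misreading to show how the two interpretations differ.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# RRSIG rdata as quoted in the thread (owner name and TTL not shown there).
SAMPLE_RRSIG = "RRSIG NSEC3 8 3 600 20120101141318 20111222135733"
# Approximate time of the reply that called the signature expired (UTC assumed).
REPLY_TIME = datetime(2011, 12, 22, 16, 16, tzinfo=timezone.utc)


@dataclass
class RRSIGWindow:
    type_covered: str
    algorithm: int
    labels: int
    original_ttl: int
    expiration: datetime  # first timestamp field (RFC 4034 s3.1.5)
    inception: datetime   # second timestamp field


def _parse_ts(field: str) -> datetime:
    # RRSIG presentation-format timestamps are YYYYMMDDHHmmSS in UTC.
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(text: str, swapped: bool = False) -> RRSIGWindow:
    # swapped=True takes the second field as the expiration (the misreading
    # discussed in the thread); the default follows the RFC field order.
    f = text.split()
    if len(f) < 7 or f[0].upper() != "RRSIG":
        raise ValueError("expected 'RRSIG <type> <alg> <labels> <ttl> <exp> <inc> ...'")
    exp, inc = (f[6], f[5]) if swapped else (f[5], f[6])
    return RRSIGWindow(f[1], int(f[2]), int(f[3]), int(f[4]),
                       _parse_ts(exp), _parse_ts(inc))


def window_status(sig: RRSIGWindow, now: datetime) -> str:
    # A validator treats a signature outside [inception, expiration] as bogus.
    if now > sig.expiration:
        return "expired"
    if now < sig.inception:
        return "not-yet-valid"
    return "valid"


def time_remaining(sig: RRSIGWindow, now: datetime) -> timedelta:
    return sig.expiration - now


if __name__ == "__main__":
    for swapped in (False, True):
        sig = parse_rrsig(SAMPLE_RRSIG, swapped=swapped)
        print(f"swapped={swapped}: {window_status(sig, REPLY_TIME)}, "
              f"remaining={time_remaining(sig, REPLY_TIME)}")
```

With the RFC order the signature is still valid for almost ten more days at the time of the reply, which is consistent with the cause being the DNSKEY RRset rather than an expired RRSIG.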
________________________________________
From: dns-operations-bounces at lists.dns-oarc.net [dns-operations-bounces at lists.dns-oarc.net] on behalf of Olafur Gudmundsson [ogud at ogud.com]
Sent: Thursday 22 December 2011 16:16
To: Laurent Bauer
CC: dns-operations at mail.dns-oarc.net
Subject: Re: [dns-operations] [DNSSEC] Bogus signature on secure.registry.be ?

On 22/12/2011 09:56, Laurent Bauer wrote:
> Hello,
>
> I can no longer resolve 'secure.registry.be', my validating resolver
> (bind 9.7.3) returns SERVFAIL :
>

Signatures have expired,
see this snippet:
RRSIG NSEC3 8 3 600 20120101141318 20111222135733
the last value is the expiration time in UTC,
so the signatures expired about an hour ago.

        Olafur


> ;<<>>  DiG 9.7.1-P2<<>>  secure.registry.be
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 32204
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
> ;<<>>  DiG 9.7.1-P2<<>>  secure.registry.be +cd
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24524
> ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 3, AUTHORITY: 3, ADDITIONAL: 4
>
> According to dnsviz, it has a bogus signature :
>    http://dnsviz.net/d/secure.registry.be/dnssec/
>
> I am not quite familiar with DNSSEC debugging yet, but I could not find
> any problem (with dig/drill) neither in the trust chain, nor any expired
> signature.
> As far as I know, my resolver might as well have its cache poisoned,
> though I flushed it and retried before posting this.
>
> Can anyone confirm the problem ?
> If so, does anyone have a contact with a DNS administrator at DnsBe ?
>
> Thanks
>
>       Laurent Bauer
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
