[dns-operations] [outages at outages.org: [outages] DNSSEC issues .se]

Viktor Dukhovni ietf-dane at dukhovni.org
Fri Feb 4 17:18:34 UTC 2022


On Fri, Feb 04, 2022 at 05:48:41PM +0100, Stephane Bortzmeyer wrote:

> Indeed, DNSviz seems to confirm the problem:
> 
> https://dnsviz.net/d/sportbladet.se/Yf1XbQ/dnssec/
> 
> The signature of the NSEC record looks strange to me:
> 
> sportbladet.se.		7200 IN	RRSIG NSEC 8 2 7200 (
> 				20220217023427 20220204111055 30015 se.
> 				AAH/////////////////////////////////////////
> 				////////////////////////////////////////////
> 				////////////////////////////////////////////
> 				////////////////////////////////////////////
> 				////////////////////////////////////////////
> 				////////////////////////////////////////////
> 				////////ADAxMA0GCWCGSAFlAwQCAQUABCDDlM45/p82
> 				gs9EuWI0BODTVEgrkVM5ZrtG98oLVgefGQ== )
> 

Well, it is not what should be there, but *that* strange:

    $ echo 'AAH/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////ADAxMA0GCWCGSAFlAwQCAQUABCDDlM45/p82gs9EuWI0BODTVEgrkVM5ZrtG98oLVgefGQ==' |
        openssl base64 -A -d |
        od -tx1
    0000000 00 01 ff ff ff ff ff ff ff ff ff ff ff ff ff ff
    0000020 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
    *
    0000300 ff ff ff ff ff ff ff ff ff ff ff ff 00 30 31 30
    0000320 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20
    0000340 c3 94 ce 39 fe 9f 36 82 cf 44 b9 62 34 04 e0 d3
    0000360 54 48 2b 91 53 39 66 bb 46 f7 ca 0b 56 07 9f 19
    0000400

What we see here is the PKCS#1 padded *input* to the RSA signature
operation, rather than its signed output.  Somehow the RSA private
key operation never happened.  An HSM glitch?  A software error?

-- 
    Viktor.
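
The padded-input check described in the paragraph above, as an added Python example that is not part of Viktor's post or of any DNS tool: it reassembles the quoted signature field (the wrapped base64 lines join to "AAH", 269 "/" characters, then the tail; the result is the 256-byte blob in the od dump), walks the EMSA-PKCS1-v1_5 layout 00 01 ff..ff 00 DigestInfo hash, and reports the hash algorithm and embedded digest when the field is an unsigned encoded message rather than an RSA signature. The DigestInfo prefixes are the RFC 8017 values; the function names are this example's own.

```python
import base64

# Signature field of the sportbladet.se NSEC RRSIG quoted above, rebuilt here
# from the wrapped lines (constructed string; 269 '/' between head and tail).
BROKEN_RRSIG_SIG = (
    "AAH" + "/" * 269
    + "ADAxMA0GCWCGSAFlAwQCAQUABCDDlM45/p82gs9EuWI0BODTVEgrkVM5ZrtG98oLVgefGQ=="
)

# DigestInfo prefixes (RFC 8017, section 9.2, note 1) for the hashes used by
# the RSA DNSSEC algorithms: 5/7 = SHA-1, 8 = SHA-256, 10 = SHA-512.
DIGEST_INFO = {
    "SHA-1":   (bytes.fromhex("3021300906052b0e03021a05000414"), 20),
    "SHA-256": (bytes.fromhex("3031300d060960864801650304020105000420"), 32),
    "SHA-512": (bytes.fromhex("3051300d060960864801650304020305000440"), 64),
}


def unsigned_pkcs1_payload(sig: bytes):
    """Return (hash_name, digest_hex) if `sig` is a bare EMSA-PKCS1-v1_5
    encoded message (00 01 ff..ff 00 DigestInfo hash), i.e. the RSA
    private-key operation was never applied; None for anything else."""
    if len(sig) < 11 or sig[0] != 0x00 or sig[1] != 0x01:
        return None
    i = 2
    while i < len(sig) and sig[i] == 0xFF:
        i += 1
    # PKCS#1 v1.5 requires at least 8 padding bytes and a 0x00 separator.
    if i - 2 < 8 or i >= len(sig) or sig[i] != 0x00:
        return None
    t = sig[i + 1:]
    for name, (prefix, hlen) in DIGEST_INFO.items():
        if len(t) == len(prefix) + hlen and t.startswith(prefix):
            return name, t[len(prefix):].hex()
    return None


def check_rrsig_b64(sig_b64: str):
    """Decode an RRSIG signature field (base64, whitespace-free) and classify it."""
    return unsigned_pkcs1_payload(base64.b64decode(sig_b64))


def decoded_length(sig_b64: str) -> int:
    """Byte length of the decoded field; for RSA it should equal the modulus size."""
    return len(base64.b64decode(sig_b64))


if __name__ == "__main__":
    print(decoded_length(BROKEN_RRSIG_SIG), check_rrsig_b64(BROKEN_RRSIG_SIG))
```

A real RSA signature is indistinguishable from random bytes and will not start with 00 01 followed by a run of ff, so a hit from this check is a strong sign the signer emitted its padded input, as happened here.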


