[ldns-users] ldns_verify() sometimes returns bad value
Zbynek Michl
zbynek.michl at nic.cz
Mon Apr 12 19:07:54 UTC 2010
Hi there,
there is probably a bug in ldns_verify() or in one of its subfunctions. Here is a
brief code sample:
--- CODE ---
/* Complete, compilable form of the snippet (build with: cc verify.c -lldns):
 * the same three queries and the same ldns_verify() call, with the
 * declarations, includes and cleanup the excerpt left out. */
#include <stdio.h>
#include <stdlib.h>
#include <ldns/ldns.h>

int main(void)
{
    ldns_resolver *res = NULL;
    ldns_rdf *www, *apex;
    ldns_pkt *p, *p2, *p3;
    ldns_rr_list *a, *rrsig, *dnskey;
    ldns_rr_list *goodkey = ldns_rr_list_new(); /* receives the key(s) that verified */
    ldns_status s;

    /* stub resolver configured from /etc/resolv.conf (a non-validating one here) */
    if (ldns_resolver_new_frm_file(&res, NULL) != LDNS_STATUS_OK) {
        exit(EXIT_FAILURE);
    }
    www  = ldns_rdf_new_frm_str(LDNS_RDF_TYPE_DNAME, "www.rhybar.cz");
    apex = ldns_rdf_new_frm_str(LDNS_RDF_TYPE_DNAME, "rhybar.cz");

    /* the A RRset, its RRSIGs and the zone's DNSKEY RRset, one query each */
    p  = ldns_resolver_query(res, www, LDNS_RR_TYPE_A, LDNS_RR_CLASS_IN, LDNS_RD);
    p2 = ldns_resolver_query(res, www, LDNS_RR_TYPE_RRSIG, LDNS_RR_CLASS_IN, LDNS_RD);
    p3 = ldns_resolver_query(res, apex, LDNS_RR_TYPE_DNSKEY, LDNS_RR_CLASS_IN, LDNS_RD);
    if (!p || !p2 || !p3) {
        exit(EXIT_FAILURE);
    }

    a      = ldns_pkt_rr_list_by_type(p, LDNS_RR_TYPE_A, LDNS_SECTION_ANSWER);
    rrsig  = ldns_pkt_rr_list_by_type(p2, LDNS_RR_TYPE_RRSIG, LDNS_SECTION_ANSWER);
    dnskey = ldns_pkt_rr_list_by_type(p3, LDNS_RR_TYPE_DNSKEY, LDNS_SECTION_ANSWER);
    if (!a || !rrsig || !dnskey) {
        exit(EXIT_FAILURE);
    }

    ldns_rr_list_print(stdout, a);
    ldns_rr_list_print(stdout, rrsig);
    ldns_rr_list_print(stdout, dnskey);

    /* verify the A RRset against its RRSIG(s), looking the signing key up in dnskey */
    s = ldns_verify(a, rrsig, dnskey, goodkey);
    printf("ldns_verify() result: %s\n", ldns_get_errorstr_by_id(s));

    ldns_rr_list_deep_free(a);
    ldns_rr_list_deep_free(rrsig);
    ldns_rr_list_deep_free(dnskey);
    ldns_rr_list_free(goodkey); /* shallow: its entries belong to dnskey */
    ldns_pkt_free(p);
    ldns_pkt_free(p2);
    ldns_pkt_free(p3);
    ldns_rdf_deep_free(www);
    ldns_rdf_deep_free(apex);
    ldns_resolver_deep_free(res);
    return s == LDNS_STATUS_OK ? EXIT_SUCCESS : EXIT_FAILURE;
}
--- /CODE ---
Here are two different outputs when using a non-validating resolver:
--- OUTPUT1 ---
www.rhybar.cz. 248 IN A 217.31.205.50
www.rhybar.cz. 248 IN RRSIG A 5 3 600 20081030080058 20080930080058 5172 rhybar.cz. XVkut4l9mw2MhodZFIOD2L57AU2u+I6wGVlK1fr6w5locFC5NIe8ukw79jYdOCH3WwFgSMscumIz1sGqRPrN/CrhXiU0ymFGFju9x/k10lv6SGS6lslgnZluet04CyibGQ2HBnwTx7qK3j+bNzxKLvjpn7DY9f+YKB8F2FtwNOc=
;{id = 5172}
rhybar.cz. 248 IN DNSKEY 256 3 5
AwEAAcrTMVXwOcFCGKtXwdt4XATP43qU96IryyqiZ0oPtuHEEBCikuQDuJhRjNAV4DYvR6fb/suAnd91EVNgHHTXUlAWwmJRrqIwZ6VuGaZqVG+NJh1Okif7CL8no2Z47j6I3HH3pyzrYH2oQVyr64O/8BV2jrk8RteeEqa7V7gcrFfJ
;{id = 5172 (zsk), size = 1024b}
rhybar.cz. 248 IN DNSKEY 257 3 5
AwEAAeKle4K3bxJb4k9sMhdm6BmpRK2rISAGh0egMSXgOlQnU+3TLQ0aH1th7ejZnn6Zdkeo8MRXDxLkgp1rUSsRM1Q2SmLJhaat7L15qHmj+vCk5IuSIpAdaRsqOKxHlT6a/LWGwGvDIVxY6J9sXaJ4SInflZpa5wZUCrhDKvpo0hAzNfoK/aFApzZGaAGALYx6YpbG+SBW2K+s92eyoJCCrQQ+Nata41l7K6RFAYjP+g3Kp95McNm3xlBve171u9FUZNUuN2Rn25oEtHHlK9NcHNqWvFJ3VmXcA6CkGrBPV6vOAwwUtPDSWSZbdolS69092ZWYTlOJw6g0LVI2feMMrok=
;{id = 44566 (ksk), size = 2048b}
rhybar.cz. 248 IN DNSKEY 256 3 5
AwEAAb/riVUjNfP1to3wkJyul0MjwiPojFgFmMiLj1KIKeVIYCIRNx01Q1we5M17GQFInCXXyTyjCYJfwkL0Xe7ma6m2pHfEMkOiDl42rsgrmkShxPEvZMd5vpT+RyQWQh26TJ42MRoCJSt6XNeFLXRyjfRcDt7ZxYD3bHNeyaDuUUGt
;{id = 34392 (zsk), size = 1024b}
ldns_verify() result: Bogus DNSSEC signature
--- /OUTPUT1 ---
--- OUTPUT2 ---
www.rhybar.cz. 321 IN A 217.31.205.50
www.rhybar.cz. 321 IN RRSIG A 5 3 600 20081030080058 20080930080058 5172 rhybar.cz. XVkut4l9mw2MhodZFIOD2L57AU2u+I6wGVlK1fr6w5locFC5NIe8ukw79jYdOCH3WwFgSMscumIz1sGqRPrN/CrhXiU0ymFGFju9x/k10lv6SGS6lslgnZluet04CyibGQ2HBnwTx7qK3j+bNzxKLvjpn7DY9f+YKB8F2FtwNOc=
;{id = 5172}
rhybar.cz. 321 IN DNSKEY 257 3 5
AwEAAeKle4K3bxJb4k9sMhdm6BmpRK2rISAGh0egMSXgOlQnU+3TLQ0aH1th7ejZnn6Zdkeo8MRXDxLkgp1rUSsRM1Q2SmLJhaat7L15qHmj+vCk5IuSIpAdaRsqOKxHlT6a/LWGwGvDIVxY6J9sXaJ4SInflZpa5wZUCrhDKvpo0hAzNfoK/aFApzZGaAGALYx6YpbG+SBW2K+s92eyoJCCrQQ+Nata41l7K6RFAYjP+g3Kp95McNm3xlBve171u9FUZNUuN2Rn25oEtHHlK9NcHNqWvFJ3VmXcA6CkGrBPV6vOAwwUtPDSWSZbdolS69092ZWYTlOJw6g0LVI2feMMrok=
;{id = 44566 (ksk), size = 2048b}
rhybar.cz. 321 IN DNSKEY 256 3 5
AwEAAb/riVUjNfP1to3wkJyul0MjwiPojFgFmMiLj1KIKeVIYCIRNx01Q1we5M17GQFInCXXyTyjCYJfwkL0Xe7ma6m2pHfEMkOiDl42rsgrmkShxPEvZMd5vpT+RyQWQh26TJ42MRoCJSt6XNeFLXRyjfRcDt7ZxYD3bHNeyaDuUUGt
;{id = 34392 (zsk), size = 1024b}
rhybar.cz. 321 IN DNSKEY 256 3 5
AwEAAcrTMVXwOcFCGKtXwdt4XATP43qU96IryyqiZ0oPtuHEEBCikuQDuJhRjNAV4DYvR6fb/suAnd91EVNgHHTXUlAWwmJRrqIwZ6VuGaZqVG+NJh1Okif7CL8no2Z47j6I3HH3pyzrYH2oQVyr64O/8BV2jrk8RteeEqa7V7gcrFfJ
;{id = 5172 (zsk), size = 1024b}
ldns_verify() result: No keys with the keytag and algorithm from the RRSIG found
--- /OUTPUT2 ---
It seems that if the ZSK is in the first place in the DNSKEY list, ldns_verify() finds it
correctly (the domain name www.rhybar.cz really has a bogus signature), but if the ZSK
is in another place, ldns_verify() gets into trouble finding that key.
Cheers,
Zbynek
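Added example, not part of the post and not ldns code: the key selection step that the report is about, written out independently of any library. RFC 4035 section 5.3.1 requires the DNSKEY for an RRSIG to be chosen by Signer's Name, Algorithm and Key Tag; its position in the DNSKEY RRset is irrelevant, and because key tags are not unique every matching key has to be tried. The records are the rhybar.cz DNSKEYs and the www.rhybar.cz RRSIG exactly as printed in the two outputs above (key tags recomputed from the public key data per RFC 4034 Appendix B), in OUTPUT2 order (key 5172 last); the OUTPUT1 order is derived from it. The SEP/Zone Key flag handling and the validity-window check are the other two lookup conditions a validator applies, included here for completeness.

```python
"""Added example (not ldns code): DNSKEY selection for an RRSIG by key tag,
algorithm and flags, independent of the key's position in the RRset."""
import base64
import struct
from datetime import datetime, timezone

# DNSKEY RRset of rhybar.cz in OUTPUT2 order (key tag 5172 last), as printed
# in the post: (flags, protocol, algorithm, public key in base64).
DNSKEYS_OUTPUT2 = [
    (257, 3, 5, "AwEAAeKle4K3bxJb4k9sMhdm6BmpRK2rISAGh0egMSXgOlQnU+3TLQ0aH1th7ejZnn6Zdkeo8MRXDxLkgp1rUSsRM1Q2SmLJhaat7L15qHmj+vCk5IuSIpAdaRsqOKxHlT6a/LWGwGvDIVxY6J9sXaJ4SInflZpa5wZUCrhDKvpo0hAzNfoK/aFApzZGaAGALYx6YpbG+SBW2K+s92eyoJCCrQQ+Nata41l7K6RFAYjP+g3Kp95McNm3xlBve171u9FUZNUuN2Rn25oEtHHlK9NcHNqWvFJ3VmXcA6CkGrBPV6vOAwwUtPDSWSZbdolS69092ZWYTlOJw6g0LVI2feMMrok="),
    (256, 3, 5, "AwEAAb/riVUjNfP1to3wkJyul0MjwiPojFgFmMiLj1KIKeVIYCIRNx01Q1we5M17GQFInCXXyTyjCYJfwkL0Xe7ma6m2pHfEMkOiDl42rsgrmkShxPEvZMd5vpT+RyQWQh26TJ42MRoCJSt6XNeFLXRyjfRcDt7ZxYD3bHNeyaDuUUGt"),
    (256, 3, 5, "AwEAAcrTMVXwOcFCGKtXwdt4XATP43qU96IryyqiZ0oPtuHEEBCikuQDuJhRjNAV4DYvR6fb/suAnd91EVNgHHTXUlAWwmJRrqIwZ6VuGaZqVG+NJh1Okif7CL8no2Z47j6I3HH3pyzrYH2oQVyr64O/8BV2jrk8RteeEqa7V7gcrFfJ"),
]
# OUTPUT1 listed the same keys with 5172 first.
DNSKEYS_OUTPUT1 = DNSKEYS_OUTPUT2[2:] + DNSKEYS_OUTPUT2[:2]

# RRSIG over www.rhybar.cz A as printed: algorithm 5, key tag 5172, signer
# rhybar.cz, expiration/inception in YYYYMMDDHHMMSS presentation form.
RRSIG_A = {"alg": 5, "keytag": 5172, "signer": "rhybar.cz.",
           "expiration": "20081030080058", "inception": "20080930080058"}


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """Wire-format RDATA: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """Key tag over the RDATA, RFC 4034 Appendix B (B.1 for RSA/MD5)."""
    if rdata[3] == 1:                    # RSA/MD5: taken from the modulus
        return int.from_bytes(rdata[-3:-1], "big")
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def key_role(flags):
    """ldns prints (ksk) when the SEP bit (1) is set and (zsk) otherwise;
    without the Zone Key bit (256) the key may not sign zone data at all."""
    if not flags & 0x100:
        return "not a zone key"
    return "ksk" if flags & 0x1 else "zsk"


def find_keys(dnskeys, rrsig):
    """Every DNSKEY usable for this RRSIG, wherever it sits in the RRset."""
    found = []
    for flags, protocol, algorithm, pubkey in dnskeys:
        if protocol != 3 or not flags & 0x100:   # RFC 4034 2.1.1 / 2.1.2
            continue
        if algorithm != rrsig["alg"]:
            continue
        if key_tag(dnskey_rdata(flags, protocol, algorithm, pubkey)) != rrsig["keytag"]:
            continue
        found.append((flags, protocol, algorithm, pubkey))
    return found


def rrsig_time_valid(rrsig, now_yyyymmddhhmmss):
    """inception <= now <= expiration (RFC 4035 5.3.1), all given as UTC
    YYYYMMDDHHMMSS strings, the RRSIG presentation format."""
    fmt = "%Y%m%d%H%M%S"
    parse = lambda s: datetime.strptime(s, fmt).replace(tzinfo=timezone.utc)
    return parse(rrsig["inception"]) <= parse(now_yyyymmddhhmmss) <= parse(rrsig["expiration"])


if __name__ == "__main__":
    for label, keys in (("OUTPUT1", DNSKEYS_OUTPUT1), ("OUTPUT2", DNSKEYS_OUTPUT2)):
        tags = [(key_tag(dnskey_rdata(*k)), key_role(k[0])) for k in keys]
        print(label, "key order:", tags)
        print("  keys matching RRSIG tag/alg:",
              [key_tag(dnskey_rdata(*k)) for k in find_keys(keys, RRSIG_A)])
    # the post is dated 2010-04-12; the RRSIG's window ended 2008-10-30
    print("RRSIG within validity window at posting time:",
          rrsig_time_valid(RRSIG_A, "20100412190754"))
```

find_keys() returns the same single key (tag 5172, the zsk) for both orders, which is the property a verifier has to have; a second key with the same tag and algorithm would simply be a second candidate to try, not a reason to stop.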