[ldns-users] ldns_verify() sometimes returns bad value

Matthijs Mekking matthijs at NLnetLabs.nl
Tue Apr 13 08:15:07 UTC 2010



Hi Zbynek Michl,

I believe what happens in the first case is:
- ldns sees a bogus signature. It will mark this as the resulting return
value.
- The other keys will not update the resulting return value, unless the
key verifies the signature.

In the second case:
- ldns sees a key that does not match the signature. It will mark the
resulting return value as not matching.
- The other keys will not update the resulting return value, unless the
key verifies the signature.

So, the first encountered error is remembered. I think we should update
the return value if:
- No matching key was found prior to this key.
- This key verifies the signature.

I have updated the trunk. Could you try r3227 and see if this works for you?


Best regards,

Matthijs


Zbynek Michl wrote:
> Hi there,
> 
> there is probably a bug in ldns_verify() or in its subfunction. Here is
> a brief code sample:
> 
> --- CODE ---
> #include <ldns/ldns.h>
> #include <stdio.h>
> #include <stdlib.h>
> 
> int main(void)
> {
>   ldns_resolver *res;
>   ldns_pkt *p, *p2, *p3;
>   ldns_rr_list *a, *rrsig, *dnskey;
>   ldns_rr_list *goodkey = ldns_rr_list_new(); /* receives the keys that verified */
>   ldns_status s;
> 
>   /* resolver configured from /etc/resolv.conf */
>   if (ldns_resolver_new_frm_file(&res, NULL) != LDNS_STATUS_OK) {
>     exit(EXIT_FAILURE);
>   }
> 
>   p = ldns_resolver_query(res,
>                           ldns_rdf_new_frm_str(LDNS_RDF_TYPE_DNAME,
>                                                "www.rhybar.cz"),
>                           LDNS_RR_TYPE_A,
>                           LDNS_RR_CLASS_IN,
>                           LDNS_RD);
>   p2 = ldns_resolver_query(res,
>                            ldns_rdf_new_frm_str(LDNS_RDF_TYPE_DNAME,
>                                                 "www.rhybar.cz"),
>                            LDNS_RR_TYPE_RRSIG,
>                            LDNS_RR_CLASS_IN,
>                            LDNS_RD);
>   p3 = ldns_resolver_query(res,
>                            ldns_rdf_new_frm_str(LDNS_RDF_TYPE_DNAME,
>                                                 "rhybar.cz"),
>                            LDNS_RR_TYPE_DNSKEY,
>                            LDNS_RR_CLASS_IN,
>                            LDNS_RD);
>   if (!p || !p2 || !p3)  {
>     exit(EXIT_FAILURE);
>   } else {
>     /* pull the RRset, its signatures and the zone keys out of the answers */
>     a = ldns_pkt_rr_list_by_type(p,
>                                  LDNS_RR_TYPE_A,
>                                  LDNS_SECTION_ANSWER);
>     rrsig = ldns_pkt_rr_list_by_type(p2,
>                                      LDNS_RR_TYPE_RRSIG,
>                                      LDNS_SECTION_ANSWER);
>     dnskey = ldns_pkt_rr_list_by_type(p3,
>                                       LDNS_RR_TYPE_DNSKEY,
>                                       LDNS_SECTION_ANSWER);
>     if (!a || !rrsig || !dnskey) {
>       exit(EXIT_FAILURE);
>     } else {
>       ldns_rr_list_print(stdout, a);
>       ldns_rr_list_print(stdout, rrsig);
>       ldns_rr_list_print(stdout, dnskey);
>       s = ldns_verify(a, rrsig, dnskey, goodkey);
>       printf("ldns_verify() result: %s\n", ldns_get_errorstr_by_id(s));
>     }
>   }
>   return EXIT_SUCCESS;
> }
> --- /CODE ---
> 
> 
> Here are the different outputs when using a non-validating resolver:
> 
> --- OUTPUT1 ---
> www.rhybar.cz.    248    IN    A    217.31.205.50
> www.rhybar.cz.    248    IN    RRSIG    A 5 3 600 20081030080058
> 20080930080058 5172 rhybar.cz.
> XVkut4l9mw2MhodZFIOD2L57AU2u+I6wGVlK1fr6w5locFC5NIe8ukw79jYdOCH3WwFgSMscumIz1sGqRPrN/CrhXiU0ymFGFju9x/k10lv6SGS6lslgnZluet04CyibGQ2HBnwTx7qK3j+bNzxKLvjpn7DY9f+YKB8F2FtwNOc=
> ;{id = 5172}
> rhybar.cz.    248    IN    DNSKEY    256 3 5
> AwEAAcrTMVXwOcFCGKtXwdt4XATP43qU96IryyqiZ0oPtuHEEBCikuQDuJhRjNAV4DYvR6fb/suAnd91EVNgHHTXUlAWwmJRrqIwZ6VuGaZqVG+NJh1Okif7CL8no2Z47j6I3HH3pyzrYH2oQVyr64O/8BV2jrk8RteeEqa7V7gcrFfJ
> ;{id = 5172 (zsk), size = 1024b}
> rhybar.cz.    248    IN    DNSKEY    257 3 5
> AwEAAeKle4K3bxJb4k9sMhdm6BmpRK2rISAGh0egMSXgOlQnU+3TLQ0aH1th7ejZnn6Zdkeo8MRXDxLkgp1rUSsRM1Q2SmLJhaat7L15qHmj+vCk5IuSIpAdaRsqOKxHlT6a/LWGwGvDIVxY6J9sXaJ4SInflZpa5wZUCrhDKvpo0hAzNfoK/aFApzZGaAGALYx6YpbG+SBW2K+s92eyoJCCrQQ+Nata41l7K6RFAYjP+g3Kp95McNm3xlBve171u9FUZNUuN2Rn25oEtHHlK9NcHNqWvFJ3VmXcA6CkGrBPV6vOAwwUtPDSWSZbdolS69092ZWYTlOJw6g0LVI2feMMrok=
> ;{id = 44566 (ksk), size = 2048b}
> rhybar.cz.    248    IN    DNSKEY    256 3 5
> AwEAAb/riVUjNfP1to3wkJyul0MjwiPojFgFmMiLj1KIKeVIYCIRNx01Q1we5M17GQFInCXXyTyjCYJfwkL0Xe7ma6m2pHfEMkOiDl42rsgrmkShxPEvZMd5vpT+RyQWQh26TJ42MRoCJSt6XNeFLXRyjfRcDt7ZxYD3bHNeyaDuUUGt
> ;{id = 34392 (zsk), size = 1024b}
> ldns_verify() result: Bogus DNSSEC signature
> --- /OUTPUT1 ---
> 
> --- OUTPUT2 ---
> www.rhybar.cz.    321    IN    A    217.31.205.50
> www.rhybar.cz.    321    IN    RRSIG    A 5 3 600 20081030080058
> 20080930080058 5172 rhybar.cz.
> XVkut4l9mw2MhodZFIOD2L57AU2u+I6wGVlK1fr6w5locFC5NIe8ukw79jYdOCH3WwFgSMscumIz1sGqRPrN/CrhXiU0ymFGFju9x/k10lv6SGS6lslgnZluet04CyibGQ2HBnwTx7qK3j+bNzxKLvjpn7DY9f+YKB8F2FtwNOc=
> ;{id = 5172}
> rhybar.cz.    321    IN    DNSKEY    257 3 5
> AwEAAeKle4K3bxJb4k9sMhdm6BmpRK2rISAGh0egMSXgOlQnU+3TLQ0aH1th7ejZnn6Zdkeo8MRXDxLkgp1rUSsRM1Q2SmLJhaat7L15qHmj+vCk5IuSIpAdaRsqOKxHlT6a/LWGwGvDIVxY6J9sXaJ4SInflZpa5wZUCrhDKvpo0hAzNfoK/aFApzZGaAGALYx6YpbG+SBW2K+s92eyoJCCrQQ+Nata41l7K6RFAYjP+g3Kp95McNm3xlBve171u9FUZNUuN2Rn25oEtHHlK9NcHNqWvFJ3VmXcA6CkGrBPV6vOAwwUtPDSWSZbdolS69092ZWYTlOJw6g0LVI2feMMrok=
> ;{id = 44566 (ksk), size = 2048b}
> rhybar.cz.    321    IN    DNSKEY    256 3 5
> AwEAAb/riVUjNfP1to3wkJyul0MjwiPojFgFmMiLj1KIKeVIYCIRNx01Q1we5M17GQFInCXXyTyjCYJfwkL0Xe7ma6m2pHfEMkOiDl42rsgrmkShxPEvZMd5vpT+RyQWQh26TJ42MRoCJSt6XNeFLXRyjfRcDt7ZxYD3bHNeyaDuUUGt
> ;{id = 34392 (zsk), size = 1024b}
> rhybar.cz.    321    IN    DNSKEY    256 3 5
> AwEAAcrTMVXwOcFCGKtXwdt4XATP43qU96IryyqiZ0oPtuHEEBCikuQDuJhRjNAV4DYvR6fb/suAnd91EVNgHHTXUlAWwmJRrqIwZ6VuGaZqVG+NJh1Okif7CL8no2Z47j6I3HH3pyzrYH2oQVyr64O/8BV2jrk8RteeEqa7V7gcrFfJ
> ;{id = 5172 (zsk), size = 1024b}
> ldns_verify() result: No keys with the keytag and algorithm from the
> RRSIG found
> --- /OUTPUT2 ---
> 
> It seems that if the zsk is in the first place in the dnskey list, ldns_verify()
> finds it correctly (domain name www.rhybar.cz really has a bogus
> signature), but if the zsk is in another place, ldns_verify() gets
> into trouble finding that key.
> 
> 
> Cheers,
> Zbynek

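To make the precedence rule from the reply concrete, here is an added C model of the key-iteration loop. It is not ldns code and performs no cryptography: each key's outcome is simulated, and the "first error sticks" aggregation the report observes is placed beside the "update unless a matching key was already seen" rule, both run over the key orders from OUTPUT1 and OUTPUT2. The status names, the sim_key/sim_rrsig structs, check_order() and the signature_valid flag are all constructed for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed status codes named after the ldns messages quoted in the
 * thread; they are not ldns's own enum. */
typedef enum {
    ST_OK = 0,
    ST_NO_MATCHING_KEYTAG, /* "No keys with the keytag and algorithm from the RRSIG found" */
    ST_BOGUS,              /* "Bogus DNSSEC signature" */
    ST_UNSET               /* no key tried yet */
} status_t;

/* A DNSKEY reduced to what key selection needs, plus a simulated crypto
 * outcome standing in for the RSA check ldns would actually perform. */
typedef struct {
    uint16_t keytag;
    uint8_t  algorithm;
    bool     signature_valid;
} sim_key;

typedef struct {
    uint16_t keytag;
    uint8_t  algorithm;
} sim_rrsig;

/* Per-key outcome, identical for both aggregation strategies. */
static status_t try_key(const sim_rrsig *sig, const sim_key *key)
{
    if (key->keytag != sig->keytag || key->algorithm != sig->algorithm)
        return ST_NO_MATCHING_KEYTAG;
    return key->signature_valid ? ST_OK : ST_BOGUS;
}

/* Behaviour the bug report observes: the first non-OK status is remembered,
 * and only a successful verification can replace it. */
status_t verify_first_error_sticks(const sim_rrsig *sig, const sim_key *keys, size_t n)
{
    status_t result = ST_UNSET;
    for (size_t i = 0; i < n; i++) {
        status_t s = try_key(sig, &keys[i]);
        if (s == ST_OK)
            return ST_OK;
        if (result == ST_UNSET)
            result = s;
    }
    return result;
}

/* Rule from the reply: replace the remembered status when no matching key
 * was found before this one, or when this key verifies the signature. A
 * bogus signature from a matching key is therefore never hidden by keys
 * that merely carry a different keytag. */
status_t verify_prefer_matching_key(const sim_rrsig *sig, const sim_key *keys, size_t n)
{
    status_t result = ST_UNSET;
    for (size_t i = 0; i < n; i++) {
        status_t s = try_key(sig, &keys[i]);
        if (s == ST_OK)
            return ST_OK;
        if (result == ST_UNSET || result == ST_NO_MATCHING_KEYTAG)
            result = s;
    }
    return result;
}

/* Keytag orders as they appear in OUTPUT1 and OUTPUT2 of the report. */
const uint16_t ORDER_OUTPUT1[3] = { 5172, 44566, 34392 };
const uint16_t ORDER_OUTPUT2[3] = { 44566, 34392, 5172 };

/* Run the thread's scenario: an RRSIG made by keytag 5172, algorithm 5
 * (RSASHA1, as in the quoted records) against the three rhybar.cz DNSKEYs
 * in the given order. zsk_5172_valid is the simulated result of the real
 * signature check for key 5172; false reproduces the bogus signature. */
status_t check_order(bool use_fix, const uint16_t order[3], bool zsk_5172_valid)
{
    sim_key keys[3];
    for (int i = 0; i < 3; i++) {
        keys[i].keytag = order[i];
        keys[i].algorithm = 5;
        keys[i].signature_valid = (order[i] == 5172) && zsk_5172_valid;
    }
    sim_rrsig sig = { 5172, 5 };
    return use_fix ? verify_prefer_matching_key(&sig, keys, 3)
                   : verify_first_error_sticks(&sig, keys, 3);
}

static const char *status_str(status_t s)
{
    switch (s) {
    case ST_OK:                 return "All OK";
    case ST_NO_MATCHING_KEYTAG: return "No keys with the keytag and algorithm from the RRSIG found";
    case ST_BOGUS:              return "Bogus DNSSEC signature";
    default:                    return "unset";
    }
}

int main(void)
{
    printf("first error sticks,  OUTPUT1 order: %s\n", status_str(check_order(false, ORDER_OUTPUT1, false)));
    printf("first error sticks,  OUTPUT2 order: %s\n", status_str(check_order(false, ORDER_OUTPUT2, false)));
    printf("prefer matching key, OUTPUT1 order: %s\n", status_str(check_order(true, ORDER_OUTPUT1, false)));
    printf("prefer matching key, OUTPUT2 order: %s\n", status_str(check_order(true, ORDER_OUTPUT2, false)));
    return 0;
}
```

With the first strategy the OUTPUT2 order reports the missing-keytag status even though key 5172 is present and was tried, which is exactly the misleading result in the report; with the reply's rule both orders report the bogus signature, and a key that actually verifies still wins in either order.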


