[ldns-users] ldns_verify() sometimes returns bad value

Zbynek Michl zbynek.michl at nic.cz
Tue Apr 13 11:44:25 UTC 2010


Hi Matthijs,

it works fine with r3227. Thanks for your prompt fix! :)

Regards,
Zbynek

On 13.4.2010 10:15, Matthijs Mekking wrote:
> Hi Zbynek Michl,
>
> I believe what happens in the first case is:
> - ldns sees a bogus signature. It will mark this as the resulting return
> value.
> - The other keys will not update the resulting return value, unless the
> key verifies the signature.
>
> In the second case:
> - ldns sees a key that does not match the signature. It will mark the
> resulting return value as not matching.
> - The other keys will not update the resulting return value, unless the
> key verifies the signature.
>
> So, the first encountered error is remembered. I think we should update
> the return value if:
> - No matching key was found prior to this key.
> - This key verifies the signature.
>
> I have updated the trunk. Could you try r3227 and see if this works for you?
>
>
> Best regards,
>
> Matthijs
>
>
> Zbynek Michl wrote:
>> Hi there,
>>
>> there is probably a bug in ldns_verify() or in its subfunction. Here is
>> a brief code sample:
>>
>> --- CODE ---
>>    #include <stdio.h>
>>    #include <stdlib.h>
>>    #include <ldns/ldns.h>
>>
>>    int main(void)
>>    {
>>      ldns_resolver *res = NULL;
>>      ldns_pkt *p, *p2, *p3;
>>      ldns_rr_list *a, *rrsig, *dnskey;
>>      ldns_rr_list *goodkey = ldns_rr_list_new(); /* receives the keys that verified */
>>      ldns_status s;
>>
>>      /* resolver built from /etc/resolv.conf (NULL filename) */
>>      if (ldns_resolver_new_frm_file(&res, NULL) != LDNS_STATUS_OK) {
>>        exit(EXIT_FAILURE);
>>      }
>>
>>      /* three plain recursive queries: the A RRset, its RRSIGs, and the zone's DNSKEYs */
>>      p = ldns_resolver_query(res,
>>                              ldns_rdf_new_frm_str(LDNS_RDF_TYPE_DNAME,
>>                                                   "www.rhybar.cz"),
>>                              LDNS_RR_TYPE_A,
>>                              LDNS_RR_CLASS_IN,
>>                              LDNS_RD);
>>      p2 = ldns_resolver_query(res,
>>                               ldns_rdf_new_frm_str(LDNS_RDF_TYPE_DNAME,
>>                                                    "www.rhybar.cz"),
>>                               LDNS_RR_TYPE_RRSIG,
>>                               LDNS_RR_CLASS_IN,
>>                               LDNS_RD);
>>      p3 = ldns_resolver_query(res,
>>                               ldns_rdf_new_frm_str(LDNS_RDF_TYPE_DNAME,
>>                                                    "rhybar.cz"),
>>                               LDNS_RR_TYPE_DNSKEY,
>>                               LDNS_RR_CLASS_IN,
>>                               LDNS_RD);
>>      if (!p || !p2 || !p3)  {
>>        exit(EXIT_FAILURE);
>>      } else {
>>        a = ldns_pkt_rr_list_by_type(p,
>>                                     LDNS_RR_TYPE_A,
>>                                     LDNS_SECTION_ANSWER);
>>        rrsig = ldns_pkt_rr_list_by_type(p2,
>>                                         LDNS_RR_TYPE_RRSIG,
>>                                         LDNS_SECTION_ANSWER);
>>        dnskey = ldns_pkt_rr_list_by_type(p3,
>>                                          LDNS_RR_TYPE_DNSKEY,
>>                                          LDNS_SECTION_ANSWER);
>>        if (!a || !rrsig || !dnskey) {
>>          exit(EXIT_FAILURE);
>>        } else {
>>          ldns_rr_list_print(stdout, a);
>>          ldns_rr_list_print(stdout, rrsig);
>>          ldns_rr_list_print(stdout, dnskey);
>>          /* verify the A RRset against every DNSKEY in the list */
>>          s = ldns_verify(a, rrsig, dnskey, goodkey);
>>          printf("ldns_verify() result: %s\n", ldns_get_errorstr_by_id(s));
>>        }
>>      }
>>      return 0;
>>    }
>> --- /CODE ---
>>
>>
>> Here are the different outputs when using a non-validating resolver:
>>
>> --- OUTPUT1 ---
>> www.rhybar.cz.    248    IN    A    217.31.205.50
>> www.rhybar.cz.    248    IN    RRSIG    A 5 3 600 20081030080058
>> 20080930080058 5172 rhybar.cz.
>> XVkut4l9mw2MhodZFIOD2L57AU2u+I6wGVlK1fr6w5locFC5NIe8ukw79jYdOCH3WwFgSMscumIz1sGqRPrN/CrhXiU0ymFGFju9x/k10lv6SGS6lslgnZluet04CyibGQ2HBnwTx7qK3j+bNzxKLvjpn7DY9f+YKB8F2FtwNOc=
>> ;{id = 5172}
>> rhybar.cz.    248    IN    DNSKEY    256 3 5
>> AwEAAcrTMVXwOcFCGKtXwdt4XATP43qU96IryyqiZ0oPtuHEEBCikuQDuJhRjNAV4DYvR6fb/suAnd91EVNgHHTXUlAWwmJRrqIwZ6VuGaZqVG+NJh1Okif7CL8no2Z47j6I3HH3pyzrYH2oQVyr64O/8BV2jrk8RteeEqa7V7gcrFfJ
>> ;{id = 5172 (zsk), size = 1024b}
>> rhybar.cz.    248    IN    DNSKEY    257 3 5
>> AwEAAeKle4K3bxJb4k9sMhdm6BmpRK2rISAGh0egMSXgOlQnU+3TLQ0aH1th7ejZnn6Zdkeo8MRXDxLkgp1rUSsRM1Q2SmLJhaat7L15qHmj+vCk5IuSIpAdaRsqOKxHlT6a/LWGwGvDIVxY6J9sXaJ4SInflZpa5wZUCrhDKvpo0hAzNfoK/aFApzZGaAGALYx6YpbG+SBW2K+s92eyoJCCrQQ+Nata41l7K6RFAYjP+g3Kp95McNm3xlBve171u9FUZNUuN2Rn25oEtHHlK9NcHNqWvFJ3VmXcA6CkGrBPV6vOAwwUtPDSWSZbdolS69092ZWYTlOJw6g0LVI2feMMrok=
>> ;{id = 44566 (ksk), size = 2048b}
>> rhybar.cz.    248    IN    DNSKEY    256 3 5
>> AwEAAb/riVUjNfP1to3wkJyul0MjwiPojFgFmMiLj1KIKeVIYCIRNx01Q1we5M17GQFInCXXyTyjCYJfwkL0Xe7ma6m2pHfEMkOiDl42rsgrmkShxPEvZMd5vpT+RyQWQh26TJ42MRoCJSt6XNeFLXRyjfRcDt7ZxYD3bHNeyaDuUUGt
>> ;{id = 34392 (zsk), size = 1024b}
>> ldns_verify() result: Bogus DNSSEC signature
>> --- /OUTPUT1 ---
>>
>> --- OUTPUT2 ---
>> www.rhybar.cz.    321    IN    A    217.31.205.50
>> www.rhybar.cz.    321    IN    RRSIG    A 5 3 600 20081030080058
>> 20080930080058 5172 rhybar.cz.
>> XVkut4l9mw2MhodZFIOD2L57AU2u+I6wGVlK1fr6w5locFC5NIe8ukw79jYdOCH3WwFgSMscumIz1sGqRPrN/CrhXiU0ymFGFju9x/k10lv6SGS6lslgnZluet04CyibGQ2HBnwTx7qK3j+bNzxKLvjpn7DY9f+YKB8F2FtwNOc=
>> ;{id = 5172}
>> rhybar.cz.    321    IN    DNSKEY    257 3 5
>> AwEAAeKle4K3bxJb4k9sMhdm6BmpRK2rISAGh0egMSXgOlQnU+3TLQ0aH1th7ejZnn6Zdkeo8MRXDxLkgp1rUSsRM1Q2SmLJhaat7L15qHmj+vCk5IuSIpAdaRsqOKxHlT6a/LWGwGvDIVxY6J9sXaJ4SInflZpa5wZUCrhDKvpo0hAzNfoK/aFApzZGaAGALYx6YpbG+SBW2K+s92eyoJCCrQQ+Nata41l7K6RFAYjP+g3Kp95McNm3xlBve171u9FUZNUuN2Rn25oEtHHlK9NcHNqWvFJ3VmXcA6CkGrBPV6vOAwwUtPDSWSZbdolS69092ZWYTlOJw6g0LVI2feMMrok=
>> ;{id = 44566 (ksk), size = 2048b}
>> rhybar.cz.    321    IN    DNSKEY    256 3 5
>> AwEAAb/riVUjNfP1to3wkJyul0MjwiPojFgFmMiLj1KIKeVIYCIRNx01Q1we5M17GQFInCXXyTyjCYJfwkL0Xe7ma6m2pHfEMkOiDl42rsgrmkShxPEvZMd5vpT+RyQWQh26TJ42MRoCJSt6XNeFLXRyjfRcDt7ZxYD3bHNeyaDuUUGt
>> ;{id = 34392 (zsk), size = 1024b}
>> rhybar.cz.    321    IN    DNSKEY    256 3 5
>> AwEAAcrTMVXwOcFCGKtXwdt4XATP43qU96IryyqiZ0oPtuHEEBCikuQDuJhRjNAV4DYvR6fb/suAnd91EVNgHHTXUlAWwmJRrqIwZ6VuGaZqVG+NJh1Okif7CL8no2Z47j6I3HH3pyzrYH2oQVyr64O/8BV2jrk8RteeEqa7V7gcrFfJ
>> ;{id = 5172 (zsk), size = 1024b}
>> ldns_verify() result: No keys with the keytag and algorithm from the
>> RRSIG found
>> --- /OUTPUT2 ---
>>
>> It seems that if the zsk is in the first place in the dnskey list, ldns_verify()
>> finds it correctly (domain name www.rhybar.cz really has a bogus
>> signature), but if the zsk is in another place, ldns_verify() gets
>> into trouble finding that key.
>>
>>
>> Cheers,
>> Zbynek
>> _______________________________________________
>> ldns-users mailing list
>> ldns-users at open.nlnetlabs.nl
>> http://open.nlnetlabs.nl/mailman/listinfo/ldns-users
>
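The key-selection loop Matthijs describes above, as a constructed C model added here (it is not ldns's code): each DNSKEY is reduced to keytag and algorithm plus a `verifies` flag that stands in for the real RSA/SHA-1 check, the status names only resemble ldns's, and the key sets `keys_output1`, `keys_output2` (the two orders seen in the thread, RRSIG keytag 5172, algorithm 5) and `keys_good` (a made-up set whose matching key does verify) are constructed inputs. `verify_first_error_sticks` keeps the first verdict and only lets a verifying key overwrite it; `verify_order_independent` applies the rule proposed in the thread, updating the verdict when no matching key was seen before or when the key verifies.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The three ldns_verify() outcomes that appear in the thread (model only). */
typedef enum {
    STATUS_OK = 0,                    /* some key verified the RRSIG */
    STATUS_CRYPTO_NO_MATCHING_DNSKEY, /* no key had the RRSIG's keytag + algorithm */
    STATUS_CRYPTO_BOGUS               /* a matching key was tried, signature failed */
} verify_status;

/* A DNSKEY reduced to what the selection loop looks at. `verifies` is a
 * constructed stand-in for the outcome of the real cryptographic check. */
typedef struct {
    uint16_t keytag;
    uint8_t  algorithm;
    bool     verifies;
} dnskey;

#define SIG_ALGORITHM 5     /* RSASHA1, as in the RRSIG from the thread */
#define SIG_KEYTAG    5172

/* Key order from OUTPUT1: the matching ZSK comes first. */
const dnskey keys_output1[3] = {
    { 5172,  5, false },  /* ZSK, matches the RRSIG, signature is bogus */
    { 44566, 5, false },  /* KSK, does not match the RRSIG */
    { 34392, 5, false },  /* other ZSK, does not match the RRSIG */
};

/* Key order from OUTPUT2: the matching ZSK comes last. */
const dnskey keys_output2[3] = {
    { 44566, 5, false },
    { 34392, 5, false },
    { 5172,  5, false },
};

/* Constructed set in which the matching key does verify. */
const dnskey keys_good[2] = {
    { 44566, 5, false },
    { 5172,  5, true  },
};

/* Per-key check: keytag/algorithm filter first, then the modelled crypto step. */
static verify_status check_one_key(const dnskey *k, uint16_t sig_keytag, uint8_t sig_alg)
{
    if (k->keytag != sig_keytag || k->algorithm != sig_alg)
        return STATUS_CRYPTO_NO_MATCHING_DNSKEY;
    return k->verifies ? STATUS_OK : STATUS_CRYPTO_BOGUS;
}

/* Pre-r3227 behaviour as described in the thread: the first verdict is kept
 * and only a verifying key can replace it, so a non-matching key listed
 * before the matching one masks a bogus signature. */
verify_status verify_first_error_sticks(const dnskey *keys, size_t n,
                                        uint16_t sig_keytag, uint8_t sig_alg)
{
    verify_status result = STATUS_CRYPTO_NO_MATCHING_DNSKEY;
    bool have_result = false;

    for (size_t i = 0; i < n; i++) {
        verify_status st = check_one_key(&keys[i], sig_keytag, sig_alg);
        if (!have_result) {
            result = st;
            have_result = true;
        } else if (st == STATUS_OK) {
            result = st;
        }
    }
    return result;
}

/* Proposed rule: update the verdict when no matching key was seen before
 * this one, or when this key verifies. Key order no longer matters. */
verify_status verify_order_independent(const dnskey *keys, size_t n,
                                       uint16_t sig_keytag, uint8_t sig_alg)
{
    verify_status result = STATUS_CRYPTO_NO_MATCHING_DNSKEY;
    bool matched_before = false;

    for (size_t i = 0; i < n; i++) {
        verify_status st = check_one_key(&keys[i], sig_keytag, sig_alg);
        if (!matched_before || st == STATUS_OK)
            result = st;
        if (st != STATUS_CRYPTO_NO_MATCHING_DNSKEY)
            matched_before = true;
    }
    return result;
}

static const char *status_name(verify_status s)
{
    switch (s) {
    case STATUS_OK:                        return "OK";
    case STATUS_CRYPTO_NO_MATCHING_DNSKEY: return "No keys with the keytag and algorithm from the RRSIG found";
    case STATUS_CRYPTO_BOGUS:              return "Bogus DNSSEC signature";
    }
    return "?";
}

int main(void)
{
    printf("OUTPUT1 order, first error sticks: %s\n",
           status_name(verify_first_error_sticks(keys_output1, 3, SIG_KEYTAG, SIG_ALGORITHM)));
    printf("OUTPUT2 order, first error sticks: %s\n",
           status_name(verify_first_error_sticks(keys_output2, 3, SIG_KEYTAG, SIG_ALGORITHM)));
    printf("OUTPUT2 order, order independent:  %s\n",
           status_name(verify_order_independent(keys_output2, 3, SIG_KEYTAG, SIG_ALGORITHM)));
    return 0;
}
```

The point of the model is the edge case: with the first-error-sticks aggregation, the same bogus RRSet gets two different verdicts depending only on the order of the DNSKEY RRset, and the one a caller would act on ("no matching key") hides that a matching key was found and failed.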
