From shlyoko at gmail.com Tue Mar 4 16:15:20 2014 From: shlyoko at gmail.com (Emil Natan) Date: Tue, 4 Mar 2014 18:15:20 +0200 Subject: [ldns-users] ldns-read-zone -s does not strip DNSKEY Message-ID: Hello, ldns-version: 1.6.17 "ldns-read-zone -s" does not strip the DNSKEY RRs, although the manual states: "Strip DNSSEC data from the zone. This option skips every record that is of type NSEC, NSEC3, RRSIG or DNSKEY." Tried with multiple zones with the same result. All other DNSSEC specific records are omitted in the output. Thanks. ena -------------- next part -------------- An HTML attachment was scrubbed... URL: From paul at nohats.ca Tue Mar 4 16:28:45 2014 From: paul at nohats.ca (Paul Wouters) Date: Tue, 4 Mar 2014 11:28:45 -0500 (EST) Subject: [ldns-users] ldns-read-zone -s does not strip DNSKEY In-Reply-To: References: Message-ID: On Tue, 4 Mar 2014, Emil Natan wrote: > "ldns-read-zone -s" does not strip the DNSKEY RRs, although the manual states:? > "Strip DNSSEC data from the zone. This option skips every record that is of type NSEC, NSEC3, RRSIG or DNSKEY." Tried with multiple > zones with the same result. All other DNSSEC specific records are omitted in the output. That's a bug in the man page? DS and DNSKEY Resource Records is zone data. The point of the -s option is to take a signed zone, and get rid of the _signing_ records so it turns it into an unsigned zone. So DS and DNSKEY should not be stripped. I can see how someone might want to remove DNSKEY's, but than that should probably be a different option. Paul From shlyoko at gmail.com Tue Mar 4 16:44:24 2014 From: shlyoko at gmail.com (Emil Natan) Date: Tue, 4 Mar 2014 18:44:24 +0200 Subject: [ldns-users] ldns-read-zone -s does not strip DNSKEY In-Reply-To: References: Message-ID: On Tue, Mar 4, 2014 at 6:28 PM, Paul Wouters wrote: > On Tue, 4 Mar 2014, Emil Natan wrote: > > "ldns-read-zone -s" does not strip the DNSKEY RRs, although the manual >> states: >> "Strip DNSSEC data from the zone. This option skips every record that is >> of type NSEC, NSEC3, RRSIG or DNSKEY." Tried with multiple >> zones with the same result. All other DNSSEC specific records are omitted >> in the output. >> > > That's a bug in the man page? > > DS and DNSKEY Resource Records is zone data. The point of the -s option > is to take a signed zone, and get rid of the _signing_ records so it > turns it into an unsigned zone. So DS and DNSKEY should not be stripped. > > I can see how someone might want to remove DNSKEY's, but than that > should probably be a different option. > > Paul > Agree. Though it should be really nice to have that option because when using OpenDNSSEC or BIND's Smart signing the DNSKEY in not a part of the unsigned zone and that can be useful when comparing the signed and unsigned zones. ena -------------- next part -------------- An HTML attachment was scrubbed... URL: From paul at nohats.ca Tue Mar 4 17:16:01 2014 From: paul at nohats.ca (Paul Wouters) Date: Tue, 4 Mar 2014 12:16:01 -0500 (EST) Subject: [ldns-users] ldns-read-zone -s does not strip DNSKEY In-Reply-To: References:

Message-ID: On Tue, 4 Mar 2014, Emil Natan wrote: > Agree. Though it should be really nice to have that option because when using OpenDNSSEC or BIND's Smart signing the DNSKEY in not a > part of the unsigned zone and that can be useful when comparing the signed and unsigned zones. but didnt you have a signed zone? Or rather two signed zones to compare? And in case you were not aware, for doing to ods+bind combo signer, we added -0 to ldns-read-zone: Print a (null) for the RRSIG inception, expiry and key data. This option can be used when comparing different signing systems that use the same DNSKEYs for signing but would have a slightly different timings/jitter. Paul From shlyoko at gmail.com Tue Mar 4 17:28:52 2014 From: shlyoko at gmail.com (Emil Natan) Date: Tue, 4 Mar 2014 19:28:52 +0200 Subject: [ldns-users] ldns-read-zone -s does not strip DNSKEY In-Reply-To: References:

Message-ID: Sorry, I should have said "comparing the unsigned and signed version of a zone". I'm trying to compare the non-DNSSEC data for a zone before and after signing. At the end I finished with a long grep that strips the DNSSEC data. Thanks. ena On Tue, Mar 4, 2014 at 7:16 PM, Paul Wouters wrote: > On Tue, 4 Mar 2014, Emil Natan wrote: > > Agree. Though it should be really nice to have that option because when >> using OpenDNSSEC or BIND's Smart signing the DNSKEY in not a >> part of the unsigned zone and that can be useful when comparing the >> signed and unsigned zones. >> > > but didnt you have a signed zone? Or rather two signed zones to compare? > > And in case you were not aware, for doing to ods+bind combo signer, we > added -0 to ldns-read-zone: > > Print a (null) for the RRSIG inception, expiry and key data. This > option > can be used when comparing different signing systems that use the > same > DNSKEYs for signing but would have a slightly different > timings/jitter. > > > Paul > -------------- next part -------------- An HTML attachment was scrubbed... URL: From shlyoko at gmail.com Tue Mar 4 17:37:32 2014 From: shlyoko at gmail.com (Emil Natan) Date: Tue, 4 Mar 2014 19:37:32 +0200 Subject: [ldns-users] ldns-read-zone -s does not strip DNSKEY In-Reply-To: References:

Message-ID: ... on that matter, it would be nice if ldns-compare-zones can provide different exit status when the compared zones share identical data and when they differ (currently the exist status is always 0). Instead I used ldns-read-zone to sort and canonicalize the data, stripped the DNSSEC data using "grep" and "diff" to compare the files. Thanks again. ena On Tue, Mar 4, 2014 at 7:28 PM, Emil Natan wrote: > Sorry, I should have said "comparing the unsigned and signed version of a > zone". I'm trying to compare the non-DNSSEC data for a zone before and > after signing. At the end I finished with a long grep that strips the > DNSSEC data. Thanks. > > ena > > > On Tue, Mar 4, 2014 at 7:16 PM, Paul Wouters wrote: > >> On Tue, 4 Mar 2014, Emil Natan wrote: >> >> Agree. Though it should be really nice to have that option because when >>> using OpenDNSSEC or BIND's Smart signing the DNSKEY in not a >>> part of the unsigned zone and that can be useful when comparing the >>> signed and unsigned zones. >>> >> >> but didnt you have a signed zone? Or rather two signed zones to compare? >> >> And in case you were not aware, for doing to ods+bind combo signer, we >> added -0 to ldns-read-zone: >> >> Print a (null) for the RRSIG inception, expiry and key data. This >> option >> can be used when comparing different signing systems that use the >> same >> DNSKEYs for signing but would have a slightly different >> timings/jitter. >> >> >> Paul >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From willem at nlnetlabs.nl Tue Mar 4 22:12:29 2014 From: willem at nlnetlabs.nl (Willem Toorop) Date: Tue, 04 Mar 2014 23:12:29 +0100 Subject: [ldns-users] ldns-read-zone -s does not strip DNSKEY In-Reply-To: References:

Message-ID: <53164FCD.6040004@nlnetlabs.nl> op 04-03-14 18:37, Emil Natan schreef: > ... on that matter, it would be nice if ldns-compare-zones can provide > different exit status when the compared zones share identical data and > when they differ (currently the exist status is always 0). Hi Emil, This is now implemented in the development branch of the git repository: http://git.nlnetlabs.nl/ldns/commit/?h=develop&id=3a31a8b1 (with the -e option) Cheers, -- Willem From willem at nlnetlabs.nl Tue Mar 4 22:17:59 2014 From: willem at nlnetlabs.nl (Willem Toorop) Date: Tue, 04 Mar 2014 23:17:59 +0100 Subject: [ldns-users] ldns-read-zone -s does not strip DNSKEY In-Reply-To: References: Message-ID: <53165117.5060507@nlnetlabs.nl> op 04-03-14 17:28, Paul Wouters schreef: > On Tue, 4 Mar 2014, Emil Natan wrote: > >> "ldns-read-zone -s" does not strip the DNSKEY RRs, although the manual >> states: >> "Strip DNSSEC data from the zone. This option skips every record that >> is of type NSEC, NSEC3, RRSIG or DNSKEY." > > That's a bug in the man page? > I can see how someone might want to remove DNSKEY's, but than that > should probably be a different option. As of commit http://git.nlnetlabs.nl/ldns/commit/?h=develop&id=2e824311 this is fixed in the man page and ldns-read-zone has extra options to exclude (or include) certain RR types. To strip all NSEC, NSEC3, RRSIG *and* DNSKEY RRs, one can now do ldns-read-zone -s -e DNSKEY which is equivalent with: ldns-read-zone -e NSEC -e NSEC3 -e RRSIG -e DNSKEY -- Willem From shlyoko at gmail.com Wed Mar 5 07:23:31 2014 From: shlyoko at gmail.com (Emil Natan) Date: Wed, 5 Mar 2014 09:23:31 +0200 Subject: [ldns-users] ldns-read-zone -s does not strip DNSKEY In-Reply-To: <53165117.5060507@nlnetlabs.nl> References: <53165117.5060507@nlnetlabs.nl> Message-ID: Hi Willem, Thank you very much for both updates. I presume "-e" stands once for "exit" and once for "exclude", but I want to believe it actually stands for "Emil" ;-) ena On Wed, Mar 5, 2014 at 12:17 AM, Willem Toorop wrote: > op 04-03-14 17:28, Paul Wouters schreef: > > On Tue, 4 Mar 2014, Emil Natan wrote: > > > >> "ldns-read-zone -s" does not strip the DNSKEY RRs, although the manual > >> states: > >> "Strip DNSSEC data from the zone. This option skips every record that > >> is of type NSEC, NSEC3, RRSIG or DNSKEY." > > > > That's a bug in the man page? > > > I can see how someone might want to remove DNSKEY's, but than that > > should probably be a different option. > > As of commit http://git.nlnetlabs.nl/ldns/commit/?h=develop&id=2e824311 > this is fixed in the man page and ldns-read-zone has extra options to > exclude (or include) certain RR types. > > To strip all NSEC, NSEC3, RRSIG *and* DNSKEY RRs, one can now do > > ldns-read-zone -s -e DNSKEY > > which is equivalent with: > > ldns-read-zone -e NSEC -e NSEC3 -e RRSIG -e DNSKEY > > -- Willem > > _______________________________________________ > ldns-users mailing list > ldns-users at open.nlnetlabs.nl > http://open.nlnetlabs.nl/mailman/listinfo/ldns-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From fedick at denic.de Wed Mar 12 15:16:54 2014 From: fedick at denic.de (Patrick Fedick) Date: Wed, 12 Mar 2014 16:16:54 +0100 Subject: [ldns-users] Zone signing problem with DSA keys Message-ID: <53207A66.4010303@denic.de> Hello, I have a testsuite, which basically generates DNSKEYs, signs a small zone with them and then verifies the signed zone. This is done with different algorithms, keysizes and other variations. The testsuite is written in C++ using the ldns library (ldns version 1.6.17, openssl 1.0.1e, CentOS 6.5 or Ubuntu 12.04). The code is based on ldns-keygen, ldns-signzone and ldns-verify-zone. It is expected that none of these tests fail, but in practice some of them do fail with the error "Bogus DNSSEC signature for xxxxxx. DNSKEY" or other RR. It seems the tests only fail when using DSA or DSA-NSEC3-SHA1 keys (I've not tested ECDSA). Keysize doesn't matter. To exclude an error in my code, I've written a small shell script, which only uses the tools ldns-keygen, ldns-signzone and ldns-verify-zone and I could reproduce the problem. The script is doing the following steps in a loop a 1000 times: 1. Generate ZSK with "ldns-keygen -a DSA -b 1024 -r /dev/urandom test.de" 2. Append DNSKEY RR to a testzone, which only consists of the SOA and two NS RR 3. Sign zone with: ldns-signzone -o test.de -n db.test.de $ZSK_KEYNAME 5. Verify zone with: ldns-verify-zone db.test.de.signed There are no errors detected in ldns-keygen and ldns-signzone, but ldns-verify-zone randomly reports bogus signatures. I've also tested what happens, when using always the same key for signing. I can see that the RRSIG records change in each iteration (probably a random component), but when using a ZSK which worked before, ldns-verify-zone always succeeds and when using a ZSK which failed before, verification always fails. I believe there is something wrong in the DSA key generation, but it could also be a bug in the signing process. I'm unable to track this issue down any further. I have attached an archive which contains my demo script as well as a "good key" and a "bad key". The script creates a "tmp" folder in the current directory and expects the ldns-tools in the PATH and needs /bin/bash. It would be nice, if someone could confirm, if this is a bug in ldns (or openssl?) or if I'm doing something completely wrong. Best regards, Gruss, Patrick Fedick -- Patrick Fedick IT-Services DENIC eG Kaiserstra?e 75-77 60329 Frankfurt am Main GERMANY E-Mail: fedick at denic.de Fon: +49 69 27235-403 Fax: +49 69 27235-239 http://www.denic.de Angaben nach ? 25a Absatz 1 GenG: DENIC eG (Sitz: Frankfurt am Main) Vorstand: Helga Kr?ger, Carsten Schiefner, Dr. J?rg Schweiger Vorsitzender des Aufsichtsrats: Thomas Keller Eingetragen unter Nr. 770 im Genossenschaftsregister, Amtsgericht Frankfurt am Main -------------- next part -------------- A non-text attachment was scrubbed... Name: demo.tar.gz Type: application/x-gzip Size: 2862 bytes Desc: not available URL: From willem at nlnetlabs.nl Fri Mar 14 10:24:58 2014 From: willem at nlnetlabs.nl (Willem Toorop) Date: Fri, 14 Mar 2014 11:24:58 +0100 Subject: [ldns-users] Zone signing problem with DSA keys In-Reply-To: <53207A66.4010303@denic.de> References: <53207A66.4010303@denic.de> Message-ID: <5322D8FA.5010402@nlnetlabs.nl> Hi Patrick, You probably already know, but your colleague Peter Koch has beaten me to it and has found and solved the issue. It is committed on the developers branch. http://git.nlnetlabs.nl/ldns/commit/?h=develop&id=1063b441 Thank you for finding and reporting this not so easily to pin point but serious bug. Much appreciated! -- Willem op 12-03-14 16:16, Patrick Fedick schreef: > Hello, > > I have a testsuite, which basically generates DNSKEYs, signs a small zone with them and then verifies the signed zone. This is done with different algorithms, keysizes and other variations. The testsuite is written in C++ using the ldns library (ldns version 1.6.17, openssl 1.0.1e, CentOS 6.5 or Ubuntu 12.04). The code is based on ldns-keygen, ldns-signzone and ldns-verify-zone. > > It is expected that none of these tests fail, but in practice some of them do fail with the error "Bogus DNSSEC signature for xxxxxx. DNSKEY" or other RR. > > It seems the tests only fail when using DSA or DSA-NSEC3-SHA1 keys (I've not tested ECDSA). Keysize doesn't matter. To exclude an error in my code, I've written a small shell script, which only uses the tools ldns-keygen, ldns-signzone and ldns-verify-zone and I could reproduce the problem. > > The script is doing the following steps in a loop a 1000 times: > 1. Generate ZSK with "ldns-keygen -a DSA -b 1024 -r /dev/urandom test.de" > 2. Append DNSKEY RR to a testzone, which only consists of the SOA and two NS RR > 3. Sign zone with: ldns-signzone -o test.de -n db.test.de $ZSK_KEYNAME > 5. Verify zone with: ldns-verify-zone db.test.de.signed > > There are no errors detected in ldns-keygen and ldns-signzone, but ldns-verify-zone randomly reports bogus signatures. > > I've also tested what happens, when using always the same key for signing. I can see that the RRSIG records change in each iteration (probably a random component), but when using a ZSK which worked before, ldns-verify-zone always succeeds and when using a ZSK which failed before, verification always fails. I believe there is something wrong in the DSA key generation, but it could also be a bug in the signing process. I'm unable to track this issue down any further. > > I have attached an archive which contains my demo script as well as a "good key" and a "bad key". The script creates a "tmp" folder in the current directory and expects the ldns-tools in the PATH and needs /bin/bash. > > It would be nice, if someone could confirm, if this is a bug in ldns (or openssl?) or if I'm doing something completely wrong. > > Best regards, > > Gruss, > Patrick Fedick > > > > _______________________________________________ > ldns-users mailing list > ldns-users at open.nlnetlabs.nl > http://open.nlnetlabs.nl/mailman/listinfo/ldns-users > From fedick at denic.de Fri Mar 14 11:45:54 2014 From: fedick at denic.de (Patrick Fedick) Date: Fri, 14 Mar 2014 12:45:54 +0100 Subject: [ldns-users] Zone signing problem with DSA keys In-Reply-To: <5322D8FA.5010402@nlnetlabs.nl> References: <53207A66.4010303@denic.de> <5322D8FA.5010402@nlnetlabs.nl> Message-ID: <5322EBF2.1000907@denic.de> Hello Willem, I've applied the patch and can confirm that it solves the problem. Thanks. Best regards, Patrick Fedick Am 14.03.2014 11:24, schrieb Willem Toorop: > Hi Patrick, > > You probably already know, but your colleague Peter Koch has beaten me > to it and has found and solved the issue. It is committed on the > developers branch. > > http://git.nlnetlabs.nl/ldns/commit/?h=develop&id=1063b441 > > Thank you for finding and reporting this not so easily to pin point but > serious bug. Much appreciated! > > -- Willem > > op 12-03-14 16:16, Patrick Fedick schreef: >> Hello, >> >> I have a testsuite, which basically generates DNSKEYs, signs a small zone with them and then verifies the signed zone. This is done with different algorithms, keysizes and other variations. The testsuite is written in C++ using the ldns library (ldns version 1.6.17, openssl 1.0.1e, CentOS 6.5 or Ubuntu 12.04). The code is based on ldns-keygen, ldns-signzone and ldns-verify-zone. >> >> It is expected that none of these tests fail, but in practice some of them do fail with the error "Bogus DNSSEC signature for xxxxxx. DNSKEY" or other RR. >> >> It seems the tests only fail when using DSA or DSA-NSEC3-SHA1 keys (I've not tested ECDSA). Keysize doesn't matter. To exclude an error in my code, I've written a small shell script, which only uses the tools ldns-keygen, ldns-signzone and ldns-verify-zone and I could reproduce the problem. >> >> The script is doing the following steps in a loop a 1000 times: >> 1. Generate ZSK with "ldns-keygen -a DSA -b 1024 -r /dev/urandom test.de" >> 2. Append DNSKEY RR to a testzone, which only consists of the SOA and two NS RR >> 3. Sign zone with: ldns-signzone -o test.de -n db.test.de $ZSK_KEYNAME >> 5. Verify zone with: ldns-verify-zone db.test.de.signed >> >> There are no errors detected in ldns-keygen and ldns-signzone, but ldns-verify-zone randomly reports bogus signatures. >> >> I've also tested what happens, when using always the same key for signing. I can see that the RRSIG records change in each iteration (probably a random component), but when using a ZSK which worked before, ldns-verify-zone always succeeds and when using a ZSK which failed before, verification always fails. I believe there is something wrong in the DSA key generation, but it could also be a bug in the signing process. I'm unable to track this issue down any further. >> >> I have attached an archive which contains my demo script as well as a "good key" and a "bad key". The script creates a "tmp" folder in the current directory and expects the ldns-tools in the PATH and needs /bin/bash. >> >> It would be nice, if someone could confirm, if this is a bug in ldns (or openssl?) or if I'm doing something completely wrong. >> >> Best regards, >> >> Gruss, >> Patrick Fedick >> >> >> >> _______________________________________________ >> ldns-users mailing list >> ldns-users at open.nlnetlabs.nl >> http://open.nlnetlabs.nl/mailman/listinfo/ldns-users >> > > _______________________________________________ > ldns-users mailing list > ldns-users at open.nlnetlabs.nl > http://open.nlnetlabs.nl/mailman/listinfo/ldns-users > From thozza at redhat.com Tue Mar 18 14:26:51 2014 From: thozza at redhat.com (Tomas Hozza) Date: Tue, 18 Mar 2014 10:26:51 -0400 (EDT) Subject: [ldns-users] link to git repo is not working In-Reply-To: <728940557.616701.1395152737142.JavaMail.zimbra@redhat.com> Message-ID: <1130968081.617552.1395152811248.JavaMail.zimbra@redhat.com> Hi. The link to the git repository published on the project page is not working. I was also not able to pull recent changes in already cloned git repo. Regards, Tomas Hozza From Willem at NLnetLabs.nl Tue Mar 18 21:16:11 2014 From: Willem at NLnetLabs.nl (Willem Toorop) Date: Tue, 18 Mar 2014 22:16:11 +0100 Subject: [ldns-users] link to git repo is not working In-Reply-To: <1130968081.617552.1395152811248.JavaMail.zimbra@redhat.com> References: <1130968081.617552.1395152811248.JavaMail.zimbra@redhat.com> Message-ID: <5328B79B.1020201@NLnetLabs.nl> Sorry Thomas, We had a "little" outage on our jail-servers (which also host git) due to a CARP messages feedback-loop (i.e. multicast storm), when trying source-routing to seamlessly facilitate a provider migration. :( -- Willem op 18-03-14 15:26, Tomas Hozza schreef: > Hi. > > The link to the git repository published on the project page > is not working. I was also not able to pull recent changes > in already cloned git repo. > > Regards, > > Tomas Hozza > _______________________________________________ > ldns-users mailing list > ldns-users at open.nlnetlabs.nl > http://open.nlnetlabs.nl/mailman/listinfo/ldns-users > -- ??ll??