[ldns-users] ldns-signzone ECDSA random failure
Matt Smith
ldns at xtaz.co.uk
Mon Aug 17 19:49:33 UTC 2015
Hi,
I've been using Unbound, NSD, and the ldns tools for a long time now
successfully signing zones for DNSSEC using algorithm 8 RSA keys. I've
never had a single issue with this. I've been experimenting with using
algorithm 13 ECDSA keys instead and keep hitting the same issue.
Most of the time everything works as expected, the zone is signed, and
unbound can validate it. Occasionally though I'll sign the zone and then
notice the following failure:
Aug 17 20:23:43 tao unbound: [96007:0] info: validation failure
<host.example.com. A IN>: use of signature for ECDSA crypto failed from
10.0.0.10
This will only affect maybe 1 or 2 records within the zone. Every other
record in the zone will successfully validate. If I resign the zone again
then everything will either go back to normal or a different record
might fail this time. It's completely random.
If it helps I have saved copies of the syslog, KSK and ZSK keys along
with the original zone file and the signed zone file if anybody wants to
examine them.
The commands I've been running are pretty standard:
ldns-keygen -a ECDSAP256SHA256 -b 256 -k example.com
ldns-keygen -a ECDSAP256SHA256 -b 256 example.com
SALT=`head -c 512 /dev/random | sha1 | cut -b 1-16`
ldns-signzone -n -t 10 -s $SALT $KSK $ZSK
--
Matt
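One check worth running over a signed zone before it is loaded, added here as an example and not part of the post above or of the ldns tools: RFC 6605 fixes the signature field of an algorithm 13 (ECDSAP256SHA256) RRSIG at exactly 64 octets (r and s, 32 octets each, with no DER framing; 96 octets for algorithm 14), so an RRSIG whose signature decodes to any other length cannot validate whatever the key, and a per-record length check is a cheap way to pinpoint such a record before a resolver does. The zone text, key tag and signature bytes below are constructed for the example; the parser accepts both single-line RRSIGs and the parenthesised multi-line presentation form.

```python
import base64

# Fixed signature sizes for the ECDSA DNSSEC algorithms (RFC 6605):
# r || s, each the size of the curve field in octets, no ASN.1/DER framing.
ECDSA_SIG_LEN = {13: 64, 14: 96}


def _join_parenthesised(zone_text):
    """Join records written across lines with ( ... ) into single lines.

    Comments (from ';' to end of line) are stripped first, and blank lines
    outside a parenthesised record are dropped."""
    out, buf, depth = [], [], 0
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0]
        if not line.strip() and depth == 0:
            continue
        buf.append(line.strip())
        depth += line.count("(") - line.count(")")
        if depth <= 0:
            out.append(" ".join(buf).replace("(", " ").replace(")", " "))
            buf, depth = [], 0
    return out


def parse_rrsigs(zone_text):
    """Yield (owner, covered type, algorithm, raw signature bytes) per RRSIG.

    Tolerates an optional TTL and class before the type. The RDATA order is
    fixed by RFC 4034: type alg labels origttl expiration inception keytag
    signer signature, with the base64 signature possibly split into chunks."""
    for line in _join_parenthesised(zone_text):
        f = line.split()
        if "RRSIG" not in f:
            continue
        i = f.index("RRSIG")
        owner, covered, alg = f[0], f[i + 1], int(f[i + 2])
        sig_b64 = "".join(f[i + 9:])
        yield owner, covered, alg, base64.b64decode(sig_b64)


def find_bad_ecdsa_rrsigs(zone_text):
    """Return (owner, type, alg, actual length) for every ECDSA RRSIG whose
    signature is not the fixed length its algorithm requires."""
    bad = []
    for owner, covered, alg, sig in parse_rrsigs(zone_text):
        want = ECDSA_SIG_LEN.get(alg)
        if want is not None and len(sig) != want:
            bad.append((owner, covered, alg, len(sig)))
    return bad


def _b64(b):
    return base64.b64encode(b).decode()


# Constructed sample data (not real signatures): a well-formed 64-octet
# P-256 signature and a malformed 63-octet one, one byte short.
GOOD_SIG = _b64(bytes(range(1, 65)))
SHORT_SIG = _b64(bytes(range(1, 64)))

SAMPLE_ZONE = f"""\
; constructed sample zone, not the poster's zone
host.example.com.  3600  IN  A     192.0.2.10
host.example.com.  3600  IN  RRSIG A 13 3 3600 20150917000000 20150817000000 12345 example.com. {GOOD_SIG}
www.example.com.   3600  IN  A     192.0.2.11
www.example.com.   3600  IN  RRSIG A 13 3 3600 (
                                   20150917000000 20150817000000 12345 example.com.
                                   {SHORT_SIG} )
"""

if __name__ == "__main__":
    for owner, covered, alg, n in find_bad_ecdsa_rrsigs(SAMPLE_ZONE):
        print(f"{owner} RRSIG({covered}) alg {alg}: signature is {n} octets, "
              f"expected {ECDSA_SIG_LEN[alg]}")
```

Run it against the real signed file with `find_bad_ecdsa_rrsigs(open("example.com.signed").read())`; an empty list means every ECDSA signature at least has the right shape, and any record it names is the one to hand to ldns-verify-zone or unbound-host for a closer look. The check says nothing about whether a correctly sized signature is mathematically valid, so it complements, not replaces, a full verification of the zone.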