[ldns-users] ldns-verify-zone and double signature

Willem Toorop willem at nlnetlabs.nl
Mon Apr 10 09:18:13 UTC 2017


Acknowledged.  This is clearly a bug.  I've just committed a fix on the
develop branch:


Thanks for reporting!

-- Willem

On 29-03-17 at 17:20, Emil Natan wrote:
> Hello,
> ldns-verify-zone is one of the tools I use to verify freshly signed
> zonefiles. Since my "signer" machine does not have access to the real
> world I provide ldns-verify-zone with the signed zonefile and DS record
> like this:
> ldns-verify-zone -S -k Ktest.org.+008+57589.ds test.zone.signed
> When the zonefile is signed with a single ZSK and single KSK there are
> no complaints.
> When the zonefile is signed with single ZSK and two KSKs (as during KSK
> rollover, both KSKs are added to the zone and the DNSKEY RRset is signed
> by both KSKs), the above command fails with:
> # ldns-verify-zone -S -k Ktest.org.+008+57589.ds test.zone.signed
> Error: No keys with the keytag and algorithm from the RRSIG found for
> test.org. DNSKEY
> There were errors in the zone
> Just for testing I tried to provide the DSes for both KSKs and no errors
> were emitted.
> # ldns-verify-zone -k Ktest.org.+008+57589.ds -k Ktest.org.+008+34735.ds
> test.zone.signed
> Zone is verified and complete
> That's never a real-world scenario since there is only a single DS in the
> parent zone during a KSK rollover, first it's the DS generated for the
> initial key, then it's replaced with the DS for the successor key.
> The issue is easy to reproduce: generate 3 keys, 1 ZSK and 2 KSKs, sign
> the zone with the ZSK and both KSKs, then run ldns-verify-zone with a
> single DS file.
> The same happens with and without the "-S" flag.
> Emil
> _______________________________________________
> ldns-users mailing list
> ldns-users at nlnetlabs.nl
> https://open.nlnetlabs.nl/mailman/listinfo/ldns-users
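The reproduction Emil describes, written out as an added shell example (it is not code from the thread or from the ldns project): it builds a constructed test.org zone, generates one ZSK and two KSKs with ldns-keygen, signs with ldns-signzone (whose default policy signs the DNSKEY RRset with every SEP-flagged key, so two KSKs give two RRSIG(DNSKEY) records), then runs ldns-verify-zone first with both DS files and then with the single DS a parent zone would actually publish during a rollover. The zone contents, key sizes, the WORK scratch directory and the awk helpers are assumptions made for the example; the ldns options used (-k for a KSK and -r for the randomness device in ldns-keygen, -o for the origin in ldns-signzone, -k for a DS file in ldns-verify-zone) are the tools' real ones.

```shell
#!/bin/sh
# Added example (not ldns project code): reproduce the double-KSK report.
# Requires ldns-keygen, ldns-signzone and ldns-verify-zone on PATH.
set -eu

WORK=${WORK:-$(mktemp -d)}   # scratch directory for zone and key files (assumed)

# Constructed minimal zone for test.org. (assumed content, not from the thread).
write_zone() {
    cat > test.zone <<'EOF'
$ORIGIN test.org.
$TTL 3600
@       IN SOA ns1 hostmaster 2017032901 7200 3600 1209600 3600
        IN NS  ns1
ns1     IN A   192.0.2.1
www     IN A   192.0.2.2
EOF
}

# One ZSK and two KSKs (-k sets the SEP flag).  ldns-keygen prints the key
# base name, e.g. Ktest.org.+008+57589, and writes .key, .private and .ds files.
gen_keys() {
    ZSK=$(ldns-keygen -a RSASHA256 -b 1024 -r /dev/urandom test.org.)
    KSK1=$(ldns-keygen -a RSASHA256 -b 2048 -k -r /dev/urandom test.org.)
    KSK2=$(ldns-keygen -a RSASHA256 -b 2048 -k -r /dev/urandom test.org.)
}

# ldns-signzone's default policy: SEP-flagged keys sign the DNSKEY RRset,
# the ZSK signs everything else, so two KSKs yield two RRSIG(DNSKEY).
# The signed zone is written to test.zone.signed.
sign_zone() {
    ldns-signzone -o test.org. test.zone "$ZSK" "$KSK1" "$KSK2"
}

# Key tags of the RRSIGs covering the DNSKEY RRset, one per line.
# RRSIG rdata: type alg labels origttl expiration inception keytag signer sig
dnskey_sig_tags() {
    awk '{ for (i = 1; i <= NF; i++)
             if ($i == "RRSIG" && $(i+1) == "DNSKEY") { print $(i+7); break } }' "$1"
}

# Key tag from a DS file as written by ldns-keygen (first DS record).
ds_tag() {
    awk '{ for (i = 1; i <= NF; i++) if ($i == "DS") { print $(i+1); exit } }' "$1"
}

# Run ldns-verify-zone with one -k per DS file; returns its exit status.
verify_with() {
    zone=$1; shift
    args=""
    for f in "$@"; do args="$args -k $f"; done
    # shellcheck disable=SC2086  # word splitting of $args is intended
    ldns-verify-zone $args "$zone"
}

main() {
    cd "$WORK"
    write_zone
    gen_keys
    sign_zone
    echo "DS key tags:            $(ds_tag "$KSK1.ds") $(ds_tag "$KSK2.ds")"
    echo "RRSIG(DNSKEY) key tags: $(dnskey_sig_tags test.zone.signed | tr '\n' ' ')"
    echo "--- both DS files (masks the bug; a parent never publishes both at once):"
    verify_with test.zone.signed "$KSK1.ds" "$KSK2.ds"
    echo "--- single DS (the real rollover state; fails on ldns builds before the fix):"
    verify_with test.zone.signed "$KSK1.ds" || echo "ldns-verify-zone exited with status $?"
}

if command -v ldns-signzone >/dev/null 2>&1; then
    main
else
    echo "ldns tools not on PATH; nothing run" >&2
fi
```

The two-DS run only proves that both KSK signatures are individually valid; the single-DS run is the check that mirrors what a validating resolver sees, and it is the one to keep in a signing pipeline, since the DNSKEY RRset is still verifiable with either DS as long as the key tag in one of its RRSIGs matches the published DS. The key tags printed before the verification runs show directly which RRSIG the supplied DS should match.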