[ldns-users] ldns-verify-zone and double signature

Emil Natan shlyoko at gmail.com
Wed Mar 29 15:20:52 UTC 2017


Hello,

ldns-verify-zone is one of the tools I use to verify freshly signed
zonefiles. Since my "signer" machine does not have access to the real world,
I provide ldns-verify-zone with the signed zonefile and DS record like this:

ldns-verify-zone -S -k Ktest.org.+008+57589.ds test.zone.signed

When the zonefile is signed with a single ZSK and single KSK there are no
complaints.
When the zonefile is signed with a single ZSK and two KSKs (as during a KSK
rollover, when both KSKs are added to the zone and the DNSKEY RRset is signed
by both KSKs), the above command fails with:

# ldns-verify-zone -S -k Ktest.org.+008+57589.ds test.zone.signed
Error: No keys with the keytag and algorithm from the RRSIG found for
test.org. DNSKEY
There were errors in the zone

Just for testing I tried to provide the DSes for both KSKs and no errors
were emitted.
# ldns-verify-zone -k Ktest.org.+008+57589.ds -k Ktest.org.+008+34735.ds
test.zone.signed
Zone is verified and complete

That's never a real-world scenario, since there is only a single DS in the
parent zone during a KSK rollover: first it's the DS generated for the
initial key, then it's replaced with the DS for the successor key.

The issue is easy to reproduce: generate 3 keys, 1 ZSK and 2 KSKs, sign the
zone with the one ZSK and both KSKs, then run ldns-verify-zone with a single
DS file.
The same happens with and without the "-S" flag.

Emil
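The check the post expects from the verifier is the one RFC 4035 describes: pick the DNSKEY whose key tag and algorithm match the RRSIG over the DNSKEY RRset, and accept the chain of trust as soon as any one of those signing keys is authenticated by a DS from the parent. A second KSK that also signed the RRset but has no matching DS is simply ignored, not reported as missing. The following is an added example (not part of Emil's mail and not ldns code) that models exactly that key-selection and DS-matching step in Python: the RFC 4034 Appendix B key tag and the SHA-256 DS digest are computed for real, while the cryptographic signature check over the RRset is assumed to be done by the signing tool chain and is not modelled. The zone name test.org., the 4-byte "public keys", the DNSKEY/DS/RRSIG dataclasses and the helper names are all constructed for the example.

```python
"""Model of the trust-anchor coverage rule for a DNSKEY RRset during a KSK rollover.

Added example: the key material below is constructed dummy data, not real RSA
keys, and RRSIGs are represented only by the (type, algorithm, keytag, signer)
fields a validator uses to select the signing key.
"""
import hashlib
import struct
from dataclasses import dataclass


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire-format owner name, as used for the DS digest."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


@dataclass(frozen=True)
class DNSKEY:
    owner: str      # e.g. "test.org."
    flags: int      # 257 = KSK (SEP bit set), 256 = ZSK
    algorithm: int  # 8 = RSASHA256
    pubkey: bytes   # public key material; constructed dummy bytes here
    protocol: int = 3

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.pubkey

    def keytag(self) -> int:
        """RFC 4034 Appendix B key tag (for all algorithms except RSAMD5)."""
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b << 8 if i % 2 == 0 else b
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF

    def ds_digest(self) -> str:
        """RFC 4034 section 5.1.4 digest (type 2, SHA-256) over owner name + RDATA."""
        return hashlib.sha256(name_to_wire(self.owner) + self.rdata()).hexdigest()


@dataclass(frozen=True)
class DS:
    keytag: int
    algorithm: int
    digest_type: int
    digest: str  # lowercase hex


@dataclass(frozen=True)
class RRSIG:
    type_covered: str  # "DNSKEY" for signatures over the DNSKEY RRset
    algorithm: int
    keytag: int
    signer: str


def ds_for(key: DNSKEY) -> DS:
    """The DS record a parent would publish for this key (what the child hands to the verifier)."""
    return DS(key.keytag(), key.algorithm, 2, key.ds_digest())


def trusted_signing_keys(dnskeys, rrsigs, ds_set):
    """DNSKEYs that both sign the DNSKEY RRset (per some RRSIG) and match a DS in ds_set.

    Key selection is by (keytag, algorithm) and signer name, as in RFC 4035 5.3.1.
    Only ONE signing key has to be covered by a DS (RFC 4035 5.2); other KSKs that
    signed the RRset but have no DS are ignored rather than treated as an error.
    """
    by_tag = {}
    for k in dnskeys:
        by_tag.setdefault((k.keytag(), k.algorithm), []).append(k)
    trusted = []
    for sig in rrsigs:
        if sig.type_covered != "DNSKEY":
            continue
        for key in by_tag.get((sig.keytag, sig.algorithm), []):
            if key.owner.lower() == sig.signer.lower() and ds_for(key) in ds_set:
                trusted.append(key)
    return trusted


def chain_of_trust_ok(dnskeys, rrsigs, ds_set) -> bool:
    """True when at least one DS-authenticated key signs the DNSKEY RRset."""
    return bool(trusted_signing_keys(dnskeys, rrsigs, ds_set))


# Constructed rollover scenario: one ZSK, the old KSK and its successor are all
# published, and the DNSKEY RRset carries an RRSIG from each KSK.
ZONE = "test.org."
ZSK = DNSKEY(ZONE, 256, 8, b"\x05\x06\x07\x08")
KSK_OLD = DNSKEY(ZONE, 257, 8, b"\x01\x02\x03\x04")
KSK_NEW = DNSKEY(ZONE, 257, 8, b"\x0a\x0b\x0c\x0d")
DNSKEY_RRSET = [ZSK, KSK_OLD, KSK_NEW]
RRSIGS_DURING_ROLLOVER = [
    RRSIG("DNSKEY", 8, KSK_OLD.keytag(), ZONE),
    RRSIG("DNSKEY", 8, KSK_NEW.keytag(), ZONE),
    RRSIG("A", 8, ZSK.keytag(), ZONE),  # ZSK signs zone data, not the DNSKEY RRset
]

if __name__ == "__main__":
    for label, anchors in (("old DS only", {ds_for(KSK_OLD)}),
                           ("new DS only", {ds_for(KSK_NEW)}),
                           ("both DSes", {ds_for(KSK_OLD), ds_for(KSK_NEW)})):
        print(label, "->", "verified" if chain_of_trust_ok(DNSKEY_RRSET, RRSIGS_DURING_ROLLOVER, anchors) else "FAILED")
```

Run as a script it reports "verified" for all three anchor sets, which is the behaviour the post expects from a single-DS run during a rollover; the only failing cases are a DS that matches no key signing the DNSKEY RRset (for instance a DS built from the ZSK) or an RRset signed solely by a key the parent does not yet vouch for.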