Error to validate the signature of a SIG(0) transaction...
Manuel Gil Perez
manuel at dif.um.es
Thu Dec 30 19:29:36 UTC 2004
Hi everyone,
I would like to use SIG(0) as a mechanism to publish certificates into my DNS
server in a secure way using DNS dynamic update (note: I'm using the latest
version of BIND, 9.3.0). For this, I create a new DNS message and generate
the SIG(0) transaction signature, which is added to the message.
The request I send to the DNS server is the following:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 63187
;; flags: ; qd: 1 an: 0 au: 1 ad: 1
;; ZONE:
;; dnssec.zone.org., type = SOA, class = IN
;; PREREQUISITES: <empty>
;; UPDATE RECORDS:
testsig0.dnssec.zone.org. 3600 IN CERT 1 378 1 <cert in PEM format>
;; ADDITIONAL RECORDS:
. 0 ANY SIG TYPE0 1 1 0 20041230190407 20041230185907 58596 dnssec.zone.org.
<signature of the request>
The request is generated and sent successfully but I obtain a SERVFAIL from
the server:
;; ->>HEADER<<- opcode: UPDATE, status: SERVFAIL, id: 63187
;; flags: qr ; qd: 0 an: 0 au: 0 ad: 0
;; ZONE: <empty>
;; PREREQUISITES: <empty>
;; UPDATE RECORDS: <empty>
;; ADDITIONAL RECORDS: <empty>
Reviewing the log files, the server returns the following error: <<request
has invalid signature: not verified yet (NOERROR)>>.
Is BIND able to verify SIG(0) signatures? Doing the same process but
using TSIG, the DNS server verifies the signatures perfectly.
Thanks... and regards,
------
Manuel Gil Pérez
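Added example (not code from the original post, and not BIND's verification logic): before a resolver or update server can check a SIG(0) cryptographically, the record's metadata has to line up, so this script parses the SIG(0) RR exactly as printed in the request above and checks the things a verifier rejects first: that the type covered is 0, that the current time falls inside the inception/expiration window, and that the signer name owns a KEY RR with the same algorithm and key tag (key tag computed per RFC 4034 Appendix B, with the RSA/MD5 special case since the request uses algorithm 1). The KEY record and its modulus bytes are constructed so that its key tag comes out as 58596; the function and variable names are my own.

```python
# Added example: sanity-check the metadata of a SIG(0) record before attempting
# cryptographic verification. Constructed sample data, standard library only.
import struct
from datetime import datetime, timezone


def parse_timestamp(s):
    """YYYYMMDDHHMMSS in UTC, the form used in SIG/RRSIG presentation format."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_sig0(rr_text):
    """Parse a SIG(0) RR in presentation form (as printed in the request above)
    into its RDATA fields (RFC 2535 section 4.1, RFC 2931)."""
    toks = rr_text.split()
    i = toks.index("SIG")
    covered, alg, labels, ttl, expiration, inception, tag, signer = toks[i + 1:i + 9]
    return {
        "type_covered": covered,          # "TYPE0" marks a transaction signature
        "algorithm": int(alg),
        "labels": int(labels),
        "original_ttl": int(ttl),
        "expiration": parse_timestamp(expiration),
        "inception": parse_timestamp(inception),
        "key_tag": int(tag),
        "signer": signer,                 # owner name whose KEY RR holds the key
    }


def key_tag(flags, protocol, algorithm, public_key):
    """Key tag of a KEY/DNSKEY RR (RFC 4034 Appendix B; B.1 for RSA/MD5)."""
    if algorithm == 1:
        # RSA/MD5: the 16 bits just above the lowest octet of the modulus,
        # which are the last bytes of the public key field (RFC 3110 layout)
        return int.from_bytes(public_key[-3:-1], "big")
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + public_key
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def precheck_sig0(rr_text, zone_keys, now):
    """Return the reasons this SIG(0) cannot verify (empty list if it may).
    zone_keys maps owner name -> [(flags, protocol, algorithm, public_key), ...]."""
    sig = parse_sig0(rr_text)
    problems = []
    if sig["type_covered"] != "TYPE0":
        problems.append("type covered is not 0")
    if not sig["inception"] <= now <= sig["expiration"]:
        problems.append("outside validity window")
    candidates = [k for k in zone_keys.get(sig["signer"], [])
                  if k[2] == sig["algorithm"] and key_tag(*k) == sig["key_tag"]]
    if not candidates:
        problems.append("no KEY at %s with algorithm %d and key tag %d"
                        % (sig["signer"], sig["algorithm"], sig["key_tag"]))
    return problems


# Constructed sample: the SIG(0) from the request above, plus a fake RSA/MD5 KEY
# (exponent length 1, exponent 3, then modulus) whose tag comes out as 0xE4E4 = 58596.
SIG0_TEXT = ". 0 ANY SIG TYPE0 1 1 0 20041230190407 20041230185907 58596 dnssec.zone.org."
FAKE_RSAMD5_KEY = (256, 3, 1, b"\x01\x03" + b"\xAB" * 20 + b"\xE4\xE4\x00")
ZONE_KEYS = {"dnssec.zone.org.": [FAKE_RSAMD5_KEY]}

if __name__ == "__main__":
    print(precheck_sig0(SIG0_TEXT, ZONE_KEYS, parse_timestamp("20041230190000")))
    print(precheck_sig0(SIG0_TEXT, ZONE_KEYS, parse_timestamp("20041230192936")))
```

Run as-is, the first call reports no problems (19:00:00 lies inside the five-minute window), while the second, evaluated at the time the mail was sent, reports that the signature is outside its validity window. Any of these findings is something to check on the client side before suspecting the server's verifier, since a verifier that cannot even locate the matching KEY never gets as far as the cryptographic check.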