RR format error (DNSSEC related?)

Marcel Lammerse lammerse at xs4all.nl
Wed Aug 25 21:37:40 UTC 1999


Hi,

I'm currently looking into DNSSEC and I have set up two computers running
bind on Linux PCs. I originally used version 8.1.2 when the problem
occurred. This evening I downloaded the version that was recently announced,
8.2.2, but I still experienced the same problem. It's probably a
configuration error on my part, but it's not obvious to me. That's why I'm
turning to you DNS gurus ;)

Ok, here's the deal. The servers are completely isolated from everything
else. There's just a cross-cable connecting them.

Machine A (ns.naboo.com)
    authoritative for .com
    delegates two zones to machine B : lightside.com and darkside.com

Machine B (ns.sith.com)
    authoritative for lightside.com and darkside.com

Right. I've set up DNSSEC according to the dnssigner documentation and the
presentation Cricket has put on the web. Machine A holds a self-signed DSA
keypair and has used its private key to sign machine B's zone files. This
seems to work properly, take a look for yourself:

[root at amidala named]# nslookup
Default Server:  ns.naboo.com
Address:  192.168.1.1

> maul.darkside.com
Server:  ns.naboo.com
Address:  192.168.1.1

Answer crypto-validated by server:
Name:    maul.darkside.com
Address:  192.168.1.5

However, when I start querying for NS-records, this happens:

> set type=ns
> lightside.com
Server:  ns.naboo.com
Address:  192.168.1.1

Non-authoritative answer:
lightside.com   nameserver = jedi.lightside.com

Authoritative answers can be found from:
jedi.lightside.com      internet address = 192.168.1.2
lightside.com   record type KEY, interpreted as:
?.                      1H IN KEY       0x4101 3 3 (
                At9YZu89gbCReUbjqHx7EsCwtQRlw72ItNHfflIXryMyfvz9
                ZZvdTArHzAEj6b3vQFpTswV4E+CABkr3kGY3d8w1jZLFzWRV
                9Vq2SWG+3VtSvssU3SCAZx6MFzvo4QJFqGqul30bSU5RYly9
                HVY8KieFHoG0wZ2T4wq+ZtpxmdYwh5yW3rf4hqnjenduG1Vy
                WAW/V0TlxmM3jL1zF3i06ZGg+dp/GYfFBauhM2Wc+f46VEBd
                yrcWvmOToLLcM7ot4B9jcUvLXkCGGtJcjzPWEsk+ZqW39LxI
                bXudw61P8O+2B+EIdOk1jYR+JN+DVv9STgWweryTKrrobn6f
                04rH1hAKeebZ )
lightside.com   record type SIG, interpreted as:
?.                      1H IN SIG       KEY 3 3600 \#(          ; RR format
error
        37 e9 2a 20 37 c0 4b a0 87 c6 03 63 6f 6d 00 02 ; 7.* 7.K....com..
        49 32 63 dd b2 07 65 31 67 40 e8 5d af 3c d2 13 ; I2c...e1g at .].<..
        36 44 8c 8b 13 a7 e3 e5 84 9b 51 a5 90 ed aa 6a ; 6D........Q....j
        f7 b2 f1 1f 79 9c 4c 5c )                       ; ....y.L\
>

I'm not ashamed to admit that I don't have a _clue_ as to what this means or
why this goes wrong. Like, what does the question mark mean?

This is the signed zone file from machine B for lightside.com:

; Generated by dns_signer dated April 8, 1999
$ORIGIN lightside.com.
lightside.com.    86400 IN    SOA   ns.sith.com. root.ns.sith.com. (
                               19980907 ; serial
                               8H  ; refresh
                               4H  ; retry
                               5w6d16h  ; expiry
                               1D )  ; minimum
                86400 IN    SIG   SOA 3 86400 19990922195746 19990822195746
61875 lightside.com. (
                   AjrKm0SlCt5p/mhTx5RGRgonPfaRDpBwxIsAPZJmmxhmkacX
                   ciTSBpg= )
lightside.com.     3600 IN    KEY   0x4101 3 3 (
                   At9YZu89gbCReUbjqHx7EsCwtQRlw72ItNHfflIXryMyfvz9
                   ZZvdTArHzAEj6b3vQFpTswV4E+CABkr3kGY3d8w1jZLFzWRV
                   9Vq2SWG+3VtSvssU3SCAZx6MFzvo4QJFqGqul30bSU5RYly9
                   HVY8KieFHoG0wZ2T4wq+ZtpxmdYwh5yW3rf4hqnjenduG1Vy
                   WAW/V0TlxmM3jL1zF3i06ZGg+dp/GYfFBauhM2Wc+f46VEBd
                   yrcWvmOToLLcM7ot4B9jcUvLXkCGGtJcjzPWEsk+ZqW39LxI
                   bXudw61P8O+2B+EIdOk1jYR+JN+DVv9STgWweryTKrrobn6f
                   04rH1hAKeebZ )
                 3600 IN    SIG   KEY 3 3600 19990922142739 19990822142739
34758 com. (
                   AqpDFOt/FSenF8gjGhsav44ZeP80FmemCXd4ZWVLWoVwjAqe
                   P3e3I4E= )
lightside.com.    86400 IN    NS    ns.sith.com.
                86400 IN    SIG   NS 3 86400 19990922195746 19990822195746
61875 lightside.com. (
                   Ansfeofp6xj+GQUMVDKC4z/pUd3VleBNM44s6RQS+jfVpQiL
                   6isHdPA= )
lightside.com.    86400 IN    NXT   jarjar.lightside.com. NS SOA SIG KEY NXT
                86400 IN    SIG   NXT 3 86400 19990922195746 19990822195746
61875 lightside.com. (
                   ApMG4SYnxCNMBKaUx/wp7Y6AsImyffwvRYwWgiCbr/GXv7ix
                   V+LxqLE= )
jarjar          86400 IN    A     192.168.1.4
                86400 IN    SIG   A 3 86400 19990922195746 19990822195746
61875 lightside.com. (
                   AlV+8OyLhkQBY73KUuopgcdK9SJrALL260r+dzhUDmlMTAn5
                   bV5uJPY= )
jarjar          86400 IN    NXT   padme.lightside.com. A SIG NXT
                86400 IN    SIG   NXT 3 86400 19990922195746 19990822195746
61875 lightside.com. (
                   AojDbG4j31RhLApXXQ7nXgHqW5SBq6SU7nzfd7UdSUyDNMJ8
                   UuTC4rc= )
padme           86400 IN    A     192.168.1.3
                86400 IN    SIG   A 3 86400 19990922195746 19990822195746
61875 lightside.com. (
                   Arg+CbNv6S6NskkVkCDj/VlwCU4+JdMCmwi7M3fgR2eKSu7X
                   5JFdnzs= )
padme           86400 IN    NXT   lightside.com. A SIG NXT
                86400 IN    SIG   NXT 3 86400 19990922195746 19990822195746
61875 lightside.com. (
                   AiAu0HTDO3lrGqFimMXofSWk8gVdbGfajaKOoCOPDRS8WYuA
                   vhkzdMY= )

Sometimes the same thing just happens as I play around with nslookup for a
while (just query for different records). It almost seems like this has
something to do with caching. Sometimes I get the 'crypto-validated'
response, other times I just get an error message like the one above.

Any help is immensely appreciated at this point.

Thanks,

Marcel


--
                     "Better safe than assimilated"

                                                Chakotay
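A decoder for the SIG RDATA that nslookup dumped in the post above, added here as an example; it is not from Marcel's post nor from BIND. It assumes the hex dump starts at the SIG expiration field and rebuilds the first 8 RDATA octets from the displayed "SIG KEY 3 3600"; the constant names and helper functions are my own.

```python
import struct
from datetime import datetime, timezone

# The four hex rows nslookup printed (copied from the post; ASCII gutter dropped).
DUMP_HEX = " ".join([
    "37 e9 2a 20 37 c0 4b a0 87 c6 03 63 6f 6d 00 02",
    "49 32 63 dd b2 07 65 31 67 40 e8 5d af 3c d2 13",
    "36 44 8c 8b 13 a7 e3 e5 84 9b 51 a5 90 ed aa 6a",
    "f7 b2 f1 1f 79 9c 4c 5c",
])
# Assumed: the dump starts at the expiration field, so the first 8 RDATA octets
# are rebuilt from the displayed "SIG KEY 3 3600": type covered KEY (25),
# algorithm 3 (DSA), 2 labels in lightside.com, original TTL 3600.
SIG_RDATA = struct.pack("!HBBI", 25, 3, 2, 3600) + bytes.fromhex(DUMP_HEX)

def read_name(buf: bytes, off: int):
    """Read an uncompressed RFC 1035 domain name starting at offset off."""
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer not allowed in a SIG signer name")
        labels.append(buf[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels) + ".", off

def sig_time(t: int) -> str:
    """Seconds since the epoch -> YYYYMMDDHHMMSS (RFC 2535 presentation form)."""
    return datetime.fromtimestamp(t, tz=timezone.utc).strftime("%Y%m%d%H%M%S")

def parse_sig_rdata(rdata: bytes) -> dict:
    """Decode RFC 2535 SIG RDATA: 18-octet fixed header, signer name, signature."""
    type_covered, alg, labels, ttl, exp, inc, tag = struct.unpack("!HBBIIIH", rdata[:18])
    signer, off = read_name(rdata, 18)
    return {"type_covered": type_covered, "algorithm": alg, "labels": labels,
            "original_ttl": ttl, "expiration": sig_time(exp), "inception": sig_time(inc),
            "key_tag": tag, "signer": signer, "signature": rdata[off:]}

def describe_key_flags(flags: int) -> dict:
    """Split the KEY RR flags word per RFC 2535 section 3.1.2 (bit 0 is the MSB)."""
    key_type = (flags >> 14) & 0x3   # bits 0-1: 01 = confidentiality use prohibited
    name_type = (flags >> 8) & 0x3   # bits 6-7: 01 = zone key
    return {"auth_only": key_type == 0b01, "no_key": key_type == 0b11,
            "zone_key": name_type == 0b01, "signatory": flags & 0xF}  # bits 12-15

if __name__ == "__main__":
    print(parse_sig_rdata(SIG_RDATA), describe_key_flags(0x4101))
```

Under that assumption the dump decodes to key tag 34758 and signer com., matching the KEY SIG in the zone file, with a 31-day validity window (22 Aug to 22 Sep 1999) and a 41-octet signature, which is the DSA signature length RFC 2536 specifies. The 0x4101 flags word decodes as an authentication-only zone key with signatory field 1.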


