DANE record rejected by named-checkzone

Mark Andrews marka at isc.org
Tue Nov 4 22:54:22 UTC 2014


In message <545954B0.8080400 at offerman.com>, "Adrian (Aad) Offerman" writes:
> named keeps refusing my zone file in which I included a DANE record:
> 
> [root]# named-checkzone offerman.com db.offerman.com
> db.offerman.com:59: _443._tcp.offerman.com: bad owner name (check-names)
> db.offerman.com:60: _443._tcp.offerman.com: bad owner name (check-names)
> zone offerman.com/IN: loaded serial 2014110103
> OK
> [root]#
> 
> This appears to be caused by the underscores used in the port/protocol
> combination.
> 
> Here's what the record looks like:
> 
> _443._tcp               IN      TLSA    3 0 1
>   a66939453856cd6b0f78427eb38d3a9921cfb8bab928d24017a172647e323ce

Well that isn't a valid TLSA record.  It has a bad hex encoding.
There are 63 hex digits.

TLSA records themselves are not subject to check-names processing
so I suggest that you look at the reported lines in the file to
find out what is actually there.

In the example below it is the A record which has inherited the
_443._tcp owner name.

Mark

[rock:~/git/bind9] marka% bin/check/named-checkzone ccccc.db ccccc.db
ccccc.db:1: no TTL specified; using SOA MINTTL instead
dns_rdata_fromtext: ccccc.db:3: near eol: bad hex encoding
ccccc.db:4: _443._tcp.ccccc.db: bad owner name (check-names)
zone ccccc.db/IN: loading from master file ccccc.db failed: bad hex encoding
zone ccccc.db/IN: not loaded due to errors.
[rock:~/git/bind9] marka% 

@	IN SOA . . 0 0 0 0 0
@	IN NS .
_443._tcp IN TLSA 3 0 1  a66939453856cd6b0f78427eb38d3a9921cfb8bab928d24017a172647e323ce
	IN A 1.2.3.4

> It was created first using this:
>   tlsa --create --output rfc offerman.com
> later using this:
>   ldns-dane create offerman.com 443
> both resulting in the same record, and both outputs resulting in the
> same error.
> 
> I've upgraded the named version (on CentOS 6.6) from 9.8.2 to 9.9.6,
> but all to no avail :-(
> 
> [root]# named-checkzone -v
> 9.9.6-RedHat-9.9.6-0.el6
> 
> Am I trying to do something here that is not yet supported or am I
> overlooking something?
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
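As an added illustration (not code from the thread, and not BIND's own check-names code), the snippet below walks a zone fragment the way the master-file format does and reports the two things named-checkzone complained about above: an odd number of hex digits in the TLSA data, and an A record whose blank owner field inherited the _443._tcp name from the line before it. The hostname label rule and the per-matching-type digest lengths are assumptions made for this example.

```python
import re

# Constructed zone snippet (not the thread's own file) reproducing both
# defects Mark found: a TLSA record with 63 hex digits, and an A record
# whose blank owner field inherits _443._tcp from the line above it.
ZONE = """\
@ IN SOA . . 0 0 0 0 0
@ IN NS .
_443._tcp IN TLSA 3 0 1  a66939453856cd6b0f78427eb38d3a9921cfb8bab928d24017a172647e323ce
  IN A 1.2.3.4
"""
# Assumed check-names hostname rule: letters, digits and interior hyphens only.
HOSTNAME_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# Hex digits expected for TLSA matching types 1 (SHA-256) and 2 (SHA-512).
TLSA_DIGEST_HEX = {1: 64, 2: 128}

def check_zone(text):
    """Return [(line_no, message)] for TLSA hex and check-names problems.
    A line starting with whitespace has no owner field and inherits the
    previous owner, as the master-file format specifies."""
    findings = []
    owner = None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        fields = line.split()
        if raw[0].isspace():
            rr = fields  # blank owner: keep the inherited one
        else:
            owner, rr = fields[0], fields[1:]
        if rr and rr[0].upper() == "IN":
            rr = rr[1:]  # optional class
        if not rr:
            continue
        rtype, rdata = rr[0].upper(), rr[1:]
        if rtype == "TLSA" and len(rdata) >= 4:
            hexdata = "".join(rdata[3:])  # certificate association data
            want = TLSA_DIGEST_HEX.get(int(rdata[2]))
            if len(hexdata) % 2:
                findings.append((n, f"bad hex encoding ({len(hexdata)} hex digits is odd)"))
            elif want and len(hexdata) != want:
                findings.append((n, f"TLSA matching type {rdata[2]} wants {want} hex digits"))
        elif rtype in ("A", "AAAA") and owner not in (None, "@"):
            labels = owner.rstrip(".").split(".")
            if not all(HOSTNAME_LABEL.match(lb) for lb in labels):
                findings.append((n, f"{owner}: bad owner name (check-names)"))
    return findings
```

Calling check_zone(ZONE) reports line 3 for the 63-digit hex string and line 4 for the A record that inherited the underscore owner name, matching the two diagnostics in Mark's run.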

