DANE record rejected by named-checkzone

Adrian (Aad) Offerman adrian at offerman.com
Sun Nov 30 16:55:17 UTC 2014




On 11/04/2014 11:54 PM, Mark Andrews wrote:
> In message <545954B0.8080400 at offerman.com>, "Adrian (Aad) Offerman"
> writes:
> 
> named keeps refusing my zone file in which I included a DANE
> record:
> 
> [root]# named-checkzone offerman.com db.offerman.com
> db.offerman.com:59: _443._tcp.offerman.com: bad owner name (check-names)
> db.offerman.com:60: _443._tcp.offerman.com: bad owner name (check-names)
> zone offerman.com/IN: loaded serial 2014110103
> OK
> [root]#
> 
> This appears to be caused by the underscores used in the
> port/protocol combination.
> 
> Here's what the record looks like:
> 
> _443._tcp               IN      TLSA    3 0 1 a66939453856cd6b0f78427eb38d3a9921cfb8bab928d24017a172647e323ce
> 
>> Well that isn't a valid TLSA record.  It has a bad hex encoding. 
>> There are 63 hex digits.

Just an error in the cutting/pasting, in the mail message that is.


>> TLSA records themselves are not subject to check-names
>> processing so I suggest that you look at the reported lines in
>> the file to find out what is actually there.
> 
>> In the example below it is the A record which has inherited the 
>> _443._tcp owner name.

Ah, that did the job! :-) Inserting a block of TLSA records at the
wrong place screwed up the inheritance for the next record.

Thanks! Adrian


>> Mark
> 
>> [rock:~/git/bind9] marka% bin/check/named-checkzone ccccc.db ccccc.db
>> ccccc.db:1: no TTL specified; using SOA MINTTL instead
>> dns_rdata_fromtext: ccccc.db:3: near eol: bad hex encoding
>> ccccc.db:4: _443._tcp.ccccc.db: bad owner name (check-names)
>> zone ccccc.db/IN: loading from master file ccccc.db failed: bad hex encoding
>> zone ccccc.db/IN: not loaded due to errors.
>> [rock:~/git/bind9] marka%
> 
>> @	IN SOA . . 0 0 0 0 0
>> @	IN NS .
>> _443._tcp IN TLSA 3 0 1 a66939453856cd6b0f78427eb38d3a9921cfb8bab928d24017a172647e323ce
>> 	IN A 1.2.3.4
> 
> 
> It was created first using this:
> tlsa --create --output rfc offerman.com
> later using this:
> ldns-dane create offerman.com 443
> both resulting in the same record, and both outputs resulting in
> the same error.
> 
> I've upgraded the named version (on CentOS 6.6) from 9.8.2 to
> 9.9.6, but all to no avail :-(
> 
> [root]# named-checkzone -v
> 9.9.6-RedHat-9.9.6-0.el6
> 
> Am I trying to do something here that is not yet supported or am I 
> overlooking something?
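The owner-name inheritance that bit this zone, as an added Python example (not code from the thread or from BIND): a line whose owner field is blank reuses the previous record's owner, so an A record placed right after a `_443._tcp` TLSA record inherits an owner that fails hostname checking, while the TLSA record itself is exempt. The zone text, the origin `example.test.` and the simplified exemption list are constructed for this example.

```python
import re

# Types whose owner names are hostname-checked here (simplified assumption;
# BIND's check-names covers a similar set). TLSA, SRV and TXT are exempt.
HOSTNAME_CHECKED_TYPES = {"A", "AAAA", "MX", "NS"}
HOSTNAME_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def expand_records(zone_text, origin):
    """Yield (lineno, owner, rtype), applying zone-file owner inheritance:
    a line that starts with whitespace reuses the previous record's owner."""
    owner = None
    for lineno, raw in enumerate(zone_text.splitlines(), 1):
        line = raw.split(";", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        fields = line.split()
        if raw[0] in " \t":                       # blank owner: inherit
            if owner is None:
                raise ValueError(f"line {lineno}: no owner to inherit")
        else:
            owner = fields.pop(0)
            if owner == "@":
                owner = origin
            elif not owner.endswith("."):
                owner = f"{owner}.{origin}"
        # skip an optional TTL and class to reach the record type
        while fields and (fields[0].isdigit()
                          or fields[0].upper() in ("IN", "CH", "HS")):
            fields.pop(0)
        rtype = fields[0].upper() if fields else ""
        yield lineno, owner, rtype

def check_names(zone_text, origin):
    """Return [(lineno, owner)] for records whose owner would fail a
    hostname check, mimicking named-checkzone's 'bad owner name'."""
    bad = []
    for lineno, owner, rtype in expand_records(zone_text, origin):
        if rtype not in HOSTNAME_CHECKED_TYPES:
            continue
        labels = owner.rstrip(".").split(".")
        if not all(HOSTNAME_LABEL.match(label) for label in labels):
            bad.append((lineno, owner))
    return bad

# Constructed zones: the A record on line 4 inherits _443._tcp in BROKEN_ZONE.
BROKEN_ZONE = ("@\tIN SOA ns.example.test. hostmaster.example.test. 0 0 0 0 0\n"
               "@\tIN NS ns.example.test.\n"
               "_443._tcp IN TLSA 3 0 1 " + "00" * 32 + "\n"
               "\tIN A 192.0.2.1\n")
FIXED_ZONE = BROKEN_ZONE.replace("\tIN A 192.0.2.1", "@\tIN A 192.0.2.1")
```

Running `check_names(BROKEN_ZONE, "example.test.")` reports line 4 with owner `_443._tcp.example.test.`, and the fixed zone with an explicit `@` owner reports nothing.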