Fwd: SSHFP observation
Jim Popovitch
jimpop at domainmail.org
Thu Jan 31 15:56:55 UTC 2019
On Thu, 2019-01-31 at 21:12 +0530, Mukund Sivaraman wrote:
> On Thu, Jan 31, 2019 at 10:30:30AM -0500, Jim Popovitch via bind-users wrote:
> > On Thu, 2019-01-31 at 19:14 +0530, rams wrote:
> > > Hi,
> > > I have setup sshfp records as follows in bind zone file:
> > >
> > > test1.ramesh-sshfp.com. 86400 IN SSHFP 1 1 aa
> > > test2.ramesh-sshfp.com. 86400 IN SSHFP 1 1 00
> > >
> > > bind started successfully, but when queried for test1 and test2 it
> > > returns a malformed error and no answer. If the fingerprint value is
> > > wrong, then bind should validate it and should not start. Is this
> > > expected behaviour? Kindly confirm.
> >
> > Bind will restart cleanly unless you muck up something in the
> > config file(s). In this case you have something wrong in a zone
> > file, and we can't see what it is because the domain you specified
> > is invalid. So, until you show us some data my best guess is that
> > you have a formatting error in a zone file(s).
> >
> > Help us help you by specifying the actual domain.
>
> The original poster is right. Something is broken in SSHFP
> processing. He's configured a zone with the above records, and
> querying against that zone is causing dig to print that the reply is
> malformed.
> BIND should never return a malformed message, so there is a bug
> somewhere.
The malformed messages are from dig (v9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.3)
Warning: Message parser reports malformed message packet.
WARNING: Messages has 55 extra bytes at end
We know nothing yet about the BIND setup/version/zone/etc. For all we
know the zone is fat-fingered.
-Jim P.
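The two records quoted above carry a one-byte fingerprint ("aa", "00") while fingerprint type 1 (SHA-1) requires 20 bytes and type 2 (SHA-256) requires 32. Below is an added example, not part of the thread or of BIND, that checks SSHFP RDATA for this kind of error and builds a well-formed record from an OpenSSH public-key line the way ssh-keygen -r does (the Ed25519 key it uses is constructed, not a real host key).

```python
import base64
import hashlib
import struct

# RFC 4255 fingerprint types (SHA-256 added by RFC 6594) and the digest length each requires.
FP_TYPES = {1: ("SHA-1", 20), 2: ("SHA-256", 32)}
# SSHFP algorithm numbers keyed by SSH key type name (RFC 4255, 6594, 7479, 8709).
KEYTYPE_TO_ALG = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                  "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
                  "ssh-ed25519": 4, "ssh-ed448": 6}

def check_sshfp(alg, fptype, fp_hex):
    """Return the problems with an SSHFP RDATA triple; an empty list means it is well-formed."""
    problems = []
    if alg not in KEYTYPE_TO_ALG.values():
        problems.append(f"unknown algorithm number {alg}")
    if fptype not in FP_TYPES:
        return problems + [f"unknown fingerprint type {fptype}"]
    name, expected = FP_TYPES[fptype]
    try:
        raw = bytes.fromhex(fp_hex)
    except ValueError:
        return problems + ["fingerprint is not valid hex"]
    if len(raw) != expected:
        problems.append(f"{name} fingerprint must be {expected} bytes, got {len(raw)}")
    return problems

def parse_sshfp_line(line):
    """Parse 'owner [TTL] IN SSHFP alg fptype hex...' into (owner, alg, fptype, hex)."""
    f = line.split()
    i = f.index("SSHFP")
    return f[0], int(f[i + 1]), int(f[i + 2]), "".join(f[i + 3:])  # hex may be space-split

def sshfp_record(owner, pubkey_line, fptype=2):
    """Build the SSHFP line for an OpenSSH public-key line by digesting the decoded key blob."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    digest = hashlib.sha1 if fptype == 1 else hashlib.sha256
    return f"{owner} IN SSHFP {KEYTYPE_TO_ALG[keytype]} {fptype} {digest(blob).hexdigest()}"

def constructed_ed25519_pubkey_line(raw_key):
    """Constructed test key (not a real host key): wire blob is string(type) || string(32-byte key)."""
    def ssh_string(b): return struct.pack(">I", len(b)) + b
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw_key)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"

# The two records from the thread; both fail because a SHA-1 fingerprint must be 20 bytes.
THREAD_RECORDS = ["test1.ramesh-sshfp.com. 86400 IN SSHFP 1 1 aa",
                  "test2.ramesh-sshfp.com. 86400 IN SSHFP 1 1 00"]

if __name__ == "__main__":
    for rec in THREAD_RECORDS:
        print(rec, "->", check_sshfp(*parse_sshfp_line(rec)[1:]))
    good = sshfp_record("host.example.", constructed_ed25519_pubkey_line(bytes(range(32))))
    print(good, "->", check_sshfp(*parse_sshfp_line(good)[1:]))
```

Running the checker over a zone file before loading it catches the length mismatch that the zone loader in the thread accepted.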