
ldns-signzone wrongly signs non-authoritative records. #275

Open
ximon18 opened this issue May 7, 2025 · 1 comment

ximon18 commented May 7, 2025

LDNS version:

$ yum info ldns-utils
Updating and loading repositories:
Repositories loaded.
Installed packages
Name            : ldns-utils
Epoch           : 0
Version         : 1.8.4
Release         : 1.fc41
Architecture    : x86_64
Installed size  : 764.1 KiB
Source          : ldns-1.8.4-1.fc41.src.rpm
From repository : updates
Summary         : DNS(SEC) utilities for querying dns
URL             : https://www.nlnetlabs.nl/ldns/
License         : BSD-3-Clause
Description     : Collection of tools to get, check or alter DNS(SEC) data.
Vendor          : Fedora Project

Input zone:

$ cat /tmp/t
example.org.    240     IN      SOA     example.net. hostmaster.example.net. 1234567890 28800 7200 604800 240
example.org.    240     IN      A       2.2.2.2
some.example.org.       240     IN      A       1.1.1.1
not-in-zone.org.        240     IN      A       3.3.3.3

ldns-signzone command and output:

$ ldns-signzone -f - /tmp/t test-data/Kexample.org.+008+51331 test-data/Kexample.org.+008+28954
example.org.    240     IN      SOA     example.net. hostmaster.example.net. 1234567890 28800 7200 604800 240
example.org.    240     IN      RRSIG   SOA 8 2 240 20250604070004 20250507070004 28954 example.org. ANvYtJYfN1qJ/bDT3XmllTvqXQqWrVjRULmg04CIYgIoPOv6VI4g2G88IbCPSnuBcU/kDO25CP+xML4MQlh/I4x8Ckv2QvA5HFtPBfH7Kjiaup9Mm6DenOy8dCQSsMYUNv/8c6976d3eUhzG01LDXtirxxXC8NbbX9WcUFfVLuM=
example.org.    240     IN      A       2.2.2.2
example.org.    240     IN      RRSIG   A 8 2 240 20250604070004 20250507070004 28954 example.org. HnlovnRyQ/eyI1maTriqmlyFBfgmL0Vgc0NBElJx3Nl3XmFqxu7D1zcsCNLeVX5U89oQ9wVjk1nerPuLfsIosn2uKBVOWQwxQDGGUvICeS4DiBEwA+LIoU/QthBqaHvLfmUGSzzPyxYt761vEy0nVOKwmB6hC1BQ3vZFJUNnmKs=
example.org.    240     IN      DNSKEY  256 3 8 AwEAAcCIpalbX67WU8Z+gI/oaeD0EjOt41Py++X1HQauTfSB5gwivbGwIsqA+Qf5+/j3gcuSFRbFzyPfAb5x14jy/TU3MWXGfmJsJX/DeTqiMwfTQTTlWgMdqRi7JuQoDx3ueYOQOLTDPVqlyvF5/g7b9FUd4LO8G3aO2FfqRBjNG8px ;{id = 28954 (zsk), size = 1024b}
example.org.    240     IN      DNSKEY  257 3 8 AwEAAckp/oMmocs+pv4KsCkCciazIl2+SohAZ2/bH2viAMg3tHAPjw5YfPNErUBqMGvN4c23iBCnt9TktT5bVoQdpXyCJ+ZwmWrFxlXvXIqG8rpkwHi1xFoXWVZLrG9XYCqLVMq2cB+FgMIaX504XMGk7WQydtV1LAqLgP3B8JA2Fc1j ;{id = 51331 (ksk), size = 1024b}
example.org.    240     IN      RRSIG   DNSKEY 8 2 240 20250604070004 20250507070004 51331 example.org. s3p2rrYSjuuBTxgQiPfU4rx7l4V00OLQJfuSnt601wnPY+xfVR6B4Jcp9SAjISLLmP/ub9V2580k7g2aA55B34CtmUiKc/tOUwaQEzn994Q1f2EPNI1zhLvD3Qy+SZ1K1J8wgcxBAKwBgZb7qjQZZ6CFLWM2nkkKiS7YV+oOgkI=
example.org.    240     IN      NSEC    some.example.org. A SOA RRSIG NSEC DNSKEY 
example.org.    240     IN      RRSIG   NSEC 8 2 240 20250604070004 20250507070004 28954 example.org. G5uLrYiT+8OEfREQffzZbgiw0rgZudcOufZaxeqskinHw/IwGrrG39gIejOVLTII0Il9QfZx7DuVkQIq6ohYtD1+pTL9IkS0tW4zUPReSLaPLD7G2sySxzRObx9v5hSId5D3QSmfkPaSCMExj+r8b//8lqT0ldCq5jpn6vc8HRo=
some.example.org.       240     IN      A       1.1.1.1
some.example.org.       240     IN      RRSIG   A 8 3 240 20250604070004 20250507070004 28954 example.org. bSckjXldIlmihbYHDj/XG0DitABMHPOgQQELFtj3w07/MJ4WeolyTGsNYX7r4+3dDXpVZR5gUYA0sPa3ZWU9zbkQDV09f3JBUyZKYpH6wjU0KUxYDsLQ3RUsnEFs2VdhLMcnmQdJk72SmznIUsnoI4NtNx9qhjeKuOKd5ZCRZHI=
some.example.org.       240     IN      NSEC    not-in-zone.org. A RRSIG NSEC 
some.example.org.       240     IN      RRSIG   NSEC 8 3 240 20250604070004 20250507070004 28954 example.org. MziEC8qSSo2ph5Extf2MGPIUGny9xOcNISS6riAB4xyXWUjho6IYGbh+Tfpg4ElNQdGizthrpeteBdFl+xxg0eHEBBH7t4kXUl4RIAWfLIZNBU/1NZS/MXNVTUOoJj9Vj3AqhSaH5wq5br53Fmsn0iaXjebo1e0ojkMzM0tu49Y=
not-in-zone.org.        240     IN      A       3.3.3.3
not-in-zone.org.        240     IN      RRSIG   A 8 2 240 20250604070004 20250507070004 28954 example.org. Gzjxc6N30rAikoHc1RuKp0MuJUWUy6thSqHMp3wbzgFJaHyJaEF2CE27Ka57SQFWtcgDXDnv+jbzk3HsX22+fJonjkd9t5/iKIVzYFmGYZ91wXgVJl3Upi7KhX07yvW9kK4J+IxILz/mYA4RB/GJBTJ4RElqxDfHo1idkz9BH98=
not-in-zone.org.        240     IN      NSEC    example.org. A RRSIG NSEC 
not-in-zone.org.        240     IN      RRSIG   NSEC 8 2 240 20250604070004 20250507070004 28954 example.org. WNNXHlddFabr06xSU1Ej7W/CJHnVMht+DTXu2SzUlaUlmMI2JPrUs56hRj4mAtb5LIeyn3r9EGdyrwgCMDNPD+8Dt2i4p0ttKCTwfhr9ulB0o1hnjROWpy9tBbVULIHSWaqmT5orNK+VhRDR5yQPrG98nOhI3vjJ4DS9K/seb84=

Note that not-in-zone.org has both RRSIG and NSEC records and that the NSEC record chain for example.org includes not-in-zone.org. This would seem to violate RFC 4035.

@ximon18 ximon18 added the bug label May 7, 2025
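As an added check for the behaviour reported above (example code written for this page, not part of ldns or the reporter's tooling), the script below parses the flat presentation-format output that `ldns-signzone -f -` prints, takes the SOA owner as the zone apex, and reports every RRSIG or NSEC record whose owner lies outside the apex, plus every NSEC whose next-owner pointer leaves the zone. The embedded input is a constructed, abbreviated copy of the signed output in the issue (signature and key data truncated, since the check never inspects it); a second constructed input shows the same zone with the out-of-zone name absent, so the chain stays inside example.org.

```python
"""Flag RRSIG/NSEC records at names outside the zone in ldns-signzone output.

Added example for this issue; it is not ldns code. It handles only the flat
one-RR-per-line presentation format that ldns-signzone -f - prints (no $ORIGIN,
$TTL, multi-line records or quoted ';' inside TXT data).
"""

# Constructed, abbreviated copy of the signed output in the issue; the base64
# signature and key data is truncated because the check never looks at it.
BUGGY_OUTPUT = """\
example.org.      240 IN SOA    example.net. hostmaster.example.net. 1234567890 28800 7200 604800 240
example.org.      240 IN RRSIG  SOA 8 2 240 20250604070004 20250507070004 28954 example.org. ANvY...
example.org.      240 IN A      2.2.2.2
example.org.      240 IN RRSIG  A 8 2 240 20250604070004 20250507070004 28954 example.org. Hnlo...
example.org.      240 IN DNSKEY 256 3 8 AwEAAc... ;{id = 28954 (zsk), size = 1024b}
example.org.      240 IN NSEC   some.example.org. A SOA RRSIG NSEC DNSKEY
example.org.      240 IN RRSIG  NSEC 8 2 240 20250604070004 20250507070004 28954 example.org. G5uL...
some.example.org. 240 IN A      1.1.1.1
some.example.org. 240 IN RRSIG  A 8 3 240 20250604070004 20250507070004 28954 example.org. bSck...
some.example.org. 240 IN NSEC   not-in-zone.org. A RRSIG NSEC
some.example.org. 240 IN RRSIG  NSEC 8 3 240 20250604070004 20250507070004 28954 example.org. MziE...
not-in-zone.org.  240 IN A      3.3.3.3
not-in-zone.org.  240 IN RRSIG  A 8 2 240 20250604070004 20250507070004 28954 example.org. Gzjx...
not-in-zone.org.  240 IN NSEC   example.org. A RRSIG NSEC
not-in-zone.org.  240 IN RRSIG  NSEC 8 2 240 20250604070004 20250507070004 28954 example.org. WNNX...
"""

# Constructed: the same zone with the out-of-zone name absent, so every owner
# and every NSEC pointer stays inside example.org.
CLEAN_OUTPUT = """\
example.org.      240 IN SOA    example.net. hostmaster.example.net. 1234567890 28800 7200 604800 240
example.org.      240 IN RRSIG  SOA 8 2 240 20250604070004 20250507070004 28954 example.org. ANvY...
example.org.      240 IN A      2.2.2.2
example.org.      240 IN NSEC   some.example.org. A SOA RRSIG NSEC DNSKEY
some.example.org. 240 IN A      1.1.1.1
some.example.org. 240 IN NSEC   example.org. A RRSIG NSEC
"""


def parse_zone(text):
    """Parse one-RR-per-line presentation format into
    (owner, ttl, rtype, rdata) tuples; ';' comments are dropped."""
    rrs = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split(None, 4)
        if len(fields) < 4:
            raise ValueError(f"malformed RR line: {raw!r}")
        owner, ttl, _rclass, rtype = fields[:4]
        rdata = fields[4].strip() if len(fields) == 5 else ""
        rrs.append((owner.lower(), int(ttl), rtype.upper(), rdata))
    return rrs


def in_zone(name, apex):
    """True when name is the apex or lies below it (names are fully qualified)."""
    return name == apex or name.endswith("." + apex)


def nsec_next(rdata):
    """Next owner name from NSEC rdata ('<next owner> <type bitmap...>')."""
    return rdata.split()[0].lower()


def walk_nsec_chain(rrs, apex):
    """Follow NSEC next-owner pointers from the apex; returns the owner names
    visited in order, stopping when the chain revisits a name or breaks."""
    nxt = {owner: nsec_next(rdata) for owner, _, rtype, rdata in rrs if rtype == "NSEC"}
    visited, name = [], apex
    while name is not None and name not in visited:
        visited.append(name)
        name = nxt.get(name)
    return visited


def find_out_of_zone_signing(text):
    """Return findings: RRSIG/NSEC records at out-of-zone owners and NSEC
    pointers that leave the zone. An empty list means signatures and the
    NSEC chain both stay inside the apex."""
    rrs = parse_zone(text)
    apexes = {owner for owner, _, rtype, _ in rrs if rtype == "SOA"}
    if len(apexes) != 1:
        raise ValueError(f"expected exactly one SOA, found {sorted(apexes)}")
    apex = apexes.pop()
    findings = []
    for owner, _, rtype, rdata in rrs:
        if rtype in ("RRSIG", "NSEC") and not in_zone(owner, apex):
            what = f"RRSIG({rdata.split()[0]})" if rtype == "RRSIG" else rtype
            findings.append(f"{what} at out-of-zone owner {owner}")
        if rtype == "NSEC" and not in_zone(nsec_next(rdata), apex):
            findings.append(f"NSEC at {owner} points to out-of-zone name {nsec_next(rdata)}")
    return findings


if __name__ == "__main__":
    for label, text in (("buggy", BUGGY_OUTPUT), ("clean", CLEAN_OUTPUT)):
        print(f"{label}: {find_out_of_zone_signing(text) or 'no out-of-zone signing'}")
        print(f"  NSEC chain: {' -> '.join(walk_nsec_chain(parse_zone(text), 'example.org.'))}")
```

Run against the issue's output the script reports four findings (the RRSIG(A), NSEC and RRSIG(NSEC) at not-in-zone.org, and the NSEC at some.example.org pointing at it), and the chain walk shows the apex linking back to itself through the out-of-zone name; the same checks can be pointed at any signer's output to confirm the NSEC chain never leaves the apex.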
ximon18 commented May 7, 2025

Note: While 1.8.5 appears to be the current release of ldns, not 1.8.4, the changelog for 1.8.5 doesn't appear to contain a fix for this issue, at least not that I can see. I also quickly looked at the open issues here but didn't find an existing issue for this problem. However, at the time I searched for "glue", thinking that this only related to glue records.
