Hi all,
We used BIND for DNSSEC, dynamic zones, and automatic signing.
But last week we found that there is just one RRSIG (NSEC3) record that is
invalid (no correct RSASHA256 signature) as signed by BIND.
dnssec-verify -o XXX -E pkcs11 XXX.txt.signed
Loading zone 'XXX' from file 'XXX.txt.signed'
Verifying the zone using the following algorithms: RSASHA256.
No correct RSASHA256 signature for 4AAPP98J0Q8VUG1BSQDH22IS8SURC8M6.XXX NSEC3
The zone is not fully signed for the following algorithms: RSASHA256.
dnssec-verify: fatal: DNSSEC completeness test failed.
The erroneous record is as below:
4AAPP98J0Q8VUG1BSQDH22IS8SURC8M6.XXX. 3600 IN RRSIG NSEC3 8 2 3600 20170925080748 20170911074409 55399 XXX. AAAAAAAJ0lYBXu+DKpPARWqucXHr2hmUm5nGeKzcEg8L+n2Cb0APyG4UvNBYZ3lPzmSVRLw77NsGypPoMG23ovRMhhsmKg2uORh65ikucL072HksSbTNRn5/RPqw8sCD8RiCMrLj+wj5xFhqAa8Xk3UZMEMFK2jWROOT4LKDRhs=
Our zone configuration is as below:
{
dnssec-enable yes;
dnssec-validation yes;
type master;
update-check-ksk yes;
dnssec-dnskey-kskonly yes;
auto-dnssec maintain;
sig-validity-interval 14 5;
dnssec-update-mode maintain;
serial-update-method increment;
}
We used BIND with the version below:
named -V
BIND 9.10.5 <id:feb005b>
running on Linux x86_64 2.6.32-696.3.2.el6.x86_64 #1 SMP Tue Jun 20
01:26:55 UTC 2017
built by make with 'CC=gcc -m64' '--enable-threads'
'--with-openssl=/opt/pkcs11/usr' '--with-pkcs11=/usr/local/lib/pkcs11.so'
'--prefix=/usr/local/bind-9.10.5'
compiled by GCC 4.4.7 20120313 (Red Hat 4.4.7-18)
compiled with OpenSSL version: OpenSSL 1.0.2h 3 May 2016
linked to OpenSSL version: OpenSSL 1.0.2h 3 May 2016
compiled with libxml2 version: 2.7.6
linked to libxml2 version: 20706
Is this a known issue?
Has this been fixed?
We have tried to manually correct this record, but didn't find the right way.
We tried to remove this RRSIG but got a REFUSED log as below:
updating zone 'XXX/IN': update failed: explicit RRSIG updates are
currently not supported in secure zones except at the apex (REFUSED)
We tried to remove this NSEC3 but got a REFUSED log as below:
updating zone 'XXX/IN': update failed: explicit NSEC3 updates are
not allowed in secure zones (REFUSED)
How can we correct this invalid record?
Could anybody give us some help? We would very much appreciate it.
Thank you very much.
Best regards,
Dean
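As an added example (not from the post and not BIND's own code), a small Python check of what can be learned from the quoted RRSIG without the zone's DNSKEY: it parses the record's presentation format, compares the validity window with the zone's sig-validity-interval 14 5, and reports the signature size and the run of leading zero bytes. The record string is re-typed from the post with its fields separated; the one-day slack and the leading-zero threshold are assumptions.

```python
import base64
from datetime import datetime, timedelta, timezone

# Constructed from the record quoted in the post, re-typed with fields separated.
SAMPLE_RRSIG = (
    "4AAPP98J0Q8VUG1BSQDH22IS8SURC8M6.XXX. 3600 IN RRSIG NSEC3 8 2 3600 "
    "20170925080748 20170911074409 55399 XXX. "
    "AAAAAAAJ0lYBXu+DKpPARWqucXHr2hmUm5nGeKzcEg8L+n2Cb0APyG4UvNBYZ3lPzmSVRLw77Ns"
    "GypPoMG23ovRMhhsmKg2uORh65ikucL072HksSbTNRn5/RPqw8sCD8RiCMrLj+wj5xFhqAa8Xk3"
    "UZMEMFK2jWROOT4LKDRhs="
)

def _ts(s):
    # RRSIG timestamps are YYYYMMDDHHmmSS in UTC
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsig(line):
    """Split one RRSIG in presentation format into its RDATA fields (RFC 4034 s3)."""
    f = line.split()
    if len(f) < 13 or f[2] != "IN" or f[3] != "RRSIG":
        raise ValueError("expected: owner TTL IN RRSIG <rdata>")
    return {
        "owner": f[0], "ttl": int(f[1]), "type_covered": f[4],
        "algorithm": int(f[5]), "labels": int(f[6]), "orig_ttl": int(f[7]),
        "expiration": _ts(f[8]), "inception": _ts(f[9]),
        "key_tag": int(f[10]), "signer": f[11],
        "signature": base64.b64decode("".join(f[12:])),  # blob may be split
    }

def check_rrsig(rec, validity_days=14, resign_days=5, now=None):
    """Checks possible without the DNSKEY: window, signature size, leading zeros."""
    sig, findings = rec["signature"], []
    window = rec["expiration"] - rec["inception"]
    # named backdates inception and jitters expiry; one day of slack is an assumption
    if abs(window - timedelta(days=validity_days)) > timedelta(days=1):
        findings.append(f"window {window} does not match {validity_days}d")
    if now is not None and rec["expiration"] - now <= timedelta(days=resign_days):
        findings.append("within the resign window; named should have re-signed")
    leading_zeros = len(sig) - len(sig.lstrip(b"\x00"))
    # An RSA signature is a near-uniform integer below the modulus, so four or
    # more leading zero bytes (about 1 in 2^32) is worth a closer look (assumed threshold).
    if rec["algorithm"] in (5, 7, 8, 10) and leading_zeros >= 4:
        findings.append(f"{leading_zeros} leading zero bytes in RSA signature")
    return {"key_bits": len(sig) * 8, "window": window,
            "leading_zeros": leading_zeros, "findings": findings}

if __name__ == "__main__":
    result = check_rrsig(parse_rrsig(SAMPLE_RRSIG))
    print(result["key_bits"], result["window"], result["findings"])
```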
bind-users mailing list
https://lists.isc.org/mailman/listinfo/bind-users