Hi Malcolm,
have you tried tweaking the following configuration?

.. namedconf:statement:: sig0checks-quota
   :tags: server
   :short: Specifies the maximum number of concurrent SIG(0) signature checks
           that can be processed by the server.

   This is the maximum number of simultaneous SIG(0)-signed messages that
   the server accepts. If the quota is reached, then :iscman:`named` answers
   with a status code of REFUSED. The value of ``0`` disables the quota. The
   default is ``1``.

.. namedconf:statement:: sig0checks-quota-exempt
   :tags: server
   :short: Exempts specific clients or client groups from SIG(0) signature
           checking quota.

   DNS clients can be exempted from the SIG(0) signature checking quota with the
   :any:`sig0checks-quota-exempt` clause, using their IP and/or network
   addresses. The default value is an empty list.

   Example:

   ::

      sig0checks-quota-exempt {
          10.0.0.0/8;
          2001:db8::100;
      };

If that doesn't help, I would suggest filing an issue in our GitLab; it seems
like a genuine bug.
Ondřej
--
Ondřej Surý (He/Him)
[email protected]
My working hours and your working hours may be different. Please do not feel
obligated to reply outside your normal working hours.
> On 5. 11. 2024, at 17:53, Malcolm Scott <[email protected]> wrote:
>
> On Tue, 5 Nov 2024, Malcolm Scott wrote:
>
>> Regardless I'll try adjusting the algorithm choice in case it does make a
>> difference.
>
> So far I can report that using an ECDSAP384SHA384 key for the SIG(0) still
> encounters the same failure mode. (For tedious reasons the client I chose to
> test can't do ED25519. More experimentation ongoing. But the problem is not
> specific to RSASHA512.)
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
> this list
>
> ISC funds the development of this software with paid support subscriptions.
> Contact us at https://www.isc.org/contact/ for more information.
>
>
> bind-users mailing list
> [email protected]
> https://lists.isc.org/mailman/listinfo/bind-users
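
The quota behaviour described in the documentation excerpt above, modelled in Python as an added example (not code from this thread or from BIND itself). The `Sig0Quota` class, the `replay` helper and the event sequence are hypothetical, and the model assumes that exempt clients take no quota slot.

```python
import ipaddress

ACCEPTED, REFUSED = "ACCEPTED", "REFUSED"

class Sig0Quota:
    """Toy model of the documented quota semantics; not named's implementation."""

    def __init__(self, quota=1, exempt=()):
        self.quota = quota  # documented default is 1; 0 disables the quota
        self.exempt = [ipaddress.ip_network(e) for e in exempt]
        self.in_flight = 0  # signature checks currently holding a quota slot

    def is_exempt(self, client):
        # An IPv4 address tested against an IPv6 network (or vice versa) is False.
        return any(ipaddress.ip_address(client) in net for net in self.exempt)

    def begin_check(self, client):
        # Assumption: exempt clients bypass the quota and take no slot.
        if self.quota == 0 or self.is_exempt(client):
            return ACCEPTED, False
        if self.in_flight >= self.quota:
            return REFUSED, False
        self.in_flight += 1
        return ACCEPTED, True

    def end_check(self, counted):
        if counted:
            self.in_flight -= 1

def replay(quota, exempt, events):
    """Feed ("arrive" | "done", client) events through the model."""
    q, held, results = Sig0Quota(quota, exempt), {}, []
    for action, client in events:
        if action == "arrive":
            status, counted = q.begin_check(client)
            if status == ACCEPTED:
                held[client] = counted
            results.append((client, status))
        else:  # "done": the client's signature check has finished
            q.end_check(held.pop(client, False))
    return results

EXEMPT = ["10.0.0.0/8", "2001:db8::100"]  # the list from the quoted example
EVENTS = [  # constructed sequence, not taken from a real server
    ("arrive", "192.0.2.10"),
    ("arrive", "192.0.2.11"),     # first check still running
    ("arrive", "10.1.2.3"),       # inside 10.0.0.0/8
    ("arrive", "2001:db8::100"),
    ("done", "192.0.2.10"),
    ("arrive", "192.0.2.11"),     # retry after the slot is free
]
```

Calling `replay(1, EXEMPT, EVENTS)` shows the default quota refusing the second non-exempt client while the first check is still in flight, then accepting its retry.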