Package: pdns-server
Version: 3.1-1
Severity: important

Hi,
I first noticed this problem when I upgraded a 3.0 pdns-static deb
downloaded from powerdns.com to 3.1 by backporting/compiling the 3.1
sid source package to squeeze. The DNSKEYs were generated with the 3.0
pdns-static version. http://dnsviz.net/,
http://dnssec-debugger.verisignlabs.com/ and my local validating
unbound resolver were reporting bogus rrsigs after the upgrade. 

To make sure this is not some upstream problem I removed my own
packages and installed pdns-static_3.1.20120511.2617-1_amd64.deb from
upstream. The RRSIGs are ok with that version.

Making sure this is not a problem with my own build I set up a wheezy
test system and imported a database dump from the production machine.
The RRSIGs are bogus again.

Testing with this script:
---------------------------------------------------------------------
#! /usr/bin/perl
use strict;
use warnings;
use 5.010;

use Net::DNS;

my $res = Net::DNS::Resolver->new(
#    nameservers => [qw(217.31.82.6)], # OK
    nameservers => [qw(217.31.84.16)], # BROKEN
    recurse     => 0,
    debug       => 0,
    dnssec      => 1
);

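# Ask the selected server for the DNSKEY RRset; with dnssec => 1 the
# covering RRSIG comes back in the same answer.
my $answer = $res->query('adns1.de', 'DNSKEY');

# Split the answer section into the keys and their signature(s).
my @rrset = grep { ref($_) eq 'Net::DNS::RR::DNSKEY'} $answer->answer;
my @rrsig = grep { ref($_) eq 'Net::DNS::RR::RRSIG'} $answer->answer;
foreach my $rr (@rrset) {
    say $rr->string;
}
say '-' x 80;
foreach my $rr (@rrsig) {
    say $rr->string;
}
my $rrsig = $rrsig[0];
say '-' x 80;
# The DNSKEY RRset is both the signed data and the list of candidate keys.
say 'verify: ', $rrsig->verify(\@rrset, \@rrset);
say $rrsig->vrfyerrstr;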
---------------------------------------------------------------------

I get this output for the wheezy pdns:

$ perl pdns_debug.pl
adns1.de.       86400   IN      DNSKEY  257  3  7 ( 
                        AwEAAcGf3iRl4grAc6JH2uu2FZ85IR34OBZL
                        wUK3pTLPsGRtrYflNJSTE3Zz/G+8qQsygmLK
                        xs9IB+MPEOtsWtvCcthF5XPAs18imq6Os9zm
                        ocYsGMqZCIDVk91L+q0cF61xvt0pLodE1Lhk
                        PVw4trSlG/UrVttu21EDcCw6j+HgY16QhD0Z
                        f4TAiKolRcVb05WpVn7PAEyejMbqqAZJlthl
                        ylxqtAhP0OaTIK80HWKp/Tm13sMR9FqDG9Us
                        Yf9jyTeUoZ+9VEyY4xQOgj/p1kJu6tmCg0cy
                        azE72GnWaJmtcEgPvswARj+dud6ncYfcQhSy
                        gvut/9ELC6NSCPwdMgMCnKc= 
                        ) ; Key ID = 49353
adns1.de.       86400   IN      DNSKEY  256  3  7 ( 
                        AwEAAc2DV53dOIqxlq+YijjMPoRHoPZzzYKn
                        JXcy491RJnTzaPiEGOLTvhpBMt7c+IOn9mRd
                        Ev3PU3m0WFbeb6Uv8VNf+dc2CTFPGBz8DUIS
                        3DEbcUJdoG/5U000f/Kqyjgahr5LQHHJGXU4
                        UAK3Jd1YeBKiCgx9mpE7xwCewspMhutB 
                        ) ; Key ID = 41009
adns1.de.       86400   IN      DNSKEY  256  3  7 ( 
                        AwEAAcbLMvWxXjVvtEoIRg2IT7lzZUCDz9tC
                        2cI2oymrUUawiO0y5aFLQCHeWlr+5HwWjclX
                        O8WSavC+rCTV/QXA60OgGMupXVfO9eZgiaUg
                        nYcX7xTSdQxK4KKRJ3RHPXjWPvRWDpeIwOob
                        gPEB0DvuLBz8onmoEq+kVbpiwq5Hd2jr 
                        ) ; Key ID = 7997
--------------------------------------------------------------------------------
adns1.de.       86400   IN      RRSIG   DNSKEY  7  2  86400  20120614000000 (
                        20120531000000 49353  adns1.de.
                        Eg1h4ZqRBOkrS3mcWD6qOJo+ARYO+RIscR40oscqrdyMq
                        ujrXLPHMiWuBCBitT0RvNS/FGKq6/pWhaNI/fkjjJmzhs
                        fsNSuUZpn6nDCzbCm+gJ4rRYlOacIu4pdS9qZdFnpI1XK
                        R+BoYN31Ih6i8AyEQq7Lwonf/kK9WfsNMGKJyXrOh1ooH
                        sC0L7TeHqrR7yHdYcUtvA8lFSPFBXYh8jZk9L9hu/XHTP
                        PaI2v0YBPNJUC7/2K1aOK8n10SzHRPSshlahoyFw8bHHB
                        K2GbYo2Jjhu6k2RhEj3VBSZ7jfKlvMoaocnqAG9+N5jAo
                        TAuD7xdefySCbb+IpkjI53Lvfig== )
--------------------------------------------------------------------------------
verify: 0
key 1:RSA Verification failed key 2: keytag does not match key 3: keytag does 
not match 

And this output for the production system:
$ perl pdns_debug.pl
adns1.de.       86400   IN      DNSKEY  257  3  7 ( 
                        AwEAAcGf3iRl4grAc6JH2uu2FZ85IR34OBZL
                        wUK3pTLPsGRtrYflNJSTE3Zz/G+8qQsygmLK
                        xs9IB+MPEOtsWtvCcthF5XPAs18imq6Os9zm
                        ocYsGMqZCIDVk91L+q0cF61xvt0pLodE1Lhk
                        PVw4trSlG/UrVttu21EDcCw6j+HgY16QhD0Z
                        f4TAiKolRcVb05WpVn7PAEyejMbqqAZJlthl
                        ylxqtAhP0OaTIK80HWKp/Tm13sMR9FqDG9Us
                        Yf9jyTeUoZ+9VEyY4xQOgj/p1kJu6tmCg0cy
                        azE72GnWaJmtcEgPvswARj+dud6ncYfcQhSy
                        gvut/9ELC6NSCPwdMgMCnKc= 
                        ) ; Key ID = 49353
adns1.de.       86400   IN      DNSKEY  256  3  7 ( 
                        AwEAAc2DV53dOIqxlq+YijjMPoRHoPZzzYKn
                        JXcy491RJnTzaPiEGOLTvhpBMt7c+IOn9mRd
                        Ev3PU3m0WFbeb6Uv8VNf+dc2CTFPGBz8DUIS
                        3DEbcUJdoG/5U000f/Kqyjgahr5LQHHJGXU4
                        UAK3Jd1YeBKiCgx9mpE7xwCewspMhutB 
                        ) ; Key ID = 41009
adns1.de.       86400   IN      DNSKEY  256  3  7 ( 
                        AwEAAcbLMvWxXjVvtEoIRg2IT7lzZUCDz9tC
                        2cI2oymrUUawiO0y5aFLQCHeWlr+5HwWjclX
                        O8WSavC+rCTV/QXA60OgGMupXVfO9eZgiaUg
                        nYcX7xTSdQxK4KKRJ3RHPXjWPvRWDpeIwOob
                        gPEB0DvuLBz8onmoEq+kVbpiwq5Hd2jr 
                        ) ; Key ID = 7997
--------------------------------------------------------------------------------
adns1.de.       86400   IN      RRSIG   DNSKEY  7  2  86400  20120614000000 (
                        20120531000000 49353  adns1.de.
                        AgJxEd8XbutXWRJj3oNbqvPjtl8IIdO+HmXqHTjad1m07
                        ZFWkowVAcPYlUuu7hV5lJ6sV0ExojeYp+BxCfYDJzUevw
                        UYplsudwHY6KAZGZzVzYHjXIWH0WLqdJYox9JKnOZ8JJb
                        dzumQiSm7treIMr2mAoSyxFo29nX1Fl5w9jeGpxAQA9v/
                        hSt+IbHjH1vyN1G2vgyj7CQdevbAAhKq4Qli0tyPh51H+
                        d5aw4WztYBkptJ6d5s+1chxtM3x/LPrIxrhhGXJLpjQqr
                        Sd1vtci7YtxI+e2tynVeNKwETKj+ncnXQKgpfLFzppe8S
                        pu+LqJ35QqJ6y/rytKySnsuBW/Q== )
--------------------------------------------------------------------------------
verify: 1
No Error

(Please note that the externally visible production IP is not actually
running powerdns but nsd which gets its data via AXFR)

Btw. I don't understand why pdns-backend-mysql is listed as pn, it is
in fact installed:
# dpkg -l pdns-backend-mysql
ii  pdns-backend-m 3.1-1          generic MySQL backend for PowerDNS

Thanks,
Florian

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-2-amd64 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages pdns-server depends on:
ii  adduser                         3.113+nmu2
ii  debconf [debconf-2.0]           1.5.43
ii  libboost-program-options1.49.0  1.49.0-3
ii  libboost-serialization1.49.0    1.49.0-3
ii  libc6                           2.13-32
ii  libcrypto++9                    5.6.1-6
ii  libgcc1                         1:4.7.0-8
ii  liblua5.1-0                     5.1.5-2
ii  libpolarssl0                    1.1.3-1
ii  libsqlite3-0                    3.7.11-3
ii  libstdc++6                      4.7.0-8
ii  ucf                             3.0025+nmu3
ii  zlib1g                          1:1.2.7.dfsg-1

pdns-server recommends no packages.

Versions of packages pdns-server suggests:
pn  pdns-backend-mysql [pdns-backend]  3.1-1
pn  pdns-recursor                      <none>

-- debconf information excluded
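
Added example, not part of the original report: the "keytag does not match" entries in the verification error above can be reproduced offline by computing each DNSKEY's key tag (RFC 4034, Appendix B) and comparing it with the key tag field of the RRSIG. The keys and RRSIG fields are copied from the output above; the names `key_tag` and `triage` and the input layout are this example's own.

```python
import base64

# DNSKEY RRset from the report's output: (flags, protocol, algorithm, key).
DNSKEYS = [
    (257, 3, 7, """AwEAAcGf3iRl4grAc6JH2uu2FZ85IR34OBZL
        wUK3pTLPsGRtrYflNJSTE3Zz/G+8qQsygmLK
        xs9IB+MPEOtsWtvCcthF5XPAs18imq6Os9zm
        ocYsGMqZCIDVk91L+q0cF61xvt0pLodE1Lhk
        PVw4trSlG/UrVttu21EDcCw6j+HgY16QhD0Z
        f4TAiKolRcVb05WpVn7PAEyejMbqqAZJlthl
        ylxqtAhP0OaTIK80HWKp/Tm13sMR9FqDG9Us
        Yf9jyTeUoZ+9VEyY4xQOgj/p1kJu6tmCg0cy
        azE72GnWaJmtcEgPvswARj+dud6ncYfcQhSy
        gvut/9ELC6NSCPwdMgMCnKc="""),
    (256, 3, 7, """AwEAAc2DV53dOIqxlq+YijjMPoRHoPZzzYKn
        JXcy491RJnTzaPiEGOLTvhpBMt7c+IOn9mRd
        Ev3PU3m0WFbeb6Uv8VNf+dc2CTFPGBz8DUIS
        3DEbcUJdoG/5U000f/Kqyjgahr5LQHHJGXU4
        UAK3Jd1YeBKiCgx9mpE7xwCewspMhutB"""),
    (256, 3, 7, """AwEAAcbLMvWxXjVvtEoIRg2IT7lzZUCDz9tC
        2cI2oymrUUawiO0y5aFLQCHeWlr+5HwWjclX
        O8WSavC+rCTV/QXA60OgGMupXVfO9eZgiaUg
        nYcX7xTSdQxK4KKRJ3RHPXjWPvRWDpeIwOob
        gPEB0DvuLBz8onmoEq+kVbpiwq5Hd2jr"""),
]
# RRSIG fields before the signature, from the same output (layout is this example's assumption).
RRSIG = "DNSKEY 7 2 86400 20120614000000 20120531000000 49353 adns1.de."

def key_tag(flags, protocol, algorithm, key_b64):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm])
    rdata += base64.b64decode("".join(key_b64.split()))
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + (acc >> 16)) & 0xFFFF

def triage(rrsig_fields, dnskeys):
    """Mark which keys the RRSIG can have been made with; only those reach the RSA check."""
    fields = rrsig_fields.split()
    sig_alg, sig_tag = int(fields[1]), int(fields[6])
    report = []
    for flags, protocol, algorithm, key_b64 in dnskeys:
        tag = key_tag(flags, protocol, algorithm, key_b64)
        if tag != sig_tag:
            status = "keytag does not match"
        else:
            status = "candidate" if algorithm == sig_alg else "algorithm does not match"
        report.append((tag, status))
    return report
print(triage(RRSIG, DNSKEYS))
```

Only key 49353 is a candidate, so the single "RSA Verification failed" entry is the real finding; the two "keytag does not match" entries are expected for the other two keys and appear on any server.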


