Hi,
We are getting the following error while verifying the OpenDNSSEC-signed zone file: "A has
signature(s), but is occluded (or glue)".
Following are the test cases done on the OpenDNSSEC server. I am not sure whether it
is a bug or whether we need to follow some procedure to avoid this issue. Please
suggest.
OpenDNSSEC version: opendnssec-2.1.14, SoftHSM version: softhsm-2.6.1
example.com zone file:-
------
$ORIGIN example.com.
$TTL 86400
@ IN SOA ns1.example.com. hostmaster.example.com. (
2025062628 ; serial
7200 ; refresh (2 hours)
3600 ; retry (1 hour)
1209600 ; expire (2 weeks)
3600 ; minimum (1 hour)
)
example.com. 3600 IN NS ns1.dnsp.com.
example.com. 3600 IN NS ns2.dnsp.com.
ns1.dnsp.com. 3600 IN A 192.0.2.1
ns2.dnsp.com. 3600 IN A 192.0.2.2
;child zones
site1.example.com. IN NS ns1.site1.example.com.
site1.example.com. IN NS ns2.site1.example.com.
site2.example.com. IN NS ns1.site1.example.com.
site2.example.com. IN NS ns2.site1.example.com.
ns1.site1.example.com. IN A 192.168.0.1
ns2.site1.example.com. IN A 192.168.0.2
Test case 1: Signing by OpenDNSSEC works fine with the above example.com zone
file. ldns-verify-zone succeeded for the signed zone file without any issue.
Test case 2: From the above zone file, if we remove the child zone entries
"site1.example.com. IN NS ns1.site1.example.com." AND
"site1.example.com. IN NS ns2.site1.example.com.", then the
Signer considers "ns1.site1.example.com. 86400 IN A
192.168.0.1" and "ns2.site1.example.com. IN A 192.168.0.2" as "A"
records, and the signed file has NSEC3 records. Here, ldns-verify-zone
succeeded for the signed zone file and completed.
Test case 3: Now, if we add back the (removed child zone) entries
"site1.example.com. IN NS ns1.site1.example.com." AND
"site1.example.com. IN NS ns2.site1.example.com.", then the
Signer again considers ns1.site1.example.com. and ns2.site1.example.com. as
"A" records and signs them (without NSEC3 records). Here ldns-verify-zone
fails with the following error for the signed zone:
r0ts-dns-ids01:/var/opendnssec/signed# ldns-verify-zone /var/opendnssec/signed/example.com
Error: ns1.site1.example.com. A has signature(s), but is occluded (or glue)
Error: ns2.site1.example.com. A has signature(s), but is occluded (or glue)
There were errors in the zone
Details:-
Test case 2:
Unsigned Zone file: example.com
$ORIGIN example.com.
$TTL 86400
@ IN SOA ns1.example.com. hostmaster.example.com. (
2025062901 ; serial
7200 ; refresh (2 hours)
3600 ; retry (1 hour)
1209600 ; expire (2 weeks)
3600 ; minimum (1 hour)
)
example.com. 3600 IN NS ns1.dnsp.com.
example.com. 3600 IN NS ns2.dnsp.com.
ns1.dnsp.com. 3600 IN A 192.0.2.1
ns2.dnsp.com. 3600 IN A 192.0.2.2
;child zones
site2.example.com. IN NS ns1.site1.example.com.
site2.example.com. IN NS ns2.site1.example.com.
ns1.site1.example.com. IN A 192.168.0.1
ns2.site1.example.com. IN A 192.168.0.2
Signed Zone File:example.com
example.com. 3600 IN SOA ns1.example.com.
hostmaster.example.com. 2025062903 7200 3600 1209600 3600
example.com. 3600 IN RRSIG SOA 13 2 3600 20250713103826
20250629093857 50857 example.com.
X/yOKaNg2nSnRKruh6iw/9+v11AiGIGnfMBmM+/hZ51lu2F/yl3MipaRrVY0XzQRmAUvDWhGY0rLYAlEEaNCMw==
example.com. 3600 IN DNSKEY 257 3 13
95MijHgdYxr1CzIuPE+vdPaWxqKPoAaCGod0hzEa0WugTXSgNgk3XUXklMxbRnWOYBUHbWyw5OmVbuufKDsfeg==
;{id = 41231 (ksk), size = 256b}
example.com. 3600 IN DNSKEY 256 3 13
WEFhn+zqcTg9bTIiUWQfFcZ2+1epiGlZopAlQ6U8lvabGV2+TH0QHY113wbE/YrcNIqYqOEp76uxZpAqWzSlQA==
;{id = 50857 (zsk), size = 256b}
example.com. 3600 IN RRSIG DNSKEY 13 2 3600 20250713102836
20250629092913 41231 example.com.
DYAMbh+yhjEKwqIWzCJWGuj6zxEzZ0eDjceBZ8owP3sposej0ey78xFIrICUNmBW82xyiDbmH9ho2rCSF9ik3g==
example.com. 0 IN NSEC3PARAM 1 0 5 4d91322a387fea14
example.com. 0 IN RRSIG NSEC3PARAM 13 2 0 20250713102908
20250629092913 50857 example.com.
zxNW+KlSKJ5kxdob/krPTB2F0eFX8mJZZUtRU10Oo6U2T9qnLGqnNd3kwJ5iHuQu4PVsQnHTk06rcuUDQ/KLTQ==
example.com. 3600 IN NS ns1.dnsp.com.
example.com. 3600 IN NS ns2.dnsp.com.
example.com. 3600 IN RRSIG NS 13 2 3600 20250713102907
20250629092913 50857 example.com.
tcVd5ekK65yOEKjJFJ5o5/EMOXfCB+5Qk04Wp5nIuwdnsMFPrhCLsps0Tr0vK7sUbjIITnukF+6ldYW3JKRPQg==
1ale25q63qf27j2lrhoqm9um0a3u3e6r.example.com. 3600 IN NSEC3 1 1 5
4d91322a387fea14 6khjs8s1km7q7o0kiuo75681umgi1vne NS SOA RRSIG DNSKEY
NSEC3PARAM
1ale25q63qf27j2lrhoqm9um0a3u3e6r.example.com. 3600 IN RRSIG NSEC3
13 3 3600 20250713103836 20250629093857 50857 example.com.
kQIXRVlVYtnvevX+FXgOB/dSs28sxyxpt3yClLF6ddJX7zcHL71PwECAlQtVciZ84+TeBB0G1ml0DsO3UHbAHQ==
;;Empty non-terminal site1.example.com.
re7jfp9oitl3mdnjo2icnigv84kp0o2k.example.com. 3600 IN NSEC3 1 1 5
4d91322a387fea14 1ale25q63qf27j2lrhoqm9um0a3u3e6r
re7jfp9oitl3mdnjo2icnigv84kp0o2k.example.com. 3600 IN RRSIG NSEC3
13 3 3600 20250713103937 20250629093857 50857 example.com.
KwpkOK2LdtB+k1MkVTXT2tpwQHHE8FGamLzHtsU7ySCWZyMGl9xpkOH/Lag2fQq7ccd3E7/bKP2Uwj+jB5Chsw==
ns1.site1.example.com. 86400 IN A 192.168.0.1
ns1.site1.example.com. 86400 IN RRSIG A 13 4 86400 20250713103810
20250629093857 50857 example.com.
ifDngOBydUkZo9JdAlL8MhqxyYsrXIo5iRXN5bsPSWrFfo0fMNAC3MdluIRoJad5/WpEB5eVwIq7g20fLd1GVQ==
6khjs8s1km7q7o0kiuo75681umgi1vne.example.com. 3600 IN NSEC3 1 1 5
4d91322a387fea14 9mf6b0gr55bvjvt1r7mjhk74oal4o0gf A RRSIG
6khjs8s1km7q7o0kiuo75681umgi1vne.example.com. 3600 IN RRSIG NSEC3
13 3 3600 20250713103903 20250629093857 50857 example.com.
gIAkLHKiIGqPyRZImhY7Eq0oOiyXZQvYHYAEceuBTaSN7WxYtZcdt+JpztJ35tc6dX4eY+rK5CffpGY8hI7y7A==
ns2.site1.example.com. 86400 IN A 192.168.0.2
ns2.site1.example.com. 86400 IN RRSIG A 13 4 86400 20250713103953
20250629093857 50857 example.com.
pKiTdWEWLxWi2BlptnVecYhXde+65JzTmtvBbsWx3KFYxLjDKkEEtOejpujDL8mCW5ssEXjnjiqqnZgj7/TGww==
9mf6b0gr55bvjvt1r7mjhk74oal4o0gf.example.com. 3600 IN NSEC3 1 1 5
4d91322a387fea14 re7jfp9oitl3mdnjo2icnigv84kp0o2k A RRSIG
9mf6b0gr55bvjvt1r7mjhk74oal4o0gf.example.com. 3600 IN RRSIG NSEC3
13 3 3600 20250713103915 20250629093857 50857 example.com.
BNIl/sn22QWiF4KIsS4+jXLPheV/pVDxAT14Lt29kvnyCkv6DFYJAYLbXZT9RmVHLN4q14CABKu4zCuQ7WUyDg==
site2.example.com. 86400 IN NS ns1.site1.example.com.
site2.example.com. 86400 IN NS ns2.site1.example.com.
Test case 3:
Unsigned zone file: example.com
$ORIGIN example.com.
$TTL 86400
@ IN SOA ns1.example.com. hostmaster.example.com. (
2025062901 ; serial
7200 ; refresh (2 hours)
3600 ; retry (1 hour)
1209600 ; expire (2 weeks)
3600 ; minimum (1 hour)
)
example.com. 3600 IN NS ns1.dnsp.com.
example.com. 3600 IN NS ns2.dnsp.com.
ns1.dnsp.com. 3600 IN A 192.0.2.1
ns2.dnsp.com. 3600 IN A 192.0.2.2
;child zones
site1.example.com. IN NS ns1.site1.example.com.
site1.example.com. IN NS ns2.site1.example.com.
site2.example.com. IN NS ns1.site1.example.com.
site2.example.com. IN NS ns2.site1.example.com.
ns1.site1.example.com. IN A 192.168.0.1
ns2.site1.example.com. IN A 192.168.0.2
Signed Zone file: example.com
example.com. 3600 IN SOA ns1.example.com.
hostmaster.example.com. 2025062904 7200 3600 1209600 3600
example.com. 3600 IN RRSIG SOA 13 2 3600 20250713105836
20250629095744 50857 example.com.
TIDrmS7eA9Et/VdX0sCWRN3LO4aT8PymaE4Le4BV8lrBDNc8TaWZEkMAO4ygkpliMNDS/6xlMeDXSYzjHuloVA==
example.com. 3600 IN DNSKEY 257 3 13
95MijHgdYxr1CzIuPE+vdPaWxqKPoAaCGod0hzEa0WugTXSgNgk3XUXklMxbRnWOYBUHbWyw5OmVbuufKDsfeg==
;{id = 41231 (ksk), size = 256b}
example.com. 3600 IN DNSKEY 256 3 13
WEFhn+zqcTg9bTIiUWQfFcZ2+1epiGlZopAlQ6U8lvabGV2+TH0QHY113wbE/YrcNIqYqOEp76uxZpAqWzSlQA==
;{id = 50857 (zsk), size = 256b}
example.com. 3600 IN RRSIG DNSKEY 13 2 3600 20250713102836
20250629092913 41231 example.com.
DYAMbh+yhjEKwqIWzCJWGuj6zxEzZ0eDjceBZ8owP3sposej0ey78xFIrICUNmBW82xyiDbmH9ho2rCSF9ik3g==
example.com. 0 IN NSEC3PARAM 1 0 5 4d91322a387fea14
example.com. 0 IN RRSIG NSEC3PARAM 13 2 0 20250713102908
20250629092913 50857 example.com.
zxNW+KlSKJ5kxdob/krPTB2F0eFX8mJZZUtRU10Oo6U2T9qnLGqnNd3kwJ5iHuQu4PVsQnHTk06rcuUDQ/KLTQ==
example.com. 3600 IN NS ns1.dnsp.com.
example.com. 3600 IN NS ns2.dnsp.com.
example.com. 3600 IN RRSIG NS 13 2 3600 20250713102907
20250629092913 50857 example.com.
tcVd5ekK65yOEKjJFJ5o5/EMOXfCB+5Qk04Wp5nIuwdnsMFPrhCLsps0Tr0vK7sUbjIITnukF+6ldYW3JKRPQg==
1ale25q63qf27j2lrhoqm9um0a3u3e6r.example.com. 3600 IN NSEC3 1 1 5
4d91322a387fea14 1ale25q63qf27j2lrhoqm9um0a3u3e6r NS SOA RRSIG DNSKEY
NSEC3PARAM
1ale25q63qf27j2lrhoqm9um0a3u3e6r.example.com. 3600 IN RRSIG NSEC3
13 3 3600 20250713105659 20250629095744 50857 example.com.
EeyBPLB1tAvIo0DLt3N+QAQDPMu3T54r0eWfR9DyrwsdTv8TRtAOrcf/JdOlDa85fzBdInZCmJf1UXi/ebXXIw==
site1.example.com. 86400 IN NS ns1.site1.example.com.
site1.example.com. 86400 IN NS ns2.site1.example.com.
ns1.site1.example.com. 86400 IN A 192.168.0.1
ns1.site1.example.com. 86400 IN RRSIG A 13 4 86400 20250713103810
20250629093857 50857 example.com.
ifDngOBydUkZo9JdAlL8MhqxyYsrXIo5iRXN5bsPSWrFfo0fMNAC3MdluIRoJad5/WpEB5eVwIq7g20fLd1GVQ==
ns2.site1.example.com. 86400 IN A 192.168.0.2
ns2.site1.example.com. 86400 IN RRSIG A 13 4 86400 20250713103953
20250629093857 50857 example.com.
pKiTdWEWLxWi2BlptnVecYhXde+65JzTmtvBbsWx3KFYxLjDKkEEtOejpujDL8mCW5ssEXjnjiqqnZgj7/TGww==
site2.example.com. 86400 IN NS ns1.site1.example.com.
site2.example.com. 86400 IN NS ns2.site1.example.com.
r0ts-dns-ids01:/var/opendnssec/signed# ldns-verify-zone /var/opendnssec/signed/example.com
Error: ns1.site1.example.com. A has signature(s), but is occluded (or glue)
Error: ns2.site1.example.com. A has signature(s), but is occluded (or glue)
There were errors in the zone
Thanks
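The check that ldns-verify-zone is applying here is a structural one: once site1.example.com. has an NS RRset, it is a zone cut, and every name below it (ns1.site1.example.com., ns2.site1.example.com.) is glue from the parent's point of view, so the parent must not sign it. Note in the test-case-3 output that the two RRSIG A records carry exactly the same inception, expiration and signature data as in test case 2, i.e. they are the signatures made while those names were still authoritative and were kept when the cut reappeared. The script below is an added example, not OpenDNSSEC or ldns code; it reimplements the occlusion rule in simplified form (one RR per line, fully qualified owners, signature data replaced by a placeholder) and also reports the opposite defect, an authoritative RRset with no RRSIG, so both test-case shapes can be checked from the same constructed sample. The sample deliberately leaves ns2.site1.example.com. unsigned so that both checks fire.

```python
"""Which RRSIGs in a signed zone sit on occluded names (below a zone cut, i.e. glue),
and which authoritative RRsets carry no RRSIG at all.

Added example, not OpenDNSSEC or ldns code. Input is zone presentation format with
one RR per line and fully qualified owner names; the sample below is constructed
from the test-case-3 output, with signature data replaced by the placeholder SIG==.
"""
from typing import NamedTuple


class RR(NamedTuple):
    owner: str
    ttl: int
    rtype: str
    rdata: tuple  # whitespace-split rdata fields; for RRSIG, rdata[0] is the covered type


def parse_zone(text: str) -> list:
    """Parse 'owner ttl class type rdata...' lines; comments and blank lines are skipped."""
    rrs = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        owner, ttl, _cls, rtype, *rdata = line.split()
        rrs.append(RR(owner.lower(), int(ttl), rtype.upper(), tuple(rdata)))
    return rrs


def delegation_points(rrs: list, apex: str) -> set:
    """Every owner other than the apex that holds an NS RRset starts a zone cut."""
    return {rr.owner for rr in rrs if rr.rtype == "NS" and rr.owner != apex.lower()}


def below_cut(name: str, cuts: set) -> bool:
    """True if name is a strict subdomain of some delegation point (glue territory)."""
    return any(name.endswith("." + cut) for cut in cuts)


# At a delegation point the parent zone is authoritative only for DS and for the
# NSEC/NSEC3 proving what exists there; the NS set (and any glue) belongs to the child.
AUTHORITATIVE_AT_CUT = {"DS", "NSEC", "NSEC3"}


def find_occluded_signatures(text: str, apex: str) -> list:
    """Sorted (owner, covered type) pairs for RRSIGs over non-authoritative data,
    the condition ldns-verify-zone reports as 'has signature(s), but is occluded (or glue)'."""
    rrs = parse_zone(text)
    cuts = delegation_points(rrs, apex)
    bad = set()
    for rr in rrs:
        if rr.rtype != "RRSIG":
            continue
        covered = rr.rdata[0].upper()
        if below_cut(rr.owner, cuts) or (rr.owner in cuts and covered not in AUTHORITATIVE_AT_CUT):
            bad.add((rr.owner, covered))
    return sorted(bad)


def find_unsigned_authoritative(text: str, apex: str) -> list:
    """Sorted (owner, type) RRsets that are authoritative in this zone but have no RRSIG."""
    rrs = parse_zone(text)
    cuts = delegation_points(rrs, apex)
    rrsets, signed = set(), set()
    for rr in rrs:
        if rr.rtype == "RRSIG":
            signed.add((rr.owner, rr.rdata[0].upper()))
        elif below_cut(rr.owner, cuts):
            continue  # glue: never signed by the parent
        elif rr.owner in cuts and rr.rtype not in AUTHORITATIVE_AT_CUT:
            continue  # the child's NS set at the cut: never signed by the parent
        else:
            rrsets.add((rr.owner, rr.rtype))
    return sorted(rrsets - signed)


# Constructed sample modelled on the test-case-3 signed zone (DNSKEY/NSEC3 data omitted).
# ns2.site1.example.com. is deliberately left unsigned to exercise both checks.
SAMPLE_SIGNED_ZONE = """\
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2025062904 7200 3600 1209600 3600
example.com. 3600 IN RRSIG SOA 13 2 3600 20250713105836 20250629095744 50857 example.com. SIG==
example.com. 3600 IN NS ns1.dnsp.com.
example.com. 3600 IN NS ns2.dnsp.com.
example.com. 3600 IN RRSIG NS 13 2 3600 20250713102907 20250629092913 50857 example.com. SIG==
site1.example.com. 86400 IN NS ns1.site1.example.com.
site1.example.com. 86400 IN NS ns2.site1.example.com.
ns1.site1.example.com. 86400 IN A 192.168.0.1
ns1.site1.example.com. 86400 IN RRSIG A 13 4 86400 20250713103810 20250629093857 50857 example.com. SIG==
ns2.site1.example.com. 86400 IN A 192.168.0.2
site2.example.com. 86400 IN NS ns1.site1.example.com.
site2.example.com. 86400 IN NS ns2.site1.example.com.
"""


def without_site1_cut(text: str) -> str:
    """Constructed variant matching test case 2: the site1 delegation is removed, so the
    ns1/ns2.site1 names become authoritative in example.com and must be signed."""
    return "\n".join(l for l in text.splitlines() if not l.startswith("site1.example.com. "))


if __name__ == "__main__":
    apex = "example.com."
    for label, zone in (("with site1 cut", SAMPLE_SIGNED_ZONE),
                        ("without site1 cut", without_site1_cut(SAMPLE_SIGNED_ZONE))):
        print(label, "occluded signatures:", find_occluded_signatures(zone, apex))
        print(label, "unsigned authoritative:", find_unsigned_authoritative(zone, apex))
```

With the site1 cut present, the only finding is the signature on ns1.site1.example.com. A (the same class of error the post shows); with the cut removed, that signature is legitimate and the finding flips to ns2.site1.example.com. A being an unsigned authoritative RRset. The two results illustrate why the same A records are correct to sign in test case 2 and wrong to sign in test case 3: their status depends entirely on whether an NS RRset exists at site1.example.com., so a signer that keeps old RRSIGs across that transition produces exactly the zone ldns-verify-zone rejects.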
_______________________________________________
Opendnssec-user mailing list
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user