Ticket #373 (closed defect: invalid)

Opened 2 years ago

Last modified 10 months ago

Wrong DNSSEC Key type when going to NSEC3

Reported by: anon
Owned by: ahu
Priority: normal
Milestone:
Component: auth
Version: 3.0
Severity: normal
Keywords:
Cc:

Description

When you secure a zone it adds an

RSA/SHA-256 key

Then, when you do set-nsec3, the keys are still RSA/SHA-256 keys, but they should be RSASHA1-NSEC3-SHA1 keys.

You have to delete all the keys and then add them in again after your set-nsec3;

any new keys are of the right type.

If you set-nsec3 before the secure-zone, the key type is still RSA/SHA-256 instead of RSASHA1-NSEC3-SHA1.

Change History

Changed 2 years ago by anon

pdnssec.cc (secureZone) has a hardcoded key type,

i.e. if(!dk.secureZone(zone,8)) + 2 other places.

Changing to secureZone(zone,5) + the 2 other places below it will add

RSASHA1 by default and NSEC3RSASHA1 if you enable NSEC3 on a zone before you secure it.

This seems to be the default with other implementations, rather than using SHA-256, which is not compatible with NSEC3 (RFC 5155).

Also, we have to add to pdnssec the ability to choose the key type, and also whether it is compatible with NSEC3 when the zone is secured initially.

Changed 2 years ago by ahu

  • owner changed from somebody to ahu
  • status changed from new to assigned

I can't reproduce this, sorry. The database still says 5, but the outside sees 7. Can you confirm? pdnssec show-zone also shows things correctly.

Changed 14 months ago by peter

  • version set to 3.0
  • component changed from component1 to auth

Changed 10 months ago by peter

  • status changed from assigned to closed
  • resolution set to invalid

RSASHA256 supports NSEC3, actually. Closing ticket as invalid.

(While investigating this I did find that while secure-zone defaults to RSASHA256, add-zone-key did not. This is fixed in r2692).
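To make the resolution concrete, here is an added example (not PowerDNS code, and not the reporter's) that applies the RFC 5155 algorithm rule to the DNSKEY algorithm numbers at issue in this ticket. The algorithm numbers come from the IANA DNS Security Algorithm Numbers registry; the 5 -> 7 translation in published_algorithm() mirrors what ahu reports above ("the database still says 5, but the outside sees 7") and is not a claim about PowerDNS internals; the DNSKEY lines and key material in SAMPLE_ZONE are constructed for the example.

```python
# Added example (not PowerDNS code): which DNSKEY algorithm numbers
# RFC 5155 permits in an NSEC3-signed zone, and the 5 -> 7 alias
# translation behind "the database says 5, the outside sees 7".
import re

# IANA "DNS Security Algorithm Numbers", the entries relevant here.
ALG_NAMES = {
    3: "DSA",
    5: "RSASHA1",
    6: "DSA-NSEC3-SHA1",
    7: "RSASHA1-NSEC3-SHA1",
    8: "RSASHA256",
    10: "RSASHA512",
    13: "ECDSAP256SHA256",
    14: "ECDSAP384SHA384",
}

# RFC 5155 defines 6 and 7 as NSEC3-signalling aliases of 3 and 5: a
# resolver that predates NSEC3 treats a zone signed with 6/7 as insecure
# instead of bogus. Algorithms 8 and up postdate NSEC3, so any resolver
# that knows them also knows NSEC3; they need no alias and are fine with
# NSEC3, which is why RSASHA256 (8) is a valid choice for an NSEC3 zone.
NSEC3_ALIAS = {3: 6, 5: 7}
NSEC_ONLY = frozenset(NSEC3_ALIAS)   # {3, 5}: must not appear in an NSEC3 zone


def nsec3_compatible(alg):
    """True if a DNSKEY with this algorithm number may be published in an NSEC3 zone."""
    return alg not in NSEC_ONLY


def published_algorithm(stored_alg, nsec3):
    """Algorithm number that belongs in the DNSKEY/RRSIG on the wire.

    With NSEC3 enabled, a stored 3 or 5 is presented as its alias 6 or 7
    (the behaviour ahu describes above; assumed here, not verified against
    the PowerDNS source). Every other number is unchanged.
    """
    return NSEC3_ALIAS.get(stored_alg, stored_alg) if nsec3 else stored_alg


# Presentation-format DNSKEY: owner [ttl] [class] DNSKEY flags protocol algorithm key
DNSKEY_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?DNSKEY\s+"
    r"(?P<flags>\d+)\s+(?P<proto>\d+)\s+(?P<alg>\d+)\s+(?P<key>\S+)"
)


def parse_dnskeys(zone_text):
    """Extract (owner, flags, algorithm) from DNSKEY lines; ignore everything else."""
    keys = []
    for line in zone_text.splitlines():
        m = DNSKEY_RE.match(line.strip())
        if m:
            keys.append((m["owner"], int(m["flags"]), int(m["alg"])))
    return keys


def audit_dnskeys(zone_text, nsec3):
    """Return one (owner, flags, algorithm, verdict) tuple per DNSKEY in the zone."""
    report = []
    for owner, flags, alg in parse_dnskeys(zone_text):
        name = ALG_NAMES.get(alg, "alg%d" % alg)
        if nsec3 and not nsec3_compatible(alg):
            alias = NSEC3_ALIAS[alg]
            verdict = "BAD: %s is NSEC-only; an NSEC3 zone must publish %s (%d)" % (
                name, ALG_NAMES[alias], alias)
        else:
            verdict = "OK: %s is usable with %s" % (name, "NSEC3" if nsec3 else "NSEC")
        report.append((owner, flags, alg, verdict))
    return report


# Constructed sample, not real keys: a KSK/ZSK pair plus one stale ZSK, as a
# zone switched to NSEC3 without re-keying might publish them.
SAMPLE_ZONE = """\
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 1 7200 900 1209600 3600
example.com. 3600 IN DNSKEY 257 3 8 AwEAAbKSK...
example.com. 3600 IN DNSKEY 256 3 5 AwEAAbZSKold...
example.com. 3600 IN DNSKEY 256 3 7 AwEAAbZSKnew...
"""

if __name__ == "__main__":
    for row in audit_dnskeys(SAMPLE_ZONE, nsec3=True):
        print("%s flags=%d alg=%d %s" % row)
```

Run against a real zone by pasting the output of `dig +norecurse DNSKEY example.com` (or pdnssec show-zone) into SAMPLE_ZONE: an NSEC3 zone whose DNSKEY set contains algorithm 3 or 5 is the misconfiguration the reporter was worried about; algorithm 8 in an NSEC3 zone is not.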
