-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ondřej Surý wrote:
> Hi,
>
> I got a report from one of our registrars that there is a problem
> with validating mx.smtp.cz, which validates just fine on bind9.
>
> [1224510842] unbound[30691:0] info: super is <mx.smtp.cz. A IN>
> [1224510842] unbound[30691:0] debug: attempt DS match algo 5 keytag 28371
> [1224510842] unbound[30691:0] debug: DS match digest ok, trying signature
> [1224510842] unbound[30691:0] debug: verify: wrong key for rrsig
> [1224510842] unbound[30691:0] debug: rrset failed to verify: all signatures are bogus
> [1224510842] unbound[30691:0] debug: Failed to match any usable DS to a DNSKEY.
> [1224510842] unbound[30691:0] info: Did not match a DS to a DNSKEY, thus bogus.
> [1224510842] unbound[30691:0] debug: validator[module 0] operate: extstate:module_wait_subquery event:module_event_pass
> [1224510842] unbound[30691:0] info: validator operate: query <mx.smtp.cz. A IN>
> [1224510842] unbound[30691:0] debug: val handle processing q with state VAL_VALIDATE_STATE
> [1224510842] unbound[30691:0] info: Could not establish a chain of trust to keys for <smtp.cz. DNSKEY IN>
> [1224510842] unbound[30691:0] debug: val handle processing q with state VAL_FINISHED_STATE
> [1224510842] unbound[30691:0] debug: mesh_run: validator module exit state is module_finished
>
> and
>
> [1224661793] unbound[11166:0] debug: attempt DS match algo 5 keytag 28371
> [1224661793] unbound[11166:0] debug: DS match digest ok, trying signature
> [1224661793] unbound[11166:0] debug: verify: wrong key for rrsig
>
> They tried the latest SVN and still without success. Wouter, could you take
> a look at this? I manually checked if everything is OK and it looks ok
> for my plain sight.
>
> Ondrej

Hi Ondrej,

Took a look. What turns out is that it complains that the RRSIG over the
DNSKEY has a bad signer name. This turns out to be correct. The smtp.cz
DNSKEY RRSIG has a signer name of ".". This should be "smtp.cz", since it
is self-signed.

From below the line:

smtp.cz. 300 IN RRSIG DNSKEY 5 2 300 20081121224842 20081022224842 28371 .

Should have ended with smtp.cz. This is why the validation fails. I cannot
say why BIND accepts a bad signer name.

Best regards,
   Wouter

dig @81.31.37.213 smtp.cz. IN DNSKEY +dnssec

; <<>> DiG 9.5.0-P2 <<>> @81.31.37.213 smtp.cz. IN DNSKEY +dnssec
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61233
;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 3, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;smtp.cz.                       IN      DNSKEY

;; ANSWER SECTION:
smtp.cz.                300     IN      DNSKEY  256 3 5 AwEAAdhkMxcEg/llTxFXfQy0GDnkZb5ZziYnAl9+aaYlMLK1XUk66zeo
                                        fy2eTWR+pAz6/elohBWSnxVPEPLBD0H5JhsviyNTxcZXFb+s08vBf4jT
                                        JNTHQQAdY70yAdOYGvTpKRNKn4p8gausx/57sZybyJPrMgKgAOwl59Ij
                                        y/YPRiJ9
smtp.cz.                300     IN      DNSKEY  257 3 5 AQO1gtiQNJnn/9e5cR76I3Tn1ziRs/p4Ba3wq5jvY1ZOAEfulGBxZy59
                                        qj3iLWVyWd5dzYF1KqBES6oToCGxMXmVAP+QIAUCjWR71kwlTyCpg7ZM
                                        d2PrcGjAzqPOoFlR7vdYGpIslzbwI71OOZQ7CVLDR8slR16qOMC8Yai8
                                        IM9dtmptPRPCEdhM/3T576uPtZGVgGFdCixI9XeN3p8q38FsE7T0wbEU
                                        YZBwF1AUrlo2T2d9/6v8wdktxGemxPAX6mXWOYfE3xY0zkoAwcHt5HiB
                                        1d/cOr6JB0gJto6gHkfBccIlU/2cJ/Bg3K6A3ER8uPFcCGCuMOA2Qb62
                                        IDg0XCA76bJlh1BocPzAjlG8beI9dJz3CZTIW0apneNb4lGyGVmAc2Gx
                                        vrL/y7GHe9UfwqTnKzXDJcCzKahRNB9xD9TCuUIyChinnxys4BXcGRjM
                                        EwPttihgdWjFKDXEWgY7QAMAL1s+hQzWM5TZ2FhSw+tlH4GuH+saeVJ4
                                        0bdppsqXLD8gwrG9bH6lX6Hu/SIG89WLTC08+mbhg1GDXvti9p/Y4u+E
                                        fV69eAG85y9F/tOYvR9Us0llWzg2gtnJr1y/qCgT9bVsyp6xGAd30H0Z
                                        0pYr/xXzb4TnKVWZoZGEPdh47dAteFW0R+37Nl62l7dOuunQgzY/RQVl
                                        i3+fG1Gxizn0tQ==
smtp.cz.                300     IN      RRSIG   DNSKEY 5 2 300 20081121224842 20081022224842 25812 smtp.cz. 2BV1HCxoDAdADeyPjQzqtSID2RNUb4MEOgdx5vPyDHo1et/Lxu+w3v/R
                                        UzJteuYva/e+9Tr6ixolMIpVfbzFTMdFWT8+gprbiihZ6lm91TFmAKMN
                                        Q3yTqxJZ769/J6hrwzMJ63f45YTnb1BJfjW/fI0clNPP3WZAoZ5rJvCI
                                        9Ao=
smtp.cz.                300     IN      RRSIG   DNSKEY 5 2 300 20081121224842 20081022224842 28371 . tQMSSQy4VQZqcbSEXcXvOwu9Z0kR4qwNo/U0d0fGuwyKQn23/9xzWlmX
                                        yVihHjvXP6RGxoit/sTIvFZI3498/pzCaDqLJsXjI6aU9k6ERwOtknt6
                                        nAjkaS6oJkUODrIo0t3rxvVG/HCnLK7EM1BDFhs5fd+1EI0LR3ZgCpIg
                                        XjKiFe6+CoDTBAIdamnx9xR6N9SXyjdVsbKK3Tmzh+GsRf1du3rchmXc
                                        FIQc1ua1WK8heqYNV8qTNq1NIlx4oy+OoDZdaef6E0R61zSsvT4guXnC
                                        qBGgEUkpvBy8bEuo7YmmuEAmNDBYPsOBISUQxUMrMU1qLbIsfCjsturo
                                        45UPg/GIVqPo4kthpLWHw0h+nz8cJLm6gGNUh2P/I3GYXngr9o4vyXns
                                        GH/DbHDb4Q1rXJ1kODFoWBbSjCJ1fChQ/+Rmbrq2/xqBv43I4sm9W6yX
                                        Qbp5Ydydyg+X0YBmrByBNmoq0cZZ0XUukU3MDs5TaAjV6P+qCqjr4u+Z
                                        XsIpcE+tmPm6tlK5fCK+GBDvX4caeSJQwtitGaNRNetvkyMeW8p+ErbK
                                        H5LA2q6bpS+PGkxcgYRG8bk5G+zQRdGhS9DJVGYDI8k4MrKRyAyxJgJ1
                                        u/kxObkoWvvxFHiqzzUJMiRSeUT5gMT2EBGCXtFd9UmybM8X8Qt5jjvT
                                        G+wT1VmlUpw=

;; AUTHORITY SECTION:
smtp.cz.                86400   IN      NS      ns.dns4.cz.
smtp.cz.                86400   IN      NS      ns.dns4.net.
smtp.cz.                86400   IN      RRSIG   NS 5 2 86400 20081121224842 20081022224842 25812 smtp.cz. VzO3E7jApr/Pg7JZWM/XNWMM8NwFV628RZdmVJe/7NQya5hUgxON+LF0
                                        nNPs09mA/lTzR0NQayz1T2M4ZgnxZsR3ayITFjVvRv+9vW6uLnBZDoQj
                                        gMf1+4CGv/ZnXRrgNrg3Dz6qc3W/UHUTgbUCZHpdWCUO+6JQX/PW28pn
                                        RRk=

;; ADDITIONAL SECTION:
ns.dns4.net.            86400   IN      A       81.31.37.213
ns.dns4.cz.             86400   IN      A       81.95.96.2

;; Query time: 27 msec
;; SERVER: 81.31.37.213#53(81.31.37.213)
;; WHEN: Thu Oct 23 12:46:18 2008
;; MSG SIZE  rcvd: 1670

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkkAVpkACgkQkDLqNwOhpPiJfQCgsTkeAX/7qhH/BVCms1jfKWi6
UCAAoIhtz89rZRVfAZSx4EjIV2CNR7hL
=P70U
-----END PGP SIGNATURE-----
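The diagnosis in the reply above comes down to one RRSIG header field: RFC 4035 section 5.3.1 requires the Signer's Name of an RRSIG to be the name of the zone that contains the RRset, so the RRSIG over the smtp.cz DNSKEY RRset must carry the signer smtp.cz., not ".". A validator can reject such a record before it spends any time on the RSA verify. The following script is an added example written for this thread, not code from unbound, BIND or the original message. It parses RRSIG presentation lines, applies the header checks a validator performs ahead of signature verification (signer name equals the zone apex the resolver chained to, DNSKEY RRset signed under its own name, Labels field not larger than the owner's label count, TTL within the original TTL, validity window) and runs them over the three RRSIGs from the dig output above. The sample lines are constructed from that output with the base64 signature data truncated, the zone name smtp.cz. is assumed to be the apex the resolver chained to via the DS record, and the dig WHEN timestamp is assumed to be UTC.

```python
"""Check RRSIG header fields against the zone they claim to sign.

Added example for the unbound-users thread above; not code from unbound,
BIND or the original message.  The checks mirror RFC 4035 section 5.3.1
as applied before any cryptographic verification is attempted.
"""
import re
from datetime import datetime, timezone

# Constructed sample: the three RRSIGs from the dig answer above, with the
# base64 signature data cut short (only header fields are examined here).
SAMPLE = """\
smtp.cz. 300 IN RRSIG DNSKEY 5 2 300 20081121224842 20081022224842 25812 smtp.cz. 2BV1HCxo...
smtp.cz. 300 IN RRSIG DNSKEY 5 2 300 20081121224842 20081022224842 28371 . tQMSSQy4...
smtp.cz. 86400 IN RRSIG NS 5 2 86400 20081121224842 20081022224842 25812 smtp.cz. VzO3E7jA...
"""

# Assumed "now": the dig WHEN timestamp from the thread, taken as UTC.
DIG_TIME = datetime(2008, 10, 23, 12, 46, 18, tzinfo=timezone.utc)

# owner ttl IN RRSIG covered alg labels orig_ttl expire incept keytag signer sig
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+RRSIG\s+(?P<covered>\S+)\s+"
    r"(?P<alg>\d+)\s+(?P<labels>\d+)\s+(?P<orig_ttl>\d+)\s+"
    r"(?P<expire>\d{14})\s+(?P<incept>\d{14})\s+(?P<keytag>\d+)\s+"
    r"(?P<signer>\S+)\s+(?P<sig>\S.*)$"
)


def parse_rrsig(line):
    """Parse one RRSIG presentation-format line into a dict of its fields."""
    m = RRSIG_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an RRSIG line: {line!r}")
    rr = m.groupdict()
    for k in ("ttl", "alg", "labels", "orig_ttl", "keytag"):
        rr[k] = int(rr[k])
    for k in ("expire", "incept"):  # YYYYMMDDHHmmSS, always UTC per RFC 4034
        rr[k] = datetime.strptime(rr[k], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return rr


def canon(name):
    """Comparison form: lower-case, trailing dot removed ('.' becomes '')."""
    return name.rstrip(".").lower()


def label_count(name):
    """Labels excluding the root: 'smtp.cz.' -> 2, 'mx.smtp.cz.' -> 3, '.' -> 0."""
    n = canon(name)
    return 0 if not n else n.count(".") + 1


def in_zone(owner, zone):
    """True if owner is the zone apex or lies below it."""
    o, z = canon(owner), canon(zone)
    return z == "" or o == z or o.endswith("." + z)


def check_rrsig(rr, zone, now=DIG_TIME):
    """Return a list of problems; empty means the header fields are consistent
    with an RRSIG made by `zone`, the apex the validator chained to via DS."""
    problems = []
    if canon(rr["signer"]) != canon(zone):
        problems.append(f"signer {rr['signer']} is not the zone {zone} "
                        f"containing {rr['owner']} (RFC 4035 5.3.1)")
    if rr["covered"] == "DNSKEY" and canon(rr["owner"]) != canon(rr["signer"]):
        problems.append("DNSKEY RRset must be signed under its own apex name")
    if not in_zone(rr["owner"], zone):
        problems.append(f"owner {rr['owner']} lies outside zone {zone}")
    if rr["labels"] > label_count(rr["owner"]):
        problems.append(f"labels field {rr['labels']} exceeds owner label count")
    if rr["ttl"] > rr["orig_ttl"]:
        problems.append("TTL exceeds original TTL")
    if not rr["incept"] <= now <= rr["expire"]:
        problems.append("outside validity window")
    return problems


def audit(text, zone, now=DIG_TIME):
    """Check every RRSIG line in text; map (covered, keytag, signer) -> problems."""
    result = {}
    for line in text.splitlines():
        if " RRSIG " not in line:
            continue
        rr = parse_rrsig(line)
        result[(rr["covered"], rr["keytag"], rr["signer"])] = check_rrsig(rr, zone, now)
    return result


if __name__ == "__main__":
    for key, problems in audit(SAMPLE, "smtp.cz.").items():
        print(key, "OK" if not problems else "; ".join(problems))
```

Run against the sample, the two RRSIGs by key 25812 pass and the one by key 28371 is flagged on the signer name alone, which is the record unbound refused to use for the DS-to-DNSKEY match. The zone apex is passed in explicitly because a validator learns it from the delegation chain, not from the response being checked; trusting the RRSIG's own signer field to decide which zone it belongs to would defeat the check.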