Maintained by: NLnet Labs

[Unbound-users] Error validating mx.smtp.cz

Wouter Wijngaards
Thu Oct 23 12:48:57 CEST 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ondřej Surý wrote:
> Hi,
> 
> I got report from one of our registrars, that there is a problem
> with validating mx.smtp.cz, which validates just fine on bind9.
> 
> [1224510842] unbound[30691:0] info: super is <mx.smtp.cz. A IN>
> [1224510842] unbound[30691:0] debug: attempt DS match algo 5 keytag 28371
> [1224510842] unbound[30691:0] debug: DS match digest ok, trying signature
> [1224510842] unbound[30691:0] debug: verify: wrong key for rrsig
> [1224510842] unbound[30691:0] debug: rrset failed to verify: all
> signatures are bogus
> [1224510842] unbound[30691:0] debug: Failed to match any usable DS to a DNSKEY.
> [1224510842] unbound[30691:0] info: Did not match a DS to a DNSKEY, thus bogus.
> [1224510842] unbound[30691:0] debug: validator[module 0] operate:
> extstate:module_wait_subquery event:module_event_pass
> [1224510842] unbound[30691:0] info: validator operate: query <mx.smtp.cz. A IN>
> [1224510842] unbound[30691:0] debug: val handle processing q with
> state VAL_VALIDATE_STATE
> [1224510842] unbound[30691:0] info: Could not establish a chain of
> trust to keys for <smtp.cz. DNSKEY IN>
> [1224510842] unbound[30691:0] debug: val handle processing q with
> state VAL_FINISHED_STATE
> [1224510842] unbound[30691:0] debug: mesh_run: validator module exit
> state is module_finished
> 
> and
> 
> [1224661793] unbound[11166:0] debug: attempt DS match algo 5 keytag 28371
> [1224661793] unbound[11166:0] debug: DS match digest ok, trying signature
> [1224661793] unbound[11166:0] debug: verify: wrong key for rrsig
> 
> They tried last SVN and still without success.  Wouter, could you take
> a look at this?  I manually checked if everything is OK and it looks ok
> for my plain sight.
> 
> Ondrej

Hi Ondrej,

Took a look.

And what turns out is that it complains that the RRSIG over the DNSKEY
has a bad signer name.  This turns out the be correct.

The smtp.cz DNSKEY RRSIG has a signer name of ".".  This should be
"smtp.cz", since it is self-signed.

- From below the line:
smtp.cz.		300	IN	RRSIG	DNSKEY 5 2 300 20081121224842 20081022224842 28371 .

Should have ended with smtp.cz.

This is why the validation fails.  I cannot say why BIND accept a bad
signer name.

Best regards,
   Wouter


dig @81.31.37.213 smtp.cz.     IN      DNSKEY +dnssec

; <<>> DiG 9.5.0-P2 <<>> @81.31.37.213 smtp.cz. IN DNSKEY +dnssec
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61233
;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 3, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;smtp.cz.			IN	DNSKEY

;; ANSWER SECTION:
smtp.cz.		300	IN	DNSKEY	256 3 5
AwEAAdhkMxcEg/llTxFXfQy0GDnkZb5ZziYnAl9+aaYlMLK1XUk66zeo
fy2eTWR+pAz6/elohBWSnxVPEPLBD0H5JhsviyNTxcZXFb+s08vBf4jT
JNTHQQAdY70yAdOYGvTpKRNKn4p8gausx/57sZybyJPrMgKgAOwl59Ij y/YPRiJ9
smtp.cz.		300	IN	DNSKEY	257 3 5
AQO1gtiQNJnn/9e5cR76I3Tn1ziRs/p4Ba3wq5jvY1ZOAEfulGBxZy59
qj3iLWVyWd5dzYF1KqBES6oToCGxMXmVAP+QIAUCjWR71kwlTyCpg7ZM
d2PrcGjAzqPOoFlR7vdYGpIslzbwI71OOZQ7CVLDR8slR16qOMC8Yai8
IM9dtmptPRPCEdhM/3T576uPtZGVgGFdCixI9XeN3p8q38FsE7T0wbEU
YZBwF1AUrlo2T2d9/6v8wdktxGemxPAX6mXWOYfE3xY0zkoAwcHt5HiB
1d/cOr6JB0gJto6gHkfBccIlU/2cJ/Bg3K6A3ER8uPFcCGCuMOA2Qb62
IDg0XCA76bJlh1BocPzAjlG8beI9dJz3CZTIW0apneNb4lGyGVmAc2Gx
vrL/y7GHe9UfwqTnKzXDJcCzKahRNB9xD9TCuUIyChinnxys4BXcGRjM
EwPttihgdWjFKDXEWgY7QAMAL1s+hQzWM5TZ2FhSw+tlH4GuH+saeVJ4
0bdppsqXLD8gwrG9bH6lX6Hu/SIG89WLTC08+mbhg1GDXvti9p/Y4u+E
fV69eAG85y9F/tOYvR9Us0llWzg2gtnJr1y/qCgT9bVsyp6xGAd30H0Z
0pYr/xXzb4TnKVWZoZGEPdh47dAteFW0R+37Nl62l7dOuunQgzY/RQVl i3+fG1Gxizn0tQ==
smtp.cz.		300	IN	RRSIG	DNSKEY 5 2 300 20081121224842 20081022224842
25812 smtp.cz. 2BV1HCxoDAdADeyPjQzqtSID2RNUb4MEOgdx5vPyDHo1et/Lxu+w3v/R
UzJteuYva/e+9Tr6ixolMIpVfbzFTMdFWT8+gprbiihZ6lm91TFmAKMN
Q3yTqxJZ769/J6hrwzMJ63f45YTnb1BJfjW/fI0clNPP3WZAoZ5rJvCI 9Ao=
smtp.cz.		300	IN	RRSIG	DNSKEY 5 2 300 20081121224842 20081022224842
28371 . tQMSSQy4VQZqcbSEXcXvOwu9Z0kR4qwNo/U0d0fGuwyKQn23/9xzWlmX
yVihHjvXP6RGxoit/sTIvFZI3498/pzCaDqLJsXjI6aU9k6ERwOtknt6
nAjkaS6oJkUODrIo0t3rxvVG/HCnLK7EM1BDFhs5fd+1EI0LR3ZgCpIg
XjKiFe6+CoDTBAIdamnx9xR6N9SXyjdVsbKK3Tmzh+GsRf1du3rchmXc
FIQc1ua1WK8heqYNV8qTNq1NIlx4oy+OoDZdaef6E0R61zSsvT4guXnC
qBGgEUkpvBy8bEuo7YmmuEAmNDBYPsOBISUQxUMrMU1qLbIsfCjsturo
45UPg/GIVqPo4kthpLWHw0h+nz8cJLm6gGNUh2P/I3GYXngr9o4vyXns
GH/DbHDb4Q1rXJ1kODFoWBbSjCJ1fChQ/+Rmbrq2/xqBv43I4sm9W6yX
Qbp5Ydydyg+X0YBmrByBNmoq0cZZ0XUukU3MDs5TaAjV6P+qCqjr4u+Z
XsIpcE+tmPm6tlK5fCK+GBDvX4caeSJQwtitGaNRNetvkyMeW8p+ErbK
H5LA2q6bpS+PGkxcgYRG8bk5G+zQRdGhS9DJVGYDI8k4MrKRyAyxJgJ1
u/kxObkoWvvxFHiqzzUJMiRSeUT5gMT2EBGCXtFd9UmybM8X8Qt5jjvT G+wT1VmlUpw=

;; AUTHORITY SECTION:
smtp.cz.		86400	IN	NS	ns.dns4.cz.
smtp.cz.		86400	IN	NS	ns.dns4.net.
smtp.cz.		86400	IN	RRSIG	NS 5 2 86400 20081121224842 20081022224842
25812 smtp.cz. VzO3E7jApr/Pg7JZWM/XNWMM8NwFV628RZdmVJe/7NQya5hUgxON+LF0
nNPs09mA/lTzR0NQayz1T2M4ZgnxZsR3ayITFjVvRv+9vW6uLnBZDoQj
gMf1+4CGv/ZnXRrgNrg3Dz6qc3W/UHUTgbUCZHpdWCUO+6JQX/PW28pn RRk=

;; ADDITIONAL SECTION:
ns.dns4.net.		86400	IN	A	81.31.37.213
ns.dns4.cz.		86400	IN	A	81.95.96.2

;; Query time: 27 msec
;; SERVER: 81.31.37.213#53(81.31.37.213)
;; WHEN: Thu Oct 23 12:46:18 2008
;; MSG SIZE  rcvd: 1670

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkkAVpkACgkQkDLqNwOhpPiJfQCgsTkeAX/7qhH/BVCms1jfKWi6
UCAAoIhtz89rZRVfAZSx4EjIV2CNR7hL
=P70U
-----END PGP SIGNATURE-----