Issue created Nov 17, 2021 by Mark Andrews@markaDeveloper

Broken ECDSA signatures may be generated with certain private keys

See below for what is currently believed to be the actual culprit behind intermittent validation failures occurring in system tests.

The original description of this issue follows:


check_signer loops directly over val->event->sigrdataset, which leads to spurious validation failures. Cloning val->event->sigrdataset will make its use independent of any looping over the rdataset.

This was found by examining some unexpected failures in the dnssec system test. This was possibly exposed by the use of OpenSSL 3.0.0.

17-Nov-2021 12:04:59.413 received packet from 10.53.0.2#5300
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  36571
;; flags: qr; QUESTION: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; COOKIE: 2273409052bb1631010000006194553b76a5297853293327
;; QUESTION SECTION:
;auto-nsec3.example.            IN      A

;; AUTHORITY SECTION:
;auto-nsec3.example.    300     IN      NS      ns.auto-nsec3.example.
;auto-nsec3.example.    300     IN      DS      52528 13 2 (
;                                               549C4AB8A70D7AA3A65C3F8003DF
;                                               53E425C5B9AFDE20399C6CA61009
;                                               3D89781E )
;auto-nsec3.example.    300     IN      RRSIG   DS 8 2 300 (
;                                               20211217000313 20211117000313 34390 example.
;                                               jFWU9BNShOu9DCawKevJQi9twGb7
;                                               eNmGWPzkMUT7qkDgK2Cyk9Duz1GA
;                                               ibrcbY0sIp4Rp0kkJnZmtGIsp0Xh
;                                               54GWYFOGgCZZ0dnVTSSxWnvhtNOl
;                                               TdpppKq6E1sZDHV0NTfiofP1Nmlo
;                                               rYrUyouy5BwMW3F7taUvRZ4L/QVK
;                                               IMU6nN6Ql4F1f/5f5Anr2PAPfJR0
;                                               ctA3+Y/Kh9E9kylJLg== )

;; ADDITIONAL SECTION:
;ns.auto-nsec3.example. 300     IN      A       10.53.0.3
17-Nov-2021 12:04:59.414 received packet from 10.53.0.3#5300
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  29588
;; flags: qr aa; QUESTION: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; COOKIE: ed700d3254682696010000006194553b1dedf2a8fb5abfa4
;; QUESTION SECTION:
;auto-nsec3.example.            IN      DNSKEY

;; ANSWER SECTION:
;auto-nsec3.example.    300     IN      DNSKEY  256 3 13 (
;                                               fwG+e1gwVJk7+gwjLrzYKK/QDkSo
;                                               ZBapSLxWf/9m/oGHP2QMuH0td1UD
;                                               XeWw486VfvyGr9WfFVqUiMqsYea+
;                                               8A==
;                                               ) ; ZSK; alg = ECDSAP256SHA256 ; key id = 52210
;auto-nsec3.example.    300     IN      DNSKEY  257 3 13 (
;                                               Zo+EoLnluv1C/L6QiZlj/Mywrv4/
;                                               kX3s0L4jx9hQ78S862nhIGlMndLX
;                                               fdq+D+sfEFf9WvN2LDK/olykcPc7
;                                               1A==
;                                               ) ; KSK; alg = ECDSAP256SHA256 ; key id = 52528
;auto-nsec3.example.    300     IN      DNSKEY  257 3 13 (
;                                               zdEFO/z7PiHd4NwRkZ94ef4m76yi
;                                               GwrhUd3oGIssEgN73XvDbdWyPiQl
;                                               EVvVmnTjwF/rFDIRF+8Ip4yvJheI
;                                               Ow==
;                                               ) ; KSK; alg = ECDSAP256SHA256 ; key id = 6412
;auto-nsec3.example.    300     IN      DNSKEY  256 3 13 (
;                                               1O4dFAm+FtWWN/h10whUgudZxPvj
;                                               hFm7xYcPdWTbhG9v8lI3nqdvwAz0
;                                               42KmR6bOhfHBo96/s8ENKiVSdGH4
;                                               Kg==
;                                               ) ; ZSK; alg = ECDSAP256SHA256 ; key id = 64471
;auto-nsec3.example.    300     IN      RRSIG   DNSKEY 13 2 300 (
;                                               20211217010315 20211117000316 6412 auto-nsec3.example.
;                                               /ASeAP/nKeeOIPGYfDY/iexF/UWz
;                                               lbum+6++QYIyjQt5pw6zmSfo/yZz
;                                               QS1KD0uImVqGC/dTotg3s9abo8hY
;                                               nA== )
;auto-nsec3.example.    300     IN      RRSIG   DNSKEY 13 2 300 (
;                                               20211217010315 20211117000316 52528 auto-nsec3.example.
;                                               QEwKW9Hzufb4savsi2Wagt0Ts6Cg
;                                               miQkNCKNzmcGyNGHrreMeOGMC+so
;                                               XnrQbYgVLd9geyDSXDGkjDjvkPa4
;                                               nQ== )
17-Nov-2021 12:04:59.414 fctx 0x123a0ec00(auto-nsec3.example/DNSKEY): rctx_answer
17-Nov-2021 12:04:59.414 log_ns_ttl: fctx 0x123a0ec00: rctx_answer: auto-nsec3.example (in 'auto-nsec3.example'?): 1 300
17-Nov-2021 12:04:59.414 fctx 0x123a0ec00(auto-nsec3.example/DNSKEY): cache_message
17-Nov-2021 12:04:59.414 fctx 0x123a0ec00(auto-nsec3.example/DNSKEY): cache_name
17-Nov-2021 12:04:59.414 fctx 0x123a0ec00(auto-nsec3.example/DNSKEY): resquery_response done
17-Nov-2021 12:04:59.414 fctx 0x123a0ec00(auto-nsec3.example/DNSKEY): [result: success] query canceled in rctx_done(); responding
17-Nov-2021 12:04:59.414 fctx 0x123a0ec00(auto-nsec3.example/DNSKEY): cancelquery
17-Nov-2021 12:04:59.414 dispatch 0x121f0eef0: detach: refcount 2
17-Nov-2021 12:04:59.414 fctx 0x123a0ec00(auto-nsec3.example/DNSKEY): wait for validator
17-Nov-2021 12:04:59.414 fctx 0x123a0ec00(auto-nsec3.example/DNSKEY): cancelqueries
17-Nov-2021 12:04:59.414 dispatch 0x121f0eef0: detach: refcount 1
17-Nov-2021 12:04:59.414 validating auto-nsec3.example/DNSKEY: starting
17-Nov-2021 12:04:59.414 validating auto-nsec3.example/DNSKEY: attempting positive response validation
17-Nov-2021 12:04:59.414 validating auto-nsec3.example/DNSKEY: validate_dnskey: creating validator for auto-nsec3.example DS
17-Nov-2021 12:04:59.414   validating auto-nsec3.example/DS: starting
17-Nov-2021 12:04:59.414   validating auto-nsec3.example/DS: attempting positive response validation
17-Nov-2021 12:04:59.414   validating auto-nsec3.example/DS: keyset with trust secure
17-Nov-2021 12:04:59.414   validating auto-nsec3.example/DS: verify rdataset (keyid=34390): success
17-Nov-2021 12:04:59.414   validating auto-nsec3.example/DS: marking as secure, noqname proof not needed
17-Nov-2021 12:04:59.414   validator @0x123a14e00: dns_validator_destroy
17-Nov-2021 12:04:59.414 validating auto-nsec3.example/DNSKEY: in validator_callback_ds
17-Nov-2021 12:04:59.414 validating auto-nsec3.example/DNSKEY: dsset with trust secure
17-Nov-2021 12:04:59.414 validating auto-nsec3.example/DNSKEY: verify rdataset (keyid=52528): RRSIG failed to verify
17-Nov-2021 12:04:59.414 validating auto-nsec3.example/DNSKEY: no RRSIG matching DS key
17-Nov-2021 12:04:59.414 validating auto-nsec3.example/DNSKEY: no valid signature found (DS)
17-Nov-2021 12:04:59.414 fctx 0x123a0ec00(auto-nsec3.example/DNSKEY): received validation completion event
17-Nov-2021 12:04:59.414 validator @0x12393cc00: dns_validator_destroy
17-Nov-2021 12:04:59.414 fctx 0x123a0ec00(auto-nsec3.example/DNSKEY): validation failed
17-Nov-2021 12:04:59.414 fctx 0x123a0ec00(auto-nsec3.example/DNSKEY): add_bad
17-Nov-2021 12:04:59.414 no valid RRSIG resolving 'auto-nsec3.example/DNSKEY/IN': 10.53.0.3#5300
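As an added check (not part of the issue or of BIND's own code), the stdlib-only Python below recomputes the RFC 4034 key tags and the SHA-256 DS for the DNSKEY RRset captured in the dig output above and compares them with the DS served by the parent zone. It confirms that the parent's DS really does reference KSK 52528, so the "verify rdataset (keyid=52528): RRSIG failed to verify" line is a bad signature, not a broken chain of trust. The DNSKEY and DS values are copied verbatim from the trace; the helper names are this example's own.

```python
import base64
import hashlib
import struct

# DNSKEY RRs as printed in the issue's dig output for auto-nsec3.example
# (algorithm 13 = ECDSAP256SHA256): (flags, key id reported by dig, base64 key).
OWNER = "auto-nsec3.example."
DNSKEYS = [
    (256, 52210, "fwG+e1gwVJk7+gwjLrzYKK/QDkSoZBapSLxWf/9m/oGHP2QMuH0td1UD"
                 "XeWw486VfvyGr9WfFVqUiMqsYea+8A=="),
    (257, 52528, "Zo+EoLnluv1C/L6QiZlj/Mywrv4/kX3s0L4jx9hQ78S862nhIGlMndLX"
                 "fdq+D+sfEFf9WvN2LDK/olykcPc71A=="),
    (257, 6412,  "zdEFO/z7PiHd4NwRkZ94ef4m76yiGwrhUd3oGIssEgN73XvDbdWyPiQl"
                 "EVvVmnTjwF/rFDIRF+8Ip4yvJheIOw=="),
    (256, 64471, "1O4dFAm+FtWWN/h10whUgudZxPvjhFm7xYcPdWTbhG9v8lI3nqdvwAz0"
                 "42KmR6bOhfHBo96/s8ENKiVSdGH4Kg=="),
]
# DS published by the parent zone "example." (same dig output): tag, alg, digest type, digest.
PARENT_DS = (52528, 13, 2,
             "549C4AB8A70D7AA3A65C3F8003DF53E425C5B9AFDE20399C6CA610093D89781E")

def dnskey_rdata(flags, algorithm, key_b64):
    """Wire-format DNSKEY RDATA: flags(2) | protocol(1)=3 | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + base64.b64decode(key_b64)

def key_tag(rdata):
    """RFC 4034 Appendix B key tag (all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def wire_name(name):
    """Canonical (lower-case) wire-format owner name, RFC 4034 section 6.2."""
    labels = [l.encode() for l in name.lower().rstrip(".").split(".")]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def ds_digest(owner, rdata):
    """RFC 4034 section 5.1.4: digest type 2 is SHA-256 over owner name + DNSKEY RDATA."""
    return hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()

def check_zone_keys():
    """Map each DNSKEY's recomputed key tag to whether the parent's DS references it."""
    result = {}
    for flags, _, key_b64 in DNSKEYS:
        rdata = dnskey_rdata(flags, 13, key_b64)
        tag = key_tag(rdata)
        result[tag] = (tag == PARENT_DS[0]
                       and ds_digest(OWNER, rdata) == PARENT_DS[3])
    return result
```

Only KSK 52528 should match the parent's DS; the other three tags must agree with the key ids dig printed, which rules out a transcription or key-tag mismatch as the cause of the failure.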
Edited Nov 18, 2021 by Michał Kępień