niclabs / dns-tools

DNS tools for zone signature (file, pkcs11-hsm) and validation, and zone digest (ZONEMD)
MIT License

Zone file without origin issue #12

Closed yiyuandao closed 4 years ago

yiyuandao commented 4 years ago

Hi,

I had tested the hsm-tools in Yeti Project, but got only DNSKEY RRSIGs signed.

zone: example.com

$TTL 3600
@ IN SOA ns1 hostmaster.example.com. 2020032600 1800 900 604800 86400
  IN NS ns1
  IN NS ns2

ns1 IN A 127.0.0.1
ns2 IN A 127.0.0.1
www IN A 127.0.0.1

command:

./hsm-tools sign pkcs11 -p ./dtc.so -f ./example.com.old -3 -z example.com -o example.com.signed.1 -a rsa

log:

SigKeys found... checking validity
Checking key class 2 id zsk and valid true
Found valid Public ZSK
Checking key class 3 id zsk and valid true
Found valid Private ZSK
Checking key class 2 id ksk and valid true
Found valid Public KSK
Checking key class 3 id ksk and valid true
Found valid Private KSK
Start signing...
DS: example.com.        0       IN      DS      42415 8 1 DA544820B54CCA739B33E969D6B33CD4FF2E3DC0
File signed successfully.

example.com.signed.1 content:

example.com.    0       IN      RRSIG   DNSKEY 8 2 0 20210330015229 20200330015229 42415 example.com. L4q19RN46EerT4bIhkYwdKKkaE0g45ehgnxm107VVe/i28UEUC2BjRf6Nw6RAr9i1YcF//goOLL4q89fz731ZBFqayuG02luBM/AVD8V0h3YPNbo51rvHMJpfUDarBTBfO0Dx6wljb3PQSan3aXzB8IXS5Pu/bSeGu6aaDT9oIFpD93vo+lTpv1DgzFCe1mE0eBBtBqHAzo0bcU1ruhYBE9cKgj8FeU6U2vy5fIkulZ2JLnz9VxdsurtIgD6vAclXKFJI2WuUBT6A1IXyB/gjJoA1/S8kgZofoTrjAVqV+QaDjDAA4zl4ysQahi7693GHqWStsY///9kUmtsQElR2w==
example.com.    0       IN      DNSKEY  256 3 8 AwEAAV0ze7GaZWRCMIRjPx1dIo8bno9ynq3mB2gRFG2yzR+EdEVZ0xVeqKxuAyO33Tv7gWq4VoPHkXmDO4/YgxLlFNM7G0DjB/Hl0hcvvqhQ4pFNXC9V/saFclS1dAMrfg11ElBqOom+Q2TvwL1XON+uIxFz0JUalWKiFmn1/DAYcdf9
example.com.    0       IN      DNSKEY  257 3 8 AwEAAVvvXb00vf/YjN8CLXFOFGKOfAZhD6lxZYiUj4Z91cMDhufeulnw8xJrMGPEeDKItpXlOUQBEr2v16OsvUQrAYgEsI3cFUInq3EjpaPqcd8CQYZ+PuyMn26KWX32v6xI4zhSS25UjSNshU4+CQPCZD5o/4eCke755P22Ev95Srw1vahxW76ITLpyy98FpMvGx60LdLM1kKCmW3EvHHih/ehfgjxp6KcEuVd12Vif57YxIwMtcI9T9QM5X8bkV6DWX0aQx87GBuT7SeK9TFeo0qe6iz0L4djqmHyYm0CrdclcnLPYaxVf1k01hW7UD+mEtBT6IrHpJcMpzOaX4Bs/HvU=

Finally I found that there is no $ORIGIN included in the zone file, so hsm-tools can't get the exact domain name.
After I added $ORIGIN example.com., I got the whole signed zone.

My suggestions:

  1. I had passed the zone name option '-z', so I think there is no need to add the origin to the zone file.
  2. If hsm-tools finds the wrong zone file, it should panic and give the error log.

eriverosr commented 4 years ago

Thanks for the report. I think we have fixed the bug by now. We forgot to use the zone argument in the zone parsing process.

I also added your second suggestion: If a parsed RR has a name from a zone different than -z (or SOA), it should log the problem and abort.
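As an added illustration of the fix described in the reply above (example code written for this page, not code from dns-tools): a simplified Go master-file parser that seeds the origin from the -z zone argument when the file has no $ORIGIN directive, expands `@` and relative owner names against that origin, and aborts with an error as soon as an RR owner falls outside the zone. The sample zone is the one from the report; the function and type names (`ParseZone`, `RR`, `ErrOutOfZone`) are assumptions for this example, and rdata names such as `ns1` in the SOA are deliberately left unexpanded to keep the example short.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"strings"
)

// RR is a minimal record: owner, TTL, type and raw rdata (class is dropped).
type RR struct {
	Owner string
	TTL   string
	Type  string
	Rdata string
}

// ErrOutOfZone is returned when an RR owner is not at or below the zone apex.
var ErrOutOfZone = errors.New("rr owner outside zone")

// SampleZone is the zone file from the report (constructed input, no $ORIGIN).
const SampleZone = `$TTL 3600
@ IN SOA ns1 hostmaster.example.com. 2020032600 1800 900 604800 86400
  IN NS ns1
  IN NS ns2

ns1 IN A 127.0.0.1
ns2 IN A 127.0.0.1
www IN A 127.0.0.1
`

func fqdn(s string) string {
	if strings.HasSuffix(s, ".") {
		return s
	}
	return s + "."
}

// absolutize expands "@" and relative owners against the current origin.
func absolutize(name, origin string) string {
	switch {
	case name == "@":
		return origin
	case strings.HasSuffix(name, "."):
		return name
	default:
		return name + "." + origin
	}
}

// inZone reports whether name is the zone apex or a subdomain of it (case-insensitive).
func inZone(name, zone string) bool {
	name, zone = strings.ToLower(name), strings.ToLower(zone)
	return name == zone || strings.HasSuffix(name, "."+zone)
}

func isNumber(s string) bool {
	if s == "" {
		return false
	}
	for _, c := range s {
		if c < '0' || c > '9' {
			return false
		}
	}
	return true
}

// ParseZone parses master-file text. zone is the -z argument: it seeds the origin
// when the file carries no $ORIGIN, and every RR owner must fall under it.
func ParseZone(text, zone string) ([]RR, error) {
	zone = fqdn(zone)
	origin := zone
	var rrs []RR
	lastOwner, defaultTTL := "", ""
	sc := bufio.NewScanner(strings.NewReader(text))
	for lineNo := 1; sc.Scan(); lineNo++ {
		line := sc.Text()
		if i := strings.Index(line, ";"); i >= 0 {
			line = line[:i] // strip comments
		}
		if strings.TrimSpace(line) == "" {
			continue
		}
		fields := strings.Fields(line)
		if fields[0] == "$ORIGIN" || fields[0] == "$TTL" {
			if len(fields) < 2 {
				return nil, fmt.Errorf("line %d: %s needs an argument", lineNo, fields[0])
			}
			if fields[0] == "$ORIGIN" {
				origin = fqdn(fields[1])
			} else {
				defaultTTL = fields[1]
			}
			continue
		}
		// An explicit owner is present only when the line does not start with whitespace.
		owner := lastOwner
		if line[0] != ' ' && line[0] != '\t' {
			owner = absolutize(fields[0], origin)
			fields = fields[1:]
		}
		if owner == "" {
			return nil, fmt.Errorf("line %d: no owner name", lineNo)
		}
		ttl := defaultTTL
		if len(fields) > 0 && isNumber(fields[0]) { // optional TTL
			ttl, fields = fields[0], fields[1:]
		}
		if len(fields) > 0 && strings.EqualFold(fields[0], "IN") { // optional class
			fields = fields[1:]
		}
		if len(fields) < 2 {
			return nil, fmt.Errorf("line %d: incomplete RR", lineNo)
		}
		// This is the check from the fix: abort instead of silently skipping the record.
		if !inZone(owner, zone) {
			return nil, fmt.Errorf("line %d: %w: %s is not under %s", lineNo, ErrOutOfZone, owner, zone)
		}
		rrs = append(rrs, RR{Owner: owner, TTL: ttl, Type: fields[0], Rdata: strings.Join(fields[1:], " ")})
		lastOwner = owner
	}
	return rrs, sc.Err()
}

func main() {
	rrs, err := ParseZone(SampleZone, "example.com")
	fmt.Println("with -z example.com:", len(rrs), "RRs, err =", err)
	for _, rr := range rrs {
		fmt.Printf("%-20s %s %s %s\n", rr.Owner, rr.TTL, rr.Type, rr.Rdata)
	}
	_, err = ParseZone("$ORIGIN example.net.\nwww IN A 192.0.2.1\n", "example.com")
	fmt.Println("mismatched $ORIGIN:", err)
}
```

Run as `go run` on the file: the first call yields six records with absolute owners (`example.com.`, `ns1.example.com.`, ...), which is exactly what a signer needs to produce RRSIGs for every RRset rather than only the DNSKEY set; the second call shows the abort path when a $ORIGIN in the file disagrees with -z.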