webmin / webmin

Powerful and flexible web-based server management control panel
http://www.webmin.com/
BSD 3-Clause "New" or "Revised" License

DNSSEC, NSEC3, error when saving #1473

Open BenoitPoulet opened 3 years ago

BenoitPoulet commented 3 years ago

Hello,

Webmin 1.973, Bind 9.10.3

When I try to add NSEC3 parameters to a zone via the menu "Add DNSSEC Parameters Record", I get an error when I save:

Failed to save record : DNSSEC signing after records change failed :
dnssec-signzone: error: dns_rdata_fromtext: /var/cache/bind/zones/unsigned/zone2.dnssec.hosts:10: near eol: bad hex encoding
dnssec-signzone: fatal: failed loading zone from '/var/cache/bind/zones/unsigned/zone2.dnssec.hosts': bad hex encoding

The entry: [screenshot not included]

The zone file:

$ttl 3600
zone2.dnssec.   IN  SOA didv-dns-4.zone1.dnssec. toto.titi.fr. (
            1618330202
            3600
            600
            1209600
            3600 )
zone2.dnssec.   IN  NS  didv-dns-4.zone1.dnssec.
www.zone2.dnssec.   IN  A   5.5.5.5
zone2.dnssec.   25W IN  NSEC3PARAM  ( 1 0 5 jne888siehgeplkef )
zone2.dnssec.   IN  DNSKEY  257 3 8 AwEAAd8VuBUtxZnzDPtEAOybuqrkycCWnZTxsvv2npg3nN42hsYDjB2K ffxbdttxs1w9vMU4SlO7TjtoF9FAbXNr9H/HJofMmncx1eR3suxr/g98 XqH4XA/xyXjPFGKgnKp1GnpSQpvG9CxJuSBth7EE7bWPL++2LfpC9FPR oHli9HwI0zpjGSg71ZgegidjVynqCh5F2a+CimvEfvqGYu8Oj5k=
zone2.dnssec.   IN  DNSKEY  256 3 8 AwEAAaGRLB4S8hG/ZWtdy5zrPriVzaKuIgvjAd6NpbALTxaX3fUtzbRe JaSiZ3mVEB46PfdOzFuO7c6cLqFm+2KY2l5tkdT9i25fipyYswBVGQsU BvQIiU+36ldg7L9or0Wq/UeE51DiN41OhGlQUWCnSpqO0LF/ryQbGiIW ki5nSnWqFLQXvq/DAiBnhoblCXgJ8OXtzztN4ZQZqBI2DyVtlQc=

Regards

jcameron commented 3 years ago

Did you add that DNSKEY record on line 10 yourself, or did Virtualmin add it?

BenoitPoulet commented 3 years ago

This was added by Webmin, via "DNSSEC Parameters"

I found the problem: the salt I gave was not in the format BIND was expecting. The right format can be obtained via: openssl rand -hex 8

There is no validation in the Webmin form, so you can enter anything you like, but you will get the error I mentioned when saving.

jcameron commented 3 years ago

Is there a way to validate that the salt is in the expected format, and has the correct hex encoding?

BenoitPoulet commented 3 years ago

I'm not sure, but perhaps some consistency tests can be done in the form by following these specifications: https://tools.ietf.org/html/draft-ietf-dnsext-nsec3-08#section-4.1

chris001 commented 3 years ago

BIND9 can automatically generate the NSEC3 fields, in fact, it can (and some say, should) generate, update and maintain all the DNSSEC fields by using auto-dnssec maintain and dnssec-policy settings. https://bind9.readthedocs.io/en/latest/advanced.html
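The policy-driven setup chris001 refers to, as an added named.conf fragment written for this thread (it is not taken from the BIND documentation or from Webmin). It assumes BIND 9.16 or later, where the dnssec-policy statement exists; the 9.10.3 release named at the top of the issue predates it and would have to use the older auto-dnssec maintain mechanism instead. The policy name, key lifetimes and algorithm choice are assumptions; the zone name and file path are the ones from the issue.

```conf
// Added example for this thread, not part of Webmin or of the issue.
// Requires BIND 9.16+: dnssec-policy does not exist in BIND 9.10.
dnssec-policy "zone2-policy" {
    // named generates and rolls the keys itself, so no DNSKEY rdata
    // is ever typed into a form. Lifetimes and algorithm are assumptions.
    keys {
        ksk lifetime unlimited algorithm ecdsa256;
        zsk lifetime P90D algorithm ecdsa256;
    };
    // The NSEC3PARAM record is generated from these values, so the salt
    // cannot be mistyped. RFC 9276 recommends 0 iterations and no salt.
    nsec3param iterations 0 optout no salt-length 0;
};

zone "zone2.dnssec" {
    type primary;
    // Path taken from the error message in the issue.
    file "/var/cache/bind/zones/unsigned/zone2.dnssec.hosts";
    dnssec-policy "zone2-policy";
    // In 9.16 a zone using dnssec-policy must be dynamic or inline-signed.
    inline-signing yes;
};
```

With this in place named keeps the signed copy of the zone itself; the unsigned file stays as the operator edits it, and neither the NSEC3PARAM nor the DNSKEY records need to pass through a web form at all.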

iliajie commented 3 years ago

> Is there a way to validate that the salt is in the expected format, and has the correct hex encoding?

Jamie, why don't we use a regex to validate HEX string?

jcameron commented 3 years ago

Is a regexp good enough though? Seems like the string can be in hex, but still not valid.

iliajie commented 3 years ago

It says bad hex encoding, meaning it wants a hex string in the end? Perhaps the xxd command could help? Validating hex with a regexp is not a problem. However, if BIND has a command to do it, we should use that.

jcameron commented 3 years ago

Ok, it looks like what we really need to validate is that the DNSKEY record value is in a valid base64 format.

jcameron commented 3 years ago

The thing is, those NSEC3PARAM and DNSKEY records were created by BIND's own tools - Webmin doesn't even allow you to enter those record values.