Open BenoitPoulet opened 3 years ago
Did you add that DNSKEY record on line 10 yourself, or did Virtualmin add them?
This was added by Webmin, via "DNSSEC Parameters"
I found the problem: the salt I gave was not in the format BIND was expecting. The right format can be obtained via:
openssl rand -hex 8
There is no validation in the Webmin form, so you can enter anything you like, but you will get the error I mentioned when saving.
Is there a way to validate that the salt is in the expected format, and has the correct hex encoding?
I'm not sure, but perhaps some consistency tests can be done in the form by following these specifications: https://tools.ietf.org/html/draft-ietf-dnsext-nsec3-08#section-4.1
BIND9 can automatically generate the NSEC3 fields; in fact, it can (and some say, should) generate, update and maintain all the DNSSEC fields by using the auto-dnssec maintain and dnssec-policy settings.
https://bind9.readthedocs.io/en/latest/advanced.html
Is there a way to validate that the salt is in the expected format, and has the correct hex encoding?
Jamie, why don't we use a regex to validate the HEX string?
Is a regexp good enough though? It seems like the string can be in hex but still not valid.
It says bad hex encoding, meaning it wants a hex string in the end? Perhaps the xxd command could help? Validating hex with a regexp is not a problem. However, if BIND has a command to do it, we should use that.
Ok, it looks like what we really need to validate is that the DNSKEY record value is in a valid base64 format.
The thing is, those NSEC3PARAM and DNSKEY records were created by BIND's own tools - Webmin doesn't even allow you to enter those record values.
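For reference, here is what the form-side checks discussed in this thread (a hex check on the NSEC3PARAM salt, a base64 check on the DNSKEY key field) could look like. This is an added example, not code from Webmin or BIND; it follows RFC 5155 section 4.1 for NSEC3PARAM (algorithm, flags, iterations, salt, where "-" means an empty salt and the salt is otherwise an even-length hex string of at most 255 octets) and RFC 4034 section 2 for DNSKEY (flags, protocol 3, algorithm, base64 key). The sample records are constructed for the demo and are not the reporter's zone data; `generate_salt` mirrors the output shape of `openssl rand -hex 8`.

```python
# Added example (not Webmin's or BIND's code): input checks for the two record
# values discussed in the thread. Sample records below are constructed, not real.
import base64
import binascii
import re
import secrets

HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")


def generate_salt(nbytes: int = 8) -> str:
    """Same shape as `openssl rand -hex 8`: 2*nbytes hex digits."""
    return secrets.token_hex(nbytes)


def validate_nsec3_salt(salt: str):
    """Return (ok, reason) for the presentation-format salt field (RFC 5155 4.1).

    '-' means an empty salt; otherwise the field is hex digits encoding at most
    255 octets, so the digit count must be even.
    """
    if salt == "-":
        return True, "empty salt"
    if not HEX_RE.match(salt):
        return False, "bad hex encoding"  # the dnssec-signzone error in this issue
    if len(salt) % 2:
        return False, "odd number of hex digits"
    if len(salt) // 2 > 255:
        return False, "salt longer than 255 octets"
    return True, f"{len(salt) // 2}-octet salt"


def validate_nsec3param_rdata(rdata: str):
    """Check 'algorithm flags iterations salt', e.g. '1 0 10 8f1c2d3e4a5b6c7d'."""
    fields = rdata.split()
    if len(fields) != 4:
        return False, "expected 4 fields: algorithm flags iterations salt"
    alg, flags, iterations, salt = fields
    for name, value, limit in (("algorithm", alg, 255),
                               ("flags", flags, 255),
                               ("iterations", iterations, 65535)):
        if not value.isdigit() or int(value) > limit:
            return False, f"{name} must be an integer in 0..{limit}"
    return validate_nsec3_salt(salt)


def validate_dnskey_rdata(rdata: str):
    """Check 'flags protocol algorithm key' (RFC 4034 section 2).

    BIND's tools may wrap the base64 key over several whitespace-separated
    tokens in the zone file, so the tokens are joined before decoding.
    """
    fields = rdata.split()
    if len(fields) < 4:
        return False, "expected at least 4 fields: flags protocol algorithm key"
    flags, protocol, algorithm = fields[:3]
    if not flags.isdigit() or int(flags) > 65535:
        return False, "flags must be an integer in 0..65535 (256 = ZSK, 257 = KSK)"
    if protocol != "3":
        return False, "protocol must be 3"
    if not algorithm.isdigit() or int(algorithm) > 255:
        return False, "algorithm must be an integer in 0..255"
    key_b64 = "".join(fields[3:])
    if len(key_b64) % 4:
        return False, "bad base64 encoding (length not a multiple of 4)"
    try:
        key = base64.b64decode(key_b64, validate=True)  # rejects non-alphabet chars
    except binascii.Error:
        return False, "bad base64 encoding"
    return True, f"{len(key)}-byte public key"


if __name__ == "__main__":
    # Constructed demo records: a good salt, the kind of free-text salt that
    # triggers "bad hex encoding", and a dummy all-zero 32-byte DNSKEY.
    dummy_key = base64.b64encode(bytes(32)).decode()
    for label, rdata, check in (
        ("NSEC3PARAM openssl salt", "1 0 10 " + generate_salt(8), validate_nsec3param_rdata),
        ("NSEC3PARAM text salt", "1 0 10 mysalt", validate_nsec3param_rdata),
        ("NSEC3PARAM no salt", "1 0 10 -", validate_nsec3param_rdata),
        ("DNSKEY constructed", "257 3 13 " + dummy_key, validate_dnskey_rdata),
        ("DNSKEY bad key", "257 3 13 not!base64", validate_dnskey_rdata),
    ):
        print(f"{label:24s} {check(rdata)}")
```

The regex alone answers the "bad hex encoding" case the reporter hit; the extra length and field-range checks are what a regex cannot express and are why a plain hex match is not quite enough on its own.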
Hello,
Webmin 1.973 Bind 9.10.3
When I try to add NSEC3 parameters to a zone via the menu "Add DNSSEC Parameters Record", I get an error when I save:
Failed to save record : DNSSEC signing after records change failed : dnssec-signzone: error: dns_rdata_fromtext: /var/cache/bind/zones/unsigned/zone2.dnssec.hosts:10: near eol: bad hex encoding
dnssec-signzone: fatal: failed loading zone from '/var/cache/bind/zones/unsigned/zone2.dnssec.hosts': bad hex encoding
The entry: ![Capture](https://user-images.githubusercontent.com/2464712/114670602-78ad0600-9d03-11eb-8881-b1bad0c28084.PNG)
The zone file:
Regards