[Pkg-pdns-maintainers] Bug#697904: pdns-server: Activating ECDSA keys to a zone makes pdns stop serving that zone and send out SERVFAIL

Pieter Lexis pieter at kumina.nl
Fri Jan 11 08:35:06 UTC 2013


Package: pdns-server
Version: 3.1-4
Severity: important

Dear Maintainer,

After installing, I did the following:

pdnssec secure-zone kumina.nl
pdnssec add-zone-key kumina.nl zsk ecdsa256 256
pdnssec activate-zone-key kumina.nl 16

I then get the following in the log when I request a record from that zone:
Jan 11 09:12:44 pdns-master pdns[22359]: Exception building answer packet (CryptoMaterial: this object contains invalid values) sending out servfail

pdnssec show-zone also shows the key as being algorithm 8 instead of 13:

Zone has NSEC semantics
Zone is not presigned
keys: 
ID = 13 (KSK), tag = 10682, algo = 8, bits = 2048	Active: 1
KSK DNSKEY = kumina.nl IN DNSKEY 257 3 8 AwEAAYpSCMo/Ti7I2aZZLEILwCVF6W0xzhXDY/nV5LHjblmjHxv+4E3JnLcsPjAnNnFc6Jb1u4XLbgaxas+EExUYsezoS1WUzSVqf643z4Rs6AcYKdVY7qLfzgRwPW0DiDjHRxawqnl0cNaL7NRMwGG/e8Eg7HCdcSNcMDr6r2mrvAtHka6roH7qw+GkKOwsR3cE9hGHoeIg4KS+TlR4C9zF/yc5KOTfI7TbcQPiyLLRIz+StGmBpVIkjfroUevdpiiJ2xMOQyR7QgyCXXgyzhBKSmx8hjKZhsCVIA71blpJo9/yVhwRSX3IHXiXa1fAiNlk6GIMPJFcGFPUW/nibzsZntM=
DS = kumina.nl IN DS 10682 8 1 ad61b310e025c7ac4e72cc106b2b7e7ee4ae4fa0
DS = kumina.nl IN DS 10682 8 2 b4cc14b1acdb3d78a901e6d4b8b441a2ae9b92159c83acb2e4f50ed2a3fdc9ed

ID = 14 (ZSK), tag = 55575, algo = 8, bits = 1024	Active: 1
ID = 15 (ZSK), tag = 54753, algo = 8, bits = 1024	Active: 0
ID = 16 (ZSK), tag = 1032, algo = 8, bits = 256	Active: 0

This bug has been reported upstream[0] and has been fixed in SVN commit 3036. The patch applies cleanly to the Debian sources (tested using a quilt patch) and works as expected. Please add it to PowerDNS in Debian to make sure people don't end up with a broken authoritative server.

0- wiki.powerdns.com/trac/ticket/670

-- System Information:
Debian Release: 7.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages pdns-server depends on:
ii  adduser                         3.113+nmu3
ii  debconf [debconf-2.0]           1.5.49
ii  libboost-program-options1.49.0  1.49.0-3.1
ii  libboost-serialization1.49.0    1.49.0-3.1
ii  libc6                           2.13-37
ii  libcrypto++9                    5.6.1-6
ii  libgcc1                         1:4.7.2-4
ii  liblua5.1-0                     5.1.5-4
ii  libpolarssl0                    1.1.4-1
ii  libsqlite3-0                    3.7.13-1
ii  libstdc++6                      4.7.2-4
ii  ucf                             3.0025+nmu3
ii  zlib1g                          1:1.2.7.dfsg-13

pdns-server recommends no packages.

Versions of packages pdns-server suggests:
ii  pdns-backend-mysql [pdns-backend]  3.1-4
pn  pdns-recursor                      <none>

-- debconf information excluded
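A sanity check a zone operator can run over `pdnssec show-zone` output before activating a key: it flags entries whose algorithm number does not fit the key size, such as the 256-bit key listed as algo 8 above. This is an added example, not code from the report or from PowerDNS; the sample key table is constructed from the report, and the algorithm/size table is taken from the DNSSEC algorithm RFCs.

```python
import re

# DNSSEC algorithm numbers (IANA registry) with the key sizes each one
# allows: RSA algorithms accept a range (RFC 3110 / RFC 5702), the
# elliptic-curve algorithms (RFC 6605) have exactly one size.
ALGORITHMS = {
    5:  ("RSASHA1", range(512, 4097)),
    7:  ("RSASHA1-NSEC3-SHA1", range(512, 4097)),
    8:  ("RSASHA256", range(512, 4097)),
    10: ("RSASHA512", range(1024, 4097)),
    13: ("ECDSAP256SHA256", range(256, 257)),
    14: ("ECDSAP384SHA384", range(384, 385)),
}

# Constructed sample: the key table from the report, including the
# 256-bit key recorded as algo 8 instead of 13.
SAMPLE_SHOW_ZONE = """\
ID = 13 (KSK), tag = 10682, algo = 8, bits = 2048\tActive: 1
ID = 14 (ZSK), tag = 55575, algo = 8, bits = 1024\tActive: 1
ID = 15 (ZSK), tag = 54753, algo = 8, bits = 1024\tActive: 0
ID = 16 (ZSK), tag = 1032, algo = 8, bits = 256\tActive: 0
"""

KEY_LINE = re.compile(
    r"ID = (?P<id>\d+) \((?P<role>KSK|ZSK)\), tag = (?P<tag>\d+), "
    r"algo = (?P<algo>\d+), bits = (?P<bits>\d+)\s+Active: (?P<active>[01])"
)


def parse_keys(show_zone_output):
    """Return one dict per key line found in `pdnssec show-zone` output."""
    keys = []
    for line in show_zone_output.splitlines():
        m = KEY_LINE.search(line)
        if m:
            fields = m.groupdict()
            keys.append({k: int(v) if v.isdigit() else v for k, v in fields.items()})
    return keys


def find_inconsistent_keys(keys):
    """Flag keys whose algorithm number cannot describe a key of that size.
    Such a key would fail in the signer (here: SERVFAIL) once activated."""
    problems = []
    for k in keys:
        name, sizes = ALGORITHMS.get(k["algo"], ("unknown", range(0)))
        if k["bits"] not in sizes:
            problems.append((k["id"], f"algo {k['algo']} ({name}) with {k['bits']}-bit key"))
    return problems


if __name__ == "__main__":
    for key_id, why in find_inconsistent_keys(parse_keys(SAMPLE_SHOW_ZONE)):
        print(f"key {key_id}: {why}")
```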