[Pkg-pdns-maintainers] Bug#697904: pdns-server: Activating ECDSA keys to a zone makes pdns stop serving that zone and send out SERVFAIL
Pieter Lexis
pieter at kumina.nl
Fri Jan 11 08:35:06 UTC 2013
Package: pdns-server
Version: 3.1-4
Severity: important
Dear Maintainer,
After installing, I did the following:
pdnssec secure-zone kumina.nl
pdnssec add-zone-key kumina.nl zsk ecdsa256 256
pdnssec activate-zone-key kumina.nl 16
I then get the following in the log when I request a record from that zone:
Jan 11 09:12:44 pdns-master pdns[22359]: Exception building answer packet (CryptoMaterial: this object contains invalid values) sending out servfail
pdnssec show-zone also shows the key as being algorithm 8 instead of 13:
Zone has NSEC semantics
Zone is not presigned
keys:
ID = 13 (KSK), tag = 10682, algo = 8, bits = 2048 Active: 1
KSK DNSKEY = kumina.nl IN DNSKEY 257 3 8 AwEAAYpSCMo/Ti7I2aZZLEILwCVF6W0xzhXDY/nV5LHjblmjHxv+4E3JnLcsPjAnNnFc6Jb1u4XLbgaxas+EExUYsezoS1WUzSVqf643z4Rs6AcYKdVY7qLfzgRwPW0DiDjHRxawqnl0cNaL7NRMwGG/e8Eg7HCdcSNcMDr6r2mrvAtHka6roH7qw+GkKOwsR3cE9hGHoeIg4KS+TlR4C9zF/yc5KOTfI7TbcQPiyLLRIz+StGmBpVIkjfroUevdpiiJ2xMOQyR7QgyCXXgyzhBKSmx8hjKZhsCVIA71blpJo9/yVhwRSX3IHXiXa1fAiNlk6GIMPJFcGFPUW/nibzsZntM=
DS = kumina.nl IN DS 10682 8 1 ad61b310e025c7ac4e72cc106b2b7e7ee4ae4fa0
DS = kumina.nl IN DS 10682 8 2 b4cc14b1acdb3d78a901e6d4b8b441a2ae9b92159c83acb2e4f50ed2a3fdc9ed
ID = 14 (ZSK), tag = 55575, algo = 8, bits = 1024 Active: 1
ID = 15 (ZSK), tag = 54753, algo = 8, bits = 1024 Active: 0
ID = 16 (ZSK), tag = 1032, algo = 8, bits = 256 Active: 0
This bug has been reported upstream[0] and has been fixed in SVN commit 3036. The patch applies cleanly to the Debian sources (tested using a quilt patch) and works as expected. Please add it to powerdns in Debian to make sure people don't end up with a broken authoritative server.
[0] wiki.powerdns.com/trac/ticket/670
-- System Information:
Debian Release: 7.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages pdns-server depends on:
ii adduser 3.113+nmu3
ii debconf [debconf-2.0] 1.5.49
ii libboost-program-options1.49.0 1.49.0-3.1
ii libboost-serialization1.49.0 1.49.0-3.1
ii libc6 2.13-37
ii libcrypto++9 5.6.1-6
ii libgcc1 1:4.7.2-4
ii liblua5.1-0 5.1.5-4
ii libpolarssl0 1.1.4-1
ii libsqlite3-0 3.7.13-1
ii libstdc++6 4.7.2-4
ii ucf 3.0025+nmu3
ii zlib1g 1:1.2.7.dfsg-13
pdns-server recommends no packages.
Versions of packages pdns-server suggests:
ii pdns-backend-mysql [pdns-backend] 3.1-4
pn pdns-recursor <none>
-- debconf information excluded
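As an added defender-side check (example code, not part of this report or of PowerDNS): a small Python parser for the `pdnssec show-zone` key lines quoted above that flags keys whose algorithm number and bit size cannot belong together, which is how a mislabelled ECDSA key like ID 16 shows up before pdns starts answering SERVFAIL. The regular expression assumes the exact line layout printed by pdns 3.1 as shown in the report; the sample input is the report's own key lines.

```python
import re

# IANA DNSSEC algorithm numbers used below.
RSA_ALGOS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512"}
ECDSA_ALGOS = {13: ("ECDSAP256SHA256", 256), 14: ("ECDSAP384SHA384", 384)}

# Matches the per-key lines printed by 'pdnssec show-zone' in this report.
KEY_LINE = re.compile(
    r"ID = (?P<id>\d+) \((?P<role>KSK|ZSK)\), tag = (?P<tag>\d+), "
    r"algo = (?P<algo>\d+), bits = (?P<bits>\d+) Active: (?P<active>[01])"
)

def parse_show_zone(text):
    """Return a list of dicts, one per 'ID = ...' line; other lines are ignored."""
    keys = []
    for line in text.splitlines():
        m = KEY_LINE.search(line)
        if m:
            k = {name: int(val) for name, val in m.groupdict().items() if name != "role"}
            k["role"] = m.group("role")
            keys.append(k)
    return keys

def key_problems(key):
    """Return the reasons a key's (algo, bits) pair is implausible; [] if fine."""
    algo, bits = key["algo"], key["bits"]
    problems = []
    if algo in ECDSA_ALGOS:
        name, expected = ECDSA_ALGOS[algo]
        if bits != expected:
            problems.append(f"algo {algo} ({name}) requires {expected}-bit keys, got {bits}")
    elif algo in RSA_ALGOS and bits < 512:
        # RFC 3110 RSA keys are 512..4096 bits; a 256-bit 'RSA' key is almost
        # certainly an ECDSA P-256 key stored with the wrong algorithm number,
        # which is what this report describes.
        problems.append(f"algo {algo} ({RSA_ALGOS[algo]}) with {bits} bits: "
                        "likely an ECDSA key stored with the wrong algorithm number")
    if key["active"] and problems:
        problems.append("key is ACTIVE: pdns will try to sign with it and SERVFAIL")
    return problems

def audit(text):
    """Map key ID -> problems for every implausible key in show-zone output."""
    return {k["id"]: p for k in parse_show_zone(text) if (p := key_problems(k))}

# Sample input: the key lines quoted in the bug report (DNSKEY/DS lines omitted,
# the parser ignores them anyway).
SHOW_ZONE = """\
keys:
ID = 13 (KSK), tag = 10682, algo = 8, bits = 2048 Active: 1
ID = 14 (ZSK), tag = 55575, algo = 8, bits = 1024 Active: 1
ID = 15 (ZSK), tag = 54753, algo = 8, bits = 1024 Active: 0
ID = 16 (ZSK), tag = 1032, algo = 8, bits = 256 Active: 0
"""

if __name__ == "__main__":
    for key_id, problems in audit(SHOW_ZONE).items():
        print(f"key {key_id}:", "; ".join(problems))
```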