SOA-EDIT should be ignored in PRESIGNED case #5814

Closed
Habbie opened this Issue Oct 12, 2017 · 0 comments

Habbie commented Oct 12, 2017

  • Program: Authoritative
  • Issue type: Bug report

Short description

When both SOA-EDIT and PRESIGNED are set on a zone, we bump the SOA, making the signature invalid.

Environment

  • Operating system: Debian 9.2
  • Software version: 4.1.0-rc1, 4.0.0, 4.0.4, rel/auth-4.0.x as of fbae572
  • Software source: repo.powerdns.com

Steps to reproduce

  1. slave a signed zone
  2. configure SOA-EDIT metadata on it
  3. validate the SOA

Expected behaviour

the SOA validates

Actual behaviour

the SOA does not validate

Other information

from pdns-public-ns1, on the public pdns instance that is a slave to the hidden, signing, master:

sqlite> select * from domains;
...
41|powerdns.com|127.0.0.2|1507792736|SLAVE|2017101201|
sqlite> select * from domainmetadata where domain_id=41;
9|41|SOA-EDIT|INCEPTION-INCREMENT
11|41|PRESIGNED|1

dig output:

; <<>> DiG 9.11.2 <<>> +dnssec soa powerdns.com @pdns-public-ns1.powerdns.com.
...
;; ANSWER SECTION:
powerdns.com.		3600	IN	SOA	pdns-public-ns1.powerdns.com. pieter\.lexis.powerdns.com. 2017101203 10800 3600 604800 3600
powerdns.com.		3600	IN	RRSIG	SOA 8 2 3600 20171026000000 20171005000000 36021 powerdns.com. C/VixIC4NriFNtWrA9eTUprDPos9lph36ol+klQ6W7SAdI86QL5SvRVT jREjdzignOjl2pKUv3mjeOPBR+lZhNdJBo1OD9Gpy6wv8fLwE9tM9/Rk qmM3Sq7/bfUw+y2tRV9UudKRWJLTHLSCUMTisyGtLfaOt68h+/4USfgR ZOU=

remove it:

sqlite> delete from domainmetadata where kind='SOA-EDIT';

wait for cache. Retry dig:

;; ANSWER SECTION:
powerdns.com.		3600	IN	RRSIG	SOA 8 2 3600 20171026000000 20171005000000 36021 powerdns.com. C/VixIC4NriFNtWrA9eTUprDPos9lph36ol+klQ6W7SAdI86QL5SvRVT jREjdzignOjl2pKUv3mjeOPBR+lZhNdJBo1OD9Gpy6wv8fLwE9tM9/Rk qmM3Sq7/bfUw+y2tRV9UudKRWJLTHLSCUMTisyGtLfaOt68h+/4USfgR ZOU=
powerdns.com.		3600	IN	SOA	pdns-public-ns1.powerdns.com. pieter\.lexis.powerdns.com. 2017101201 10800 3600 604800 3600

note slightly lowered serial. This one validates.
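An added example, not part of the original issue or of PowerDNS itself: on a version affected by this bug, an operator can audit a backend for zones that carry both PRESIGNED and SOA-EDIT and remove SOA-EDIT from those zones only, rather than from every zone. The schema is an assumption reduced to the columns visible in the sqlite output above; the `powerdns.com` rows come from the issue, and the other rows and all function names are constructed for illustration.

```python
import sqlite3

# Assumed schema: the two backend tables seen in the issue, reduced to the
# columns this check needs (column names beyond kind/domain_id are assumed).
SCHEMA = """
CREATE TABLE domains (id INTEGER PRIMARY KEY, name TEXT, type TEXT);
CREATE TABLE domainmetadata (id INTEGER PRIMARY KEY, domain_id INTEGER,
                             kind TEXT, content TEXT);
"""

# Zones marked PRESIGNED=1 that also have any SOA-EDIT value configured.
AFFECTED = """
SELECT d.id, d.name, e.content
FROM domains d
JOIN domainmetadata p ON p.domain_id = d.id
     AND p.kind = 'PRESIGNED' AND p.content = '1'
JOIN domainmetadata e ON e.domain_id = d.id AND e.kind = 'SOA-EDIT'
ORDER BY d.name
"""

def affected_zones(conn):
    """Return (zone name, SOA-EDIT value) for every presigned zone with SOA-EDIT."""
    return [(name, content) for _id, name, content in conn.execute(AFFECTED)]

def drop_soa_edit_on_presigned(conn):
    """Delete SOA-EDIT only where PRESIGNED is set; return the number of zones fixed."""
    ids = sorted({row[0] for row in conn.execute(AFFECTED)})
    conn.executemany(
        "DELETE FROM domainmetadata WHERE kind = 'SOA-EDIT' AND domain_id = ?",
        [(i,) for i in ids])
    conn.commit()
    return len(ids)

def sample_db():
    """In-memory database: zone 41 is from the issue, 42 and 43 are constructed."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO domains VALUES (?, ?, ?)", [
        (41, "powerdns.com", "SLAVE"),
        (42, "example.org", "MASTER"),   # live-signed zone, SOA-EDIT is fine here
        (43, "example.net", "SLAVE"),    # presigned, no SOA-EDIT
    ])
    conn.executemany("INSERT INTO domainmetadata VALUES (?, ?, ?, ?)", [
        (9, 41, "SOA-EDIT", "INCEPTION-INCREMENT"),
        (11, 41, "PRESIGNED", "1"),
        (12, 42, "SOA-EDIT", "INCEPTION-INCREMENT"),
        (13, 43, "PRESIGNED", "1"),
    ])
    return conn

if __name__ == "__main__":
    db = sample_db()
    print(affected_zones(db), drop_soa_edit_on_presigned(db))
```

As in the issue, the served SOA only changes once the cache has expired, so re-run the `dig +dnssec soa` check after that.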

@Habbie Habbie added this to the auth-4.1.0 milestone Oct 12, 2017

Habbie added a commit to Habbie/pdns that referenced this issue Oct 12, 2017

@rgacogne rgacogne closed this in 3ba1065 Oct 12, 2017

rgacogne added a commit that referenced this issue Oct 12, 2017

Merge pull request #5815 from Habbie/presigned-soa-edit
ignore SOA-EDIT for PRESIGNED zones. Fixes #5814

pieterlexis added a commit to pieterlexis/pdns that referenced this issue Nov 3, 2017

pieterlexis added a commit to pieterlexis/pdns that referenced this issue Nov 7, 2017
