23 Čen
2017
23 Čen
'17
14:08
Hello Knot DNS users,
CZ.NIC has released Knot DNS 2.5.2 and Knot DNS 2.4.5. Beside several fixes and
improvements,
these versions fix a flaw within the TSIG protocol implementation that would allow an
attacker
with a valid key name and algorithm to bypass the TSIG authentication if no additional
ACL
restrictions is set. This vulnerability was discovered by security experts from
Synacktiv.
Special thanks to them!
Full changelogs:
https://gitlab.labs.nic.cz/labs/knot/raw/v2.5.2/NEWS
https://gitlab.labs.nic.cz/labs/knot/raw/v2.4.5/NEWS
Documentation and migration notes:
https://www.knot-dns.cz/docs/2.5/html/
https://www.knot-dns.cz/docs/2.5/html/migration.html#upgrade-2-4-x-to-2-5-x
Source code:
https://secure.nic.cz/files/knot-dns/knot-2.5.2.tar.xz
https://secure.nic.cz/files/knot-dns/knot-2.5.2.tar.xz.asc
https://secure.nic.cz/files/knot-dns/knot-2.4.5.tar.xz
https://secure.nic.cz/files/knot-dns/knot-2.4.5.tar.xz.asc
Regards,
Daniel
27 Čen
27 Čen
6:25
New subject: Knot 2.5.2 fails to load DNSSEC keys
Hi,
My Knot DNS was upgraded from 2.5.1 to 2.5.2 and now it is unable to
load zone DNSSEC keys. Below are some relevant logs:
Jun 27 07:10:03 vertigo knotd[18479]: info: [nxdomain.fi.] zone will be
loaded
Jun 27 07:10:03 vertigo knotd[18479]: info: [nxdomain.fi.] DNSSEC,
loaded key, tag 14223, algorithm 8, KSK no, ZSK yes, public no, ready
no, active yes
Jun 27 07:10:03 vertigo knotd[18479]: info: [nxdomain.fi.] DNSSEC,
loaded key, tag 61894, algorithm 8, KSK yes, ZSK no, public no, ready
no, active yes
Jun 27 07:10:03 vertigo knotd[18479]: error: [nxdomain.fi.] DNSSEC, keys
validation failed (no keys for signing)
Jun 27 07:10:03 vertigo knotd[18479]: error: [nxdomain.fi.] DNSSEC,
failed to load keys (no keys for signing)
Jun 27 07:10:03 vertigo knotd[18479]: 2017-06-27T07:10:03 error:
[nxdomain.fi.] DNSSEC, failed to load keys (no keys for signing)
Jun 27 07:10:03 vertigo knotd[18479]: error: [nxdomain.fi.] zone event
'load' failed (no keys for signing)
When running "keymgr nxdomain.fi list", the keys are listed, though. I
have also checked that the /var/lib/knot and everything under it is
owned by knot:knot, so this shouldn't be a file permission issue. I also
tried to manually set the key timing argument, but it didn't make any
difference.
Antti
7:33
New subject: Knot 2.5.2 fails to load DNSSEC keys
Hi Antti,
what shows up to be wrong is:
public no, ready no, active yes
You shall be able to fix it by setting the keys timing via keymgr such
way that
publish, ready and active times would be in the past; retire and remove
times in the future.
If you still have any problems, please send us the output of keymgr list
command.
Unfortunately, I have no idea how this could happen. If you find out how
to reproduce the issue, I would be very glad.
Thanks much,
Libor
Dne 27.6.2017 v 06:25 Antti Ristimäki napsal(a):
Hi,
My Knot DNS was upgraded from 2.5.1 to 2.5.2 and now it is unable to
load zone DNSSEC keys. Below are some relevant logs:
Jun 27 07:10:03 vertigo knotd[18479]: info: [nxdomain.fi.] zone will be
loaded
Jun 27 07:10:03 vertigo knotd[18479]: info: [nxdomain.fi.] DNSSEC,
loaded key, tag 14223, algorithm 8, KSK no, ZSK yes, public no, ready
no, active yes
Jun 27 07:10:03 vertigo knotd[18479]: info: [nxdomain.fi.] DNSSEC,
loaded key, tag 61894, algorithm 8, KSK yes, ZSK no, public no, ready
no, active yes
Jun 27 07:10:03 vertigo knotd[18479]: error: [nxdomain.fi.] DNSSEC, keys
validation failed (no keys for signing)
Jun 27 07:10:03 vertigo knotd[18479]: error: [nxdomain.fi.] DNSSEC,
failed to load keys (no keys for signing)
Jun 27 07:10:03 vertigo knotd[18479]: 2017-06-27T07:10:03 error:
[nxdomain.fi.] DNSSEC, failed to load keys (no keys for signing)
Jun 27 07:10:03 vertigo knotd[18479]: error: [nxdomain.fi.] zone event
'load' failed (no keys for signing)
When running "keymgr nxdomain.fi list", the keys are listed, though. I
have also checked that the /var/lib/knot and everything under it is
owned by knot:knot, so this shouldn't be a file permission issue. I also
tried to manually set the key timing argument, but it didn't make any
difference.
Antti
_______________________________________________
knot-dns-users mailing list
knot-dns-users(a)lists.nic.cz
https://lists.nic.cz/cgi-bin/mailman/listinfo/knot-dns-users
8:51
New subject: Knot 2.5.2 fails to load DNSSEC keys
Hi Libor,
OK, I just did set the publish, ready and active timing parameters
manually on the keys and now it works again.
By the way, is it OK if all those three timestamps are the same or does
it cause some confusion to Knot?
Antti
On 27.06.2017 08:33, libor.peltan(a)nic.cz wrote:
Hi Antti,
what shows up to be wrong is:
public no, ready no, active yes
You shall be able to fix it by setting the keys timing via keymgr such
way that
publish, ready and active times would be in the past; retire and
remove times in the future.
If you still have any problems, please send us the output of keymgr
list command.
Unfortunately, I have no idea how this could happen. If you find out
how to reproduce the issue, I would be very glad.
Thanks much,
Libor
Dne 27.6.2017 v 06:25 Antti Ristimäki napsal(a):
Hi,
My Knot DNS was upgraded from 2.5.1 to 2.5.2 and now it is unable to
load zone DNSSEC keys. Below are some relevant logs:
Jun 27 07:10:03 vertigo knotd[18479]: info: [nxdomain.fi.] zone will be
loaded
Jun 27 07:10:03 vertigo knotd[18479]: info: [nxdomain.fi.] DNSSEC,
loaded key, tag 14223, algorithm 8, KSK no, ZSK yes, public no, ready
no, active yes
Jun 27 07:10:03 vertigo knotd[18479]: info: [nxdomain.fi.] DNSSEC,
loaded key, tag 61894, algorithm 8, KSK yes, ZSK no, public no, ready
no, active yes
Jun 27 07:10:03 vertigo knotd[18479]: error: [nxdomain.fi.] DNSSEC, keys
validation failed (no keys for signing)
Jun 27 07:10:03 vertigo knotd[18479]: error: [nxdomain.fi.] DNSSEC,
failed to load keys (no keys for signing)
Jun 27 07:10:03 vertigo knotd[18479]: 2017-06-27T07:10:03 error:
[nxdomain.fi.] DNSSEC, failed to load keys (no keys for signing)
Jun 27 07:10:03 vertigo knotd[18479]: error: [nxdomain.fi.] zone event
'load' failed (no keys for signing)
When running "keymgr nxdomain.fi list", the keys are listed, though. I
have also checked that the /var/lib/knot and everything under it is
owned by knot:knot, so this shouldn't be a file permission issue. I also
tried to manually set the key timing argument, but it didn't make any
difference.
Antti
_______________________________________________
knot-dns-users mailing list
knot-dns-users(a)lists.nic.cz
https://lists.nic.cz/cgi-bin/mailman/listinfo/knot-dns-users
9:09
New subject: Knot 2.5.2 fails to load DNSSEC keys
Antti,
Glad it works again :)
Yes, those timestamps can be all equal (makes sense for created ..
active). Some confusion could only arise if they were in wrong time order.
Libor
Dne 27.6.2017 v 08:51 Antti Ristimäki napsal(a):
Hi Libor,
OK, I just did set the publish, ready and active timing parameters
manually on the keys and now it works again.
By the way, is it OK if all those three timestamps are the same or does
it cause some confusion to Knot?
Antti
On 27.06.2017 08:33, libor.peltan(a)nic.cz wrote:
> Hi Antti,
>
> what shows up to be wrong is:
>
> public no, ready no, active yes
>
> You shall be able to fix it by setting the keys timing via keymgr such
> way that
>
> publish, ready and active times would be in the past; retire and
> remove times in the future.
>
> If you still have any problems, please send us the output of keymgr
> list command.
>
> Unfortunately, I have no idea how this could happen. If you find out
> how to reproduce the issue, I would be very glad.
>
> Thanks much,
>
> Libor
>
>
> Dne 27.6.2017 v 06:25 Antti Ristimäki napsal(a):
>> Hi,
>>
>> My Knot DNS was upgraded from 2.5.1 to 2.5.2 and now it is unable to
>> load zone DNSSEC keys. Below are some relevant logs:
>>
>> Jun 27 07:10:03 vertigo knotd[18479]: info: [nxdomain.fi.] zone will be
>> loaded
>> Jun 27 07:10:03 vertigo knotd[18479]: info: [nxdomain.fi.] DNSSEC,
>> loaded key, tag 14223, algorithm 8, KSK no, ZSK yes, public no, ready
>> no, active yes
>> Jun 27 07:10:03 vertigo knotd[18479]: info: [nxdomain.fi.] DNSSEC,
>> loaded key, tag 61894, algorithm 8, KSK yes, ZSK no, public no, ready
>> no, active yes
>> Jun 27 07:10:03 vertigo knotd[18479]: error: [nxdomain.fi.] DNSSEC, keys
>> validation failed (no keys for signing)
>> Jun 27 07:10:03 vertigo knotd[18479]: error: [nxdomain.fi.] DNSSEC,
>> failed to load keys (no keys for signing)
>> Jun 27 07:10:03 vertigo knotd[18479]: 2017-06-27T07:10:03 error:
>> [nxdomain.fi.] DNSSEC, failed to load keys (no keys for signing)
>> Jun 27 07:10:03 vertigo knotd[18479]: error: [nxdomain.fi.] zone event
>> 'load' failed (no keys for signing)
>>
>> When running "keymgr nxdomain.fi list", the keys are listed, though. I
>> have also checked that the /var/lib/knot and everything under it is
>> owned by knot:knot, so this shouldn't be a file permission issue. I also
>> tried to manually set the key timing argument, but it didn't make any
>> difference.
>>
>> Antti
>> _______________________________________________
>> knot-dns-users mailing list
>> knot-dns-users(a)lists.nic.cz
>> https://lists.nic.cz/cgi-bin/mailman/listinfo/knot-dns-users
15:54
New subject: Knot 2.5.2 fails to load DNSSEC keys
Hi,
Not sure if it's related, but I noticed trouble with pykeymgr
I was notified of the same sympthones when upgrading the port to 2.5.1
I suspected a minimum required version for python to make the egg.
Using 3.0+ in stead of 2.7 solved it under 2.5.1,
but 2.5.2 didn't had that issue at all.
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220241
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220258
--
Met vriendelijke groet,
With kind regards,
Leo Vandewoestijne
< @dns.company>
<www.dns.company>
7:36
New subject: Knot 2.5.2 fails to load DNSSEC keys
Hi Antti,
as a very first thing - can you check the permissions on *mdb files in your
kasp-db directory?
Ondřej
On 27 June 2017 06:26:02 Antti Ristimäki <antti(a)nxdomain.fi> wrote:
Hi,
My Knot DNS was upgraded from 2.5.1 to 2.5.2 and now it is unable to
load zone DNSSEC keys. Below are some relevant logs:
Jun 27 07:10:03 vertigo knotd[18479]: info: [nxdomain.fi.] zone will be
loaded
Jun 27 07:10:03 vertigo knotd[18479]: info: [nxdomain.fi.] DNSSEC,
loaded key, tag 14223, algorithm 8, KSK no, ZSK yes, public no, ready
no, active yes
Jun 27 07:10:03 vertigo knotd[18479]: info: [nxdomain.fi.] DNSSEC,
loaded key, tag 61894, algorithm 8, KSK yes, ZSK no, public no, ready
no, active yes
Jun 27 07:10:03 vertigo knotd[18479]: error: [nxdomain.fi.] DNSSEC, keys
validation failed (no keys for signing)
Jun 27 07:10:03 vertigo knotd[18479]: error: [nxdomain.fi.] DNSSEC,
failed to load keys (no keys for signing)
Jun 27 07:10:03 vertigo knotd[18479]: 2017-06-27T07:10:03 error:
[nxdomain.fi.] DNSSEC, failed to load keys (no keys for signing)
Jun 27 07:10:03 vertigo knotd[18479]: error: [nxdomain.fi.] zone event
'load' failed (no keys for signing)
When running "keymgr nxdomain.fi list", the keys are listed, though. I
have also checked that the /var/lib/knot and everything under it is
owned by knot:knot, so this shouldn't be a file permission issue. I also
tried to manually set the key timing argument, but it didn't make any
difference.
Antti
_______________________________________________
knot-dns-users mailing list
knot-dns-users(a)lists.nic.cz
https://lists.nic.cz/cgi-bin/mailman/listinfo/knot-dns-users
8:15
New subject: Knot 2.5.2 fails to load DNSSEC keys
So, ignore me, Libor has better eyes for reading fresh logs in the morning...
On 27 June 2017 7:36:25 a.m. Ondřej Surý <ondrej.sury(a)nic.cz> wrote:
Hi Antti,
as a very first thing - can you check the permissions on *mdb files in your
kasp-db directory?
Ondřej
On 27 June 2017 06:26:02 Antti Ristimäki <antti(a)nxdomain.fi> wrote:
Hi,
My Knot DNS was upgraded from 2.5.1 to 2.5.2 and now it is unable to
load zone DNSSEC keys. Below are some relevant logs:
Jun 27 07:10:03 vertigo knotd[18479]: info: [nxdomain.fi.] zone will be
loaded
Jun 27 07:10:03 vertigo knotd[18479]: info: [nxdomain.fi.] DNSSEC,
loaded key, tag 14223, algorithm 8, KSK no, ZSK yes, public no, ready
no, active yes
Jun 27 07:10:03 vertigo knotd[18479]: info: [nxdomain.fi.] DNSSEC,
loaded key, tag 61894, algorithm 8, KSK yes, ZSK no, public no, ready
no, active yes
Jun 27 07:10:03 vertigo knotd[18479]: error: [nxdomain.fi.] DNSSEC, keys
validation failed (no keys for signing)
Jun 27 07:10:03 vertigo knotd[18479]: error: [nxdomain.fi.] DNSSEC,
failed to load keys (no keys for signing)
Jun 27 07:10:03 vertigo knotd[18479]: 2017-06-27T07:10:03 error:
[nxdomain.fi.] DNSSEC, failed to load keys (no keys for signing)
Jun 27 07:10:03 vertigo knotd[18479]: error: [nxdomain.fi.] zone event
'load' failed (no keys for signing)
When running "keymgr nxdomain.fi list", the keys are listed, though. I
have also checked that the /var/lib/knot and everything under it is
owned by knot:knot, so this shouldn't be a file permission issue. I also
tried to manually set the key timing argument, but it didn't make any
difference.
Antti
_______________________________________________
knot-dns-users mailing list
knot-dns-users(a)lists.nic.cz
https://lists.nic.cz/cgi-bin/mailman/listinfo/knot-dns-users
_______________________________________________
knot-dns-users mailing list
knot-dns-users(a)lists.nic.cz
https://lists.nic.cz/cgi-bin/mailman/listinfo/knot-dns-users
2704
days inactive
2708
days old
7 comments
5 participants
participants (5)
-
Antti Ristimäki -
Daniel Salzman -
Leo Vandewoestijne -
libor.peltan@nic.cz -
Ondřej Surý