[GH-ISSUE #556] Server: The state of Dynamic DNS with SIG(0) #534

Closed
opened 2026-03-15 22:59:50 +03:00 by kerem · 3 comments

Originally created by @Darkspirit on GitHub (Sep 3, 2018).
Original GitHub issue: https://github.com/hickory-dns/hickory-dns/issues/556

https://manpages.debian.org/testing/dnsutils/nsupdate.1.en.html

> The -k may also be used to specify a SIG(0) key used to authenticate Dynamic DNS update requests. In this case, the key specified is not an HMAC-MD5 key.


cargo install --git https://github.com/bluejekyll/trust-dns --features dnssec-openssl,dnssec-ring --force --debug --root . --version 0.15.0-alpha.1 trust-dns-server

cargo install --git https://github.com/bluejekyll/trust-dns --force --root . --version 0.3.0-alpha.1 --bin dnskey-to-pem trust-dns-util

https://dyn.manpages.debian.org/testing/bind9utils/dnssec-keygen.8.en.html
-C selects private key format v1.2, as needed by dnskey-to-pem; otherwise it would be v1.3.
I am not sure if I should use HOST, USER or OTHER here. This tutorial used HOST: https://jpmens.net/2010/12/01/securing-dynamic-dns-updates-ddns-with-sig0/
dnssec-keygen -a RSASHA256 -b 2048 -C -n HOST -T KEY dev.terrax.net

./dnskey-to-pem -o dev.terrax.net.nsupdate.pem Kdev.terrax.net.+008+27979.private

Kdev.terrax.net.+008+27979.key

dev.terrax.net. IN KEY 512 3 8 AwEAAbb52mb/rQZ3pKSJ4Ty7P1iEQI4UZfHW89M6gh13oaCm+MIKd0bb u8gau9gbu3PKZGtHgheCqppblg+A0HHoprb00nxy8xkP5kqUK5hEd4I2 SXRtRsZpO3zR9tDwRqtCmk4MhhZqU0fBa5eDeiy8OhWKiP48Hz3b8l4s R7VmWAkTo7K6721ZTIp7j3jhkFjPikWtqX3jYqTh+pudjThy3QcPkWL3 t/dT3YgOz3e2lIcpe163eGGssC0JB4UH9nVGLTaf3nzdo4t1/fowfQbV cVN23FFkiijvR9nD8PNS0VwynL+Tp7w/ovdRddVbTOxI52r2QKhuHzgK DGkjU633kZU=

Kdev.terrax.net.+008+27979.private

Private-key-format: v1.2
Algorithm: 8 (RSASHA256)
Modulus: ***censored***
PublicExponent: ***censored***
PrivateExponent: ***censored***
Prime1: ***censored***
Prime2: ***censored***
Exponent1: ***censored***
Exponent2: ***censored***
Coefficient: ***censored***

dev.terrax.net.nsupdate.pem

-----BEGIN RSA PRIVATE KEY-----
***censored***
-----END RSA PRIVATE KEY-----

config.toml

listen_addrs_ipv4 = ["127.0.0.1"]
listen_addrs_ipv6 = ["2001:67c:1400:2190::1", "::1"]
listen_port = 8053

[[zones]]
zone = "dev.terrax.net"
zone_type = "Master"
file = "dev.terrax.net.zone"
allow_update = true
enable_dnssec = true

[[zones.keys]]
key_path = "dev.terrax.net.csk.pem"
algorithm = "ECDSAP384SHA384"
is_zone_signing_key = true
is_zone_update_auth = false

[[zones.keys]]
key_path = "dev.terrax.net.nsupdate.pem"
algorithm = "RSASHA256"
is_zone_signing_key = false
is_zone_update_auth = true

update.sh

# debian package: dnsutils
nsupdate -v -k Kdev.terrax.net.+008+27979.private << EOF
server 127.0.0.1 8053
debug yes
zone dev.terrax.net.
update delete dev.terrax.net. MX
update add dev.terrax.net. 600 MX 1 mx.h.terrax.net.
send
EOF

running nsupdate

$ ./update.sh
Sending update to 127.0.0.1#8053
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  37092
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 2, ADDITIONAL: 1
;; ZONE SECTION:
;dev.terrax.net.                        IN      SOA

;; UPDATE SECTION:
dev.terrax.net.         0       ANY     MX
dev.terrax.net.         600     IN      MX      1 mx.h.terrax.net.

;; SIG0 PSEUDOSECTION:
.                       0       ANY     SIG     0 8 0 0 20180903020211 20180903015211 27979 dev.terrax.net. Fv94DukqWgirj/5x82y8nwizDR4HnDyTLVLBqkAuS2Dr98ObEnQkDLCt nDNHUznN9EAHATuGdJ2g8kjwz6aCC0u2W0wcGLZO+smU8jIs+K70coOb IuIuzmzd6Vc5Vt5xSSap/MwPY1D0yuE9KOu/TN/KbBICsOfsk1CJmv7p bL8Ua4NDCPGrBx8GzR8YWltohBvAORZq1BQS7+2s2CcFvsKnL9lR2Pdu PyU4vg6aT0YjhAD79bmkdEVC9sSeMV8TLPnUbIGl8AUG9CsL4hIaSVt5 Vw8bhAMRCqXBASPxAdKJ7oTBmJD2/PVS/L6+HpOVPXpxOiv3rIOdiKIP //Fk1g==


Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id:  37092
;; flags: qr; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0

TRust-DNS log

1535939831.780452:DEBUG:trust_dns_server::server::server_future:109:accepted request from: 127.0.0.1:52335
1535939831.783256:DEBUG:trust_dns_proto::tcp::tcp_stream:340:in ReadTcpState::LenBytes: 0
1535939831.783435:DEBUG:trust_dns_proto::tcp::tcp_stream:349:got length: 366
1535939831.783686:DEBUG:trust_dns_proto::tcp::tcp_stream:353:move ReadTcpState::Bytes: 366
1535939831.783869:DEBUG:trust_dns_proto::tcp::tcp_stream:377:in ReadTcpState::Bytes: 366
1535939831.784040:DEBUG:trust_dns_proto::tcp::tcp_stream:384:reset ReadTcpState::LenBytes: 0
1535939831.784174:DEBUG:trust_dns_proto::tcp::tcp_stream:399:returning bytes
1535939831.784293:DEBUG:trust_dns_proto::tcp::tcp_stream:408:returning buffer
1535939831.784498:DEBUG:trust_dns_proto::rr::record_data:446:reading MX
1535939831.784645:DEBUG:trust_dns_proto::rr::dnssec::rdata:494:reading SIG
1535939831.784883:INFO:trust_dns_server::server::server_future:292:request: 37092 type: Query op_code: Update dnssec: false name: dev.terrax.net. type: SOA class: IN
1535939831.785047:DEBUG:trust_dns_server::authority::authority:504:authorizing with: [Record { name_labels: Name { is_fqdn: true, labels: [] }, rr_type: DNSSEC(SIG), dns_class: ANY, ttl: 0, rdata: DNSSEC(SIG(SIG { type_covered: ZERO, algorithm: RSASHA256, num_labels: 0, original_ttl: 0, sig_expiration: 1535940131, sig_inception: 1535939531, key_tag: 27979, signer_name: Name { is_fqdn: true, labels: [dev, terrax, net] }, sig: [22, 255, 120, 14, 233, 42, 90, 8, 171, 143, 254, 113, 243, 108, 188, 159, 8, 179, 13, 30, 7, 156, 60, 147, 45, 82, 193, 170, 64, 46, 75, 96, 235, 247, 195, 155, 18, 116, 36, 12, 176, 173, 156, 51, 71, 83, 57, 205, 244, 64, 7, 1, 59, 134, 116, 157, 160, 242, 72, 240, 207, 166, 130, 11, 75, 182, 91, 76, 28, 24, 182, 78, 250, 201, 148, 242, 50, 44, 248, 174, 244, 114, 131, 155, 34, 226, 46, 206, 108, 221, 233, 87, 57, 86, 222, 113, 73, 38, 169, 252, 204, 15, 99, 80, 244, 202, 225, 61, 40, 235, 191, 76, 223, 202, 108, 18, 2, 176, 231, 236, 147, 80, 137, 154, 254, 233, 108, 191, 20, 107, 131, 67, 8, 241, 171, 7, 31, 6, 205, 31, 24, 90, 91, 104, 132, 27, 192, 57, 22, 106, 212, 20, 18, 239, 237, 172, 216, 39, 5, 190, 194, 167, 47, 217, 81, 216, 247, 110, 63, 37, 56, 190, 14, 154, 79, 70, 35, 132, 0, 251, 245, 185, 164, 116, 69, 66, 246, 196, 158, 49, 95, 19, 44, 249, 212, 108, 129, 165, 240, 5, 6, 244, 43, 11, 226, 18, 26, 73, 91, 121, 87, 15, 27, 132, 3, 17, 10, 165, 193, 1, 35, 241, 1, 210, 137, 238, 132, 193, 152, 144, 246, 252, 245, 82, 252, 190, 190, 30, 147, 149, 61, 122, 113, 58, 43, 247, 172, 131, 157, 136, 162, 15, 255, 241, 100, 214] })) }]
1535939831.785680:DEBUG:trust_dns_server::authority::authority:523:found keys NameExists
1535939831.785808:WARN:trust_dns_server::authority::authority:545:no sig0 matched registered records: id 37092
1535939831.785956:INFO:trust_dns_server::server::response_handler:44:response: 37092 response_code: 5
1535939831.786142:DEBUG:trust_dns_proto::tcp::tcp_stream:293:sending message len: 12 to: 127.0.0.1:52335
1535939831.787653:DEBUG:trust_dns_proto::tcp::tcp_stream:327:zero bytes read, stream closed?

Problems:

  1. The RSA key is not a zone signing key (is_zone_signing_key = false), but both keys sign the zone: http://dnsviz.net/d/dev.terrax.net/W4yK-w/dnssec/
  2. No usable KEY might be found? ("found keys NameExists") github.com/bluejekyll/trust-dns@9d167c7057/server/src/authority/authority.rs (L523)

I found this comment from you on this topic: https://github.com/bluejekyll/trust-dns/pull/119#issuecomment-296783951. I would expect that TRust-DNS would internally generate a KEY record based on a configured is_zone_update_auth=true key. (Maybe it does and I did something wrong?) On the other hand, I also wasn't able to store the above Kdev.terrax.net.+008+27979.key record in the zone file. There seemed to be a parsing problem:
1535939557.345767:ERROR:named:406:could not load zone dev.terrax.net.: error reading zone: "/home/trustdns/dev.terrax.net.zone": proto error


@bluejekyll commented on GitHub (Sep 5, 2018):

Thank you for this wonderful exploration! I think there is definitely some better tooling needed here.

> The RSA key is not a zone signing key (is_zone_signing_key = false), but both keys sign the zone

this sounds like a bug, we should file a separate issue.

> No usable KEY might be found? ("found keys NameExists")

Hm, I think we need better validation tools to make sure this is setup correctly.

> I would expect that TRust-DNS would internally generate a KEY record based on a configured is_zone_update_auth=true key.

I think we may have changed the way some of this works, and I definitely want to revisit this. I'm not 100% happy with the authz story for this at the moment. We also clearly need more utilities that help validate certain things, like testing if a key can be used for different things and is compatible. I'm hoping to get back to some of this soon.

Would you want to perhaps give an ideal set of tools that would make this easier for you?

For now, the best example I have for dns-sec && dynamic updates is this: https://github.com/bluejekyll/trust-dns/blob/master/server/tests/named_test_configs/dnssec_with_update.toml

Which is currently validated with this test: https://github.com/bluejekyll/trust-dns/blob/master/server/tests/z_named_test_rsa_dnssec.rs#L180


@Darkspirit commented on GitHub (Feb 6, 2019):

Background: I - as a total beginner - would like to write a small acme lib / tool that

  • generates key, CSR and TLSA record without openssl by using bcder (https://github.com/NLnetLabs/bcder) and ring (done and working)
  • should create acme-challenge and TLSA records on a Trust-DNS server via sig0 (https://docs.rs/trust-dns/0.16.0-alpha.2/trust_dns/index.html#dynamic-update) with ed25519 (works with manual fix from below),
  • should warn if no CAA 0 issue "letsencrypt.org; validationmethods=dns-01" is present,
  • should talk acme v2 via reqwest with rustls (preferably solely with Let's Encrypt as trust anchor),
  • should take care of renewal with some overlapping time because of TLSA.

Sig0 works if I change github.com/bluejekyll/trust-dns@9567c3d5f7/crates/server/src/named.rs (L158-L171) to

for key_config in zone_config.get_keys() {
    info!(
        "adding key to zone: {:?}, is_zsk: {}, is_auth: {}",
        key_config.key_path(),
        key_config.is_zone_signing_key(),
        key_config.is_zone_update_auth()
    );
    if key_config.is_zone_signing_key() {
        let zone_signer = key_config.try_into_signer(zone_name.clone()).map_err(|e| {
            format!("failed to load key: {:?} msg: {}", key_config.key_path(), e)
        })?;
        authority
            .add_zone_signing_key(zone_signer)
            .expect("failed to add signing key to authority");
    }
    if key_config.is_zone_update_auth() {
        // sorry, but signer.clone() was not possible
        let update_auth_signer = key_config.try_into_signer(zone_name.clone()).map_err(|e| {
            format!("failed to load key: {:?} msg: {}", key_config.key_path(), e)
        })?;
        authority
            .add_update_auth_key(
                zone_name.clone(),
                update_auth_signer.key().to_sig0key(update_auth_signer.algorithm()).unwrap()
            )
            .expect("failed to add update auth key to authority");
    }
}

Would you consider this as a valid fix?

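An added example, written for this thread rather than taken from Trust-DNS or from the posts above, that covers both the refused update in the first post and the fix proposed in the last one: it parses the KEY record pasted above, computes its RFC 4034 key tag (the 27979 in the key filename and in the SIG(0) pseudosection), and runs the server's candidate selection (KEY records at the signer name, then matching algorithm and tag) once with no KEY registered for the zone and once with the KEY the fix registers. `registered` is a stand-in for the server's key store; the signature verification that follows a successful match is not modelled.

```python
# Added example for this thread, not Trust-DNS code: the KEY lookup the server log shows
# before refusing the update, run over the KEY record and SIG(0) fields pasted in the issue.
from __future__ import annotations
import base64
from dataclasses import dataclass

# Presentation-format KEY record from Kdev.terrax.net.+008+27979.key, as posted above.
KEY_RECORD = (
    "dev.terrax.net. IN KEY 512 3 8 "
    "AwEAAbb52mb/rQZ3pKSJ4Ty7P1iEQI4UZfHW89M6gh13oaCm+MIKd0bb "
    "u8gau9gbu3PKZGtHgheCqppblg+A0HHoprb00nxy8xkP5kqUK5hEd4I2 "
    "SXRtRsZpO3zR9tDwRqtCmk4MhhZqU0fBa5eDeiy8OhWKiP48Hz3b8l4s "
    "R7VmWAkTo7K6721ZTIp7j3jhkFjPikWtqX3jYqTh+pudjThy3QcPkWL3 "
    "t/dT3YgOz3e2lIcpe163eGGssC0JB4UH9nVGLTaf3nzdo4t1/fowfQbV "
    "cVN23FFkiijvR9nD8PNS0VwynL+Tp7w/ovdRddVbTOxI52r2QKhuHzgK "
    "DGkjU633kZU="
)
# SIG(0) fields from the nsupdate debug output: signer name, algorithm 8, key tag 27979.
SIG0_FROM_ISSUE = ("dev.terrax.net.", 8, 27979)


@dataclass(frozen=True)
class KeyRecord:
    owner: str
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    def rdata(self) -> bytes:
        """Wire RDATA: flags (2 bytes), protocol (1), algorithm (1), public key."""
        return self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.public_key

    def key_tag(self) -> int:
        """RFC 4034 Appendix B key tag over the RDATA (algorithm 8 is not the RSAMD5 case)."""
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF

    def rsa_public_key(self) -> tuple[int, int]:
        """RFC 3110 layout (exponent length, exponent, modulus) -> (exponent, modulus bits)."""
        pk, exp_len, off = self.public_key, self.public_key[0], 1
        if exp_len == 0:  # long form: exponent length in the next two bytes
            exp_len, off = int.from_bytes(pk[1:3], "big"), 3
        exponent = int.from_bytes(pk[off:off + exp_len], "big")
        return exponent, int.from_bytes(pk[off + exp_len:], "big").bit_length()


def parse_key_record(line: str) -> KeyRecord:
    """Parse 'owner [ttl] [class] KEY flags protocol algorithm base64...' as dnssec-keygen writes it."""
    f = line.split()
    i = f.index("KEY")
    return KeyRecord(f[0].lower(), int(f[i + 1]), int(f[i + 2]), int(f[i + 3]),
                     base64.b64decode("".join(f[i + 4:])))


def find_sig0_key(registered: dict[str, list[KeyRecord]], signer: str,
                  algorithm: int, key_tag: int) -> KeyRecord | None:
    """Candidate selection as in the log: a KEY stored at the signer name whose algorithm and
    tag match. The signature is verified afterwards; None here already means REFUSED."""
    for key in registered.get(signer.lower(), []):
        if key.protocol == 3 and key.algorithm == algorithm and key.key_tag() == key_tag:
            return key
    return None


def demo(signer: str, algorithm: int, key_tag: int) -> tuple[str, str]:
    """Rcode before the fix (zone name exists, no KEY: "found keys NameExists") and after it."""
    key = parse_key_record(KEY_RECORD)
    return tuple("NOERROR" if find_sig0_key(reg, signer, algorithm, key_tag) else "REFUSED"
                 for reg in ({"dev.terrax.net.": []}, {"dev.terrax.net.": [key]}))
```

`demo(*SIG0_FROM_ISSUE)` reproduces the thread's situation with the SIG(0) fields as posted; the tag computed from the KEY record is what the server compares against the 27979 carried in the SIG record.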

@bluejekyll commented on GitHub (Feb 6, 2019):

yes, this looks like a good fix, I'll leave comments in the PR.
