Significance of "verify failure" message in dnssec validation


ishtiaq ashiq

Mar 2, 2021, 1:47:56 PM
to dnspython-users
Hi,
While trying to validate some DNSSEC records, I'm getting some validation errors labelled as "verify failure". By having a peek at the code, I guessed it should be thrown when the signature is wrong.

     # nothing verified -- raise failure:
     raise ValidationFailure('verify failure')

The other error messages are quite self-explanatory, like "invalid public key" or "expired", but with this one I'm not fully sure.

Can anyone confirm whether this means "bogus signature" or does this signify anything else?

Thanks,
Md. Ishtiaq Ashiq

Bob Halley

Mar 3, 2021, 9:43:43 AM
to dnspython-users
A RRSIG set can, in general, contain multiple signatures made against multiple keys.  Failing to verify a signature set means you tried to verify each signature in the set, and each attempt failed.  In general, there is not a single reason for the set verification to fail.  Maybe the first signature was by an unknown key, the second used an unsupported algorithm, the third was out-of-date, and the fourth failed because the signature didn't match.  So really, there's a story associated with each failure.  We don't currently have a way to return the story, so we summarize it as ValidationFailure('verify failure'), i.e. "we tried everything and nothing worked".

Your open issue, #631, is where we're tracking coming up with a way to return the story.

In the meantime, you can get more detail by stepping through validate() with a debugger, or by copying the source to _validate() into your program and printing the error in the except (ValidationFailure, UnsupportedAlgorithm) clause.

Bob Halley

Mar 3, 2021, 9:55:41 AM
to dnspython-users
I should add that even a single signature verification with validate_rrsig() can still be a summarized story, because it's possible that there are multiple keys with the same tag and algorithm.  It could be that one key isn't a valid public key when we try to process it, or that the expected signature didn't match what we computed.

ishtiaq ashiq

Mar 6, 2021, 9:32:50 AM
to dnspython-users
Thanks for your answer. If I understand correctly, this is the summary of what you said.

1. "No RRSIGs validated" is the summarized story when I am trying to validate an RRset with an RRSIGset where no RRSIG matches the RRset.
2. "verify failure" is the summarized story when I am trying to validate an RRset with a single RRSIG but it doesn't match the RRset.

My question is that the validate_rrsig() method covers pretty much every possible exception except the invalid signature one. By invalid signature, I mean, let's say everything is correct (i.e. the key is not expired and is a valid public key) but the signature is invalid (the hash of the decrypted signature does not match the hash of the RRset). I saw one InvalidSignature exception which did not return anything. So, what will be the message returned from this validate_rrsig() method in case of an invalid signature?

Bob Halley

Mar 7, 2021, 6:33:19 PM
to dnspython-users
Re 1 and 2, basically yes.  ("Basically" because it's important that "no match" be understood to cover ALL the reasons why there was no match, including all the cases where we couldn't even compute something to try to match against because we didn't know the key, didn't know the algorithm, the key was bad, etc.)

validate_rrsig() does handle the InvalidSignature case as well.  If you look at the code, you will see it catches it.  The key tag is only 16 bits, so it is possible in a "double-signature" rollover scenario that you could have two different keys with the same signer name, algorithm, and key tag.  (This can actually happen in the real world, though it is rare.)  That means there can be more than one "candidate key", and we need to check all of the candidates in a loop, catching exceptions.  We only know verification failed after we tried everything.  So again you get the "summary" answer, even though most of the time there's only one candidate key.

ishtiaq ashiq

Mar 11, 2021, 5:03:08 PM
to dnspython-users
Again, thanks for the answer. Just a couple of follow-up questions.

1. If there are multiple candidate keys, you're raising a validation failure if one has an invalid public key or unsupported algorithm, but continuing on to check other keys in case of an invalid signature. Shouldn't you then continue with these errors (invalid public key, unsupported algorithm, etc.) as well, wait for all the candidate keys, and then raise the verify failure message at the end?

2. Multiple candidate keys should be a very very rare event given that the public key contains the key tag, right? So, with the current code, if I am not wrong, in most of the cases, "verify failure" should mean invalid signature (as the other exceptions are being generated right away as mentioned in 1). Am I right?

Thanks.

Bob Halley

Mar 14, 2021, 1:26:45 PM
to dnspython-users
Re 1. The code already works as you suggest it should; if a problem with a candidate key happens, the exception is caught and other candidate keys are considered.  Only if all candidate keys fail is "verify failure" raised.

Re 2. Yes, "verify failure" from validate_rrsig() is likely to be caused by InvalidSignature.  But it is not certain in the general case, hence my calling it a "story summary".

ishtiaq ashiq

Apr 30, 2021, 2:27:04 AM
to dnspython-users
Re 1. The code already works as you suggest it should; if a problem with a candidate key happens, the exception is caught and other candidate keys are considered.  Only if all candidate keys fail is "verify failure" raised.

But ValidationFailure is being raised rather than continuing on for the other candidate keys whenever an exception is encountered, except in the InvalidSignature case. For example, I have attached a screenshot of the code snippet for the "invalid public key" case, where the code should move to the _validate method if the ValueError is encountered and try the remaining RRSIGs rather than trying the remaining candidate keys.

Screen Shot 2021-04-30 at 2.19.29 AM.png

Am I missing something? Would be grateful if you could clarify this. Thanks.

ishtiaq ashiq

Apr 30, 2021, 2:53:13 AM
to dnspython-users
Oh, never mind. Seems like this was a bug and it's fixed in the new update.
