Hi everyone,

I would like to use SIG(0) as a mechanism to publish certificates into my DNS
server in a secure way using DNS dynamic update (note: I'm using the latest
version of BIND, 9.3.0). For this, I create a new DNS message and generate
the SIG(0) transaction signature, which is added to the message.

The request I send to the DNS server is the following:

;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 63187
;; flags: ; qd: 1 an: 0 au: 1 ad: 1
;; ZONE:
;; dnssec.zone.org., type = SOA, class = IN

;; PREREQUISITES:
;; UPDATE RECORDS:
testsig0.dnssec.zone.org. 3600 IN CERT 1 378 1
;; ADDITIONAL RECORDS:
.. 0 ANY SIG TYPE0 1 1 0 20041230190407 20041230185907 58596 dnssec.zone.org.


The request is generated and sent successfully but I obtain a SERVFAIL from
the server:

;; ->>HEADER<<- opcode: UPDATE, status: SERVFAIL, id: 63187
;; flags: qr ; qd: 0 an: 0 au: 0 ad: 0
;; ZONE:
;; PREREQUISITES:
;; UPDATE RECORDS:
;; ADDITIONAL RECORDS:

Reviewing the log files, the server reports the following error: << has invalid signature: not verified yet (NOERROR) >>.

Is BIND able to verify SIG(0) signatures? When I do the same process
using TSIG, the DNS server verifies the signatures perfectly.

Thanks... and regards,

------
Manuel Gil Pérez
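The exchange the post describes, rebuilt as an added example (not code from the poster or from BIND): a dynamic UPDATE adding a CERT record, the SIG(0) RR computed over it the way RFC 2931 section 3.1 specifies (SIG RDATA without the signature, followed by the request as it was before the SIG(0) was appended, so ARCOUNT does not count it), and the receiver-side check that rebuilds the same data. The message ID, zone, owner name, CERT fields (1 378 1) and key tag 58596 are taken from the dump above; the certificate bytes, the fixed timestamp and the signing callback are constructed for the example. Real SIG(0) uses the private half of the KEY RR published at the signer's name; a keyed hash stands in here so the block runs with the standard library only.

```python
import hashlib
import hmac
import struct
import time

OPCODE_UPDATE = 5
TYPE_SOA, TYPE_SIG, TYPE_CERT = 6, 24, 37
CLASS_IN, CLASS_ANY = 1, 255


def encode_name(name):
    """Uncompressed wire-format name; RFC 2931 forbids compressing the SIG(0) signer's name."""
    wire = b""
    for label in name.rstrip(".").split("."):
        if label:
            wire += struct.pack("!B", len(label)) + label.encode("ascii")
    return wire + b"\x00"


def _name_end(buf, off):
    """Offset just past the name starting at `off` (compression pointers end the name)."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += length + 1


def encode_rr(name, rtype, rclass, ttl, rdata):
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def parse_header(message):
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", message[:12])
    return {"id": msg_id, "opcode": (flags >> 11) & 0xF, "qd": qd, "an": an, "ns": ns, "ar": ar}


def build_update(msg_id, zone, rrs):
    """UPDATE request: zone section naming the SOA, no prerequisites, one update RR per entry."""
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, 0, len(rrs), 0)
    body = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    for name, rtype, ttl, rdata in rrs:
        body += encode_rr(name, rtype, CLASS_IN, ttl, rdata)
    return header + body


def key_tag(key_rdata):
    """RFC 4034 Appendix B key tag over KEY/DNSKEY RDATA; the verifier picks the key by name and tag."""
    acc = 0
    for i, byte in enumerate(key_rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def sig0_rdata_prefix(algorithm, expiration, inception, tag, signer):
    """SIG(0) RDATA minus the signature: type covered 0, labels 0, original TTL 0."""
    return struct.pack("!HBBIIIH", 0, algorithm, 0, 0, expiration, inception, tag) + encode_name(signer)


def sign_update_sig0(message, signer, tag, algorithm, sign, now=None, window=300):
    """Append a SIG(0) RR as the last RR. `message` is the request before the SIG is added,
    so its ARCOUNT already excludes the SIG and it is signed as-is (RFC 2931 3.1)."""
    now = int(time.time()) if now is None else now
    prefix = sig0_rdata_prefix(algorithm, now + window, now - window, tag, signer)
    sig_rr = encode_rr(".", TYPE_SIG, CLASS_ANY, 0, prefix + sign(prefix + message))
    arcount = struct.unpack("!H", message[10:12])[0] + 1
    return message[:10] + struct.pack("!H", arcount) + message[12:] + sig_rr


def verify_update_sig0(message, verify):
    """Receiver side: locate the trailing SIG(0), rebuild the signed data, check the signature."""
    hdr = parse_header(message)
    off, rr_start = 12, None
    for _ in range(hdr["qd"]):
        off = _name_end(message, off) + 4
    for _ in range(hdr["an"] + hdr["ns"] + hdr["ar"]):
        rr_start = off
        off = _name_end(message, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", message[off:off + 10])
        off += 10 + rdlen
    if rr_start is None or off != len(message) or rtype != TYPE_SIG or rclass != CLASS_ANY:
        return False
    rdata = message[off - rdlen:off]
    sig_start = _name_end(rdata, 18)  # 18 fixed bytes, then the signer's name, then the signature
    original = message[:10] + struct.pack("!H", hdr["ar"] - 1) + message[12:rr_start]
    return verify(rdata[:sig_start] + original, rdata[sig_start:])


# --- constructed stand-in for the KEY RR's private key; not a real DNS key ---
DEMO_SECRET = b"constructed-demo-secret"


def demo_sign(data):
    return hmac.new(DEMO_SECRET, data, hashlib.sha256).digest()


def demo_verify(data, signature):
    return hmac.compare_digest(demo_sign(data), signature)


def demo_exchange(tamper=False):
    cert_rdata = struct.pack("!HHB", 1, 378, 1) + b"constructed certificate bytes"  # CERT 1 378 1 ...
    request = build_update(63187, "dnssec.zone.org.",
                           [("testsig0.dnssec.zone.org.", TYPE_CERT, 3600, cert_rdata)])
    signed = sign_update_sig0(request, "dnssec.zone.org.", 58596, 8, demo_sign, now=1700000000)
    if tamper:  # flip one bit of the message ID: the whole request is under the signature
        signed = signed[:1] + bytes([signed[1] ^ 1]) + signed[2:]
    return verify_update_sig0(signed, demo_verify)
```

What a server that verifies SIG(0) needs from this message: the SIG(0) must be the last RR, its signer's name and key tag must match a KEY RR the server can find for that name, the server's clock must fall between inception and expiration, and the update itself must be permitted for that key name by the zone's update policy. When checking a SERVFAIL it is worth confirming each of those separately before looking at the signature bytes.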