<div dir="ltr">Hello Willem,<div><br></div><div>In my opinion this one should end up with non zero status. And why should signature chasing behavior differ from simple query which fails signature validation? Maybe I'm misunderstanding the purpose of the chase functionality.</div><div>Thanks,</div><div><br></div><div>Emil</div><div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Mar 14, 2017 at 5:04 PM, Willem Toorop <span dir="ltr"><<a href="mailto:willem@nlnetlabs.nl" target="_blank">willem@nlnetlabs.nl</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Op 14-03-17 om 15:41 schreef Emil Natan:<br>
> Hello,<br>
><br>
> I have domain <a href="http://testdom5.isoc-il.net" rel="noreferrer" target="_blank">testdom5.isoc-il.net</a> <<a href="http://testdom5.isoc-il.net" rel="noreferrer" target="_blank">http://testdom5.isoc-il.net</a>><br>
<span class="">> deliberately signed with signatures end time in the past.<br>
><br>
</span>> "drill dnskey <a href="http://testdom5.isoc-il.net" rel="noreferrer" target="_blank">testdom5.isoc-il.net</a> <<a href="http://testdom5.isoc-il.net" rel="noreferrer" target="_blank">http://testdom5.isoc-il.net</a>>" as<br>
<span class="">> expected fails with SERVFAIL<br>
><br>
> Chasing the signature for that record though succeeds.<br>
> It says "|---DNSSEC signature has expired" on the way, but I was<br>
> expecting the result to be Chase Failed and non zero exit code.<br>
><br>
> Do you consider that a bug or is that the expected behavior? Thanks.<br>
<br>
</span>Hello Emil,<br>
<br>
Neither yet.  How would you (or the list) consider this behaviour?<br>
Should chasing perform the chase and then exit non zero when there was a<br>
bogus RR on the path, like tracing does?<br>
<br>
-- Willem<br>
<br>
><br>
> drill -S dnskey  <a href="http://testdom5.isoc-il.net" rel="noreferrer" target="_blank">testdom5.isoc-il.net</a> <<a href="http://testdom5.isoc-il.net" rel="noreferrer" target="_blank">http://testdom5.isoc-il.net</a>><br>
<span class="">> ;; Number of trusted keys: 1<br>
</span>> ;; Chasing: <a href="http://testdom5.isoc-il.net" rel="noreferrer" target="_blank">testdom5.isoc-il.net</a> <<a href="http://testdom5.isoc-il.net" rel="noreferrer" target="_blank">http://testdom5.isoc-il.net</a>>. DNSKEY<br>
><br>
><br>
> DNSSEC Trust tree:<br>
> <a href="http://testdom5.isoc-il.net" rel="noreferrer" target="_blank">testdom5.isoc-il.net</a> <<a href="http://testdom5.isoc-il.net" rel="noreferrer" target="_blank">http://testdom5.isoc-il.net</a>>. (DNSKEY)<br>
> |---DNSSEC signature has expired:<br>
> <a href="http://testdom5.isoc-il.net" rel="noreferrer" target="_blank">testdom5.isoc-il.net</a> <<a href="http://testdom5.isoc-il.net" rel="noreferrer" target="_blank">http://testdom5.isoc-il.net</a>>.   86215   IN<br>
<span class="">>  RRSIG   DNSKEY 8 3 86400 20170310000000 20170210000000 29401<br>
</span>> <a href="http://testdom5.isoc-il.net" rel="noreferrer" target="_blank">testdom5.isoc-il.net</a> <<a href="http://testdom5.isoc-il.net" rel="noreferrer" target="_blank">http://testdom5.isoc-il.net</a>>.<br>
> GG2ukpUxPwhOp3Yb0rIRhtQvqsF+<wbr>pZ/<wbr>cIFTveHJwIaDx6GP7dxbyQ9bv1p8Oj<wbr>r/3m/tuJgfVq2RwA2+<wbr>ndDXQxfqnsvi5Nigw6u/<wbr>LVwqDFVgstxyGDHdJPuriqJjn6IYQI<wbr>saSkW52ib9M3Rrd5MptimORTlN6lLA<wbr>POgWDDHU6180/<wbr>VJhwrq8e2MXQeWLier7tdtuolXw7mx<wbr>RlChpRkV7XWHHbm5KFyS6rGlQooKEl<wbr>hLy/TBRRgK793jTpRN/<wbr>hYFj3BjgiF9VguMuwkISPNSmuBl0dz<wbr>ghiUFD1QHnALocNC5IxI19QSpdP0ny<wbr>0rIkNJ/RzKIMHyOlTqnjNzu/qpeJ+<wbr>rw==<br>
> For RRset:<br>
> <a href="http://testdom5.isoc-il.net" rel="noreferrer" target="_blank">testdom5.isoc-il.net</a> <<a href="http://testdom5.isoc-il.net" rel="noreferrer" target="_blank">http://testdom5.isoc-il.net</a>>.   86215   IN<br>
<span class="">>  DNSKEY  256 3 8<br>
> AwEAAaUDJHIJaCsatG03KN1urponSD<wbr>CPJ/<wbr>AA1ONXGm1NOMzTodDrKCfzm3sFLSh0<wbr>tQB1v314WoxOA3A+<wbr>xJtYjRAhU9NGn7ruPrR8EcXYwzYuLp<wbr>XEMWmWobKCXKHss4QYAnpyma+<wbr>wn89NBpEV976P8OX265geJdnIulDvR<wbr>K1SNkE5cPHcraklS6JWzOp4RIhTy7w<wbr>NUG7peFiVz1Vp7OVAvb25EtXjS2wAF<wbr>NitSpzBhAPcZ/<wbr>2uqLDdIfE7ieUkFDrs22nfIa1RVU2D<wbr>XzN7iWmpGBwnwbFEtTwSzhzWB6U/<wbr>uMEHuJ2exUlOOLg3BQ6FTy6kfsZzSy<wbr>GFDs5tuZSS1XO8ugqLK1U=<br>
> ;{id = 18888 (zsk), size = 2048b}<br>
</span>> <a href="http://testdom5.isoc-il.net" rel="noreferrer" target="_blank">testdom5.isoc-il.net</a> <<a href="http://testdom5.isoc-il.net" rel="noreferrer" target="_blank">http://testdom5.isoc-il.net</a>>.   86215   IN<br>
<span class="">>  DNSKEY  257 3 8<br>
> AwEAAa+<wbr>orr5ooEvpwgicZngvULwkDA1luUDrG<wbr>wKZ3Qti5C7ITTKRJq1Ahrcg/Y/gZ+<wbr>V0WPkZ074W6DLOGJp9RDIwOCfXhm9a<wbr>Su2FadG/eqwrVf+<wbr>CjPRpQZMpGc4ME6BxzkiTjw1g5Yhu0<wbr>XJDWHvYnIYVr8f7Nazb1k2OqWW5X8Q<wbr>tV7FDrW1fn85BYafVY2TXt3fYlcUzd<wbr>tisv8/<wbr>o5ce4ctmidTlXFPqNT63yyASKZiZiV<wbr>6nbdQToMQtjnxvTT12fTv4zoeKz0W8<wbr>KiQs48ttGkGxTIuJ5aKVjKJgVZQlH4<wbr>uoyI5AeUF9fIllM9LPEQvG035/<wbr>y0zkwJPZgs9DU183Sdve6P2s=<br>
> ;{id = 29401 (ksk), size = 2048b}<br>
> With key:<br>
</span>> <a href="http://testdom5.isoc-il.net" rel="noreferrer" target="_blank">testdom5.isoc-il.net</a> <<a href="http://testdom5.isoc-il.net" rel="noreferrer" target="_blank">http://testdom5.isoc-il.net</a>>.   86215   IN<br>
<span class="">>  DNSKEY  257 3 8<br>
> AwEAAa+<wbr>orr5ooEvpwgicZngvULwkDA1luUDrG<wbr>wKZ3Qti5C7ITTKRJq1Ahrcg/Y/gZ+<wbr>V0WPkZ074W6DLOGJp9RDIwOCfXhm9a<wbr>Su2FadG/eqwrVf+<wbr>CjPRpQZMpGc4ME6BxzkiTjw1g5Yhu0<wbr>XJDWHvYnIYVr8f7Nazb1k2OqWW5X8Q<wbr>tV7FDrW1fn85BYafVY2TXt3fYlcUzd<wbr>tisv8/<wbr>o5ce4ctmidTlXFPqNT63yyASKZiZiV<wbr>6nbdQToMQtjnxvTT12fTv4zoeKz0W8<wbr>KiQs48ttGkGxTIuJ5aKVjKJgVZQlH4<wbr>uoyI5AeUF9fIllM9LPEQvG035/<wbr>y0zkwJPZgs9DU183Sdve6P2s=<br>
> ;{id = 29401 (ksk), size = 2048b}<br>
</span>> |---<a href="http://testdom5.isoc-il.net" rel="noreferrer" target="_blank">testdom5.isoc-il.net</a> <<a href="http://testdom5.isoc-il.net" rel="noreferrer" target="_blank">http://testdom5.isoc-il.net</a>>. (DNSKEY keytag:<br>
<span class="">> 29401 alg: 8 flags: 257)<br>
</span>> |---<a href="http://testdom5.isoc-il.net" rel="noreferrer" target="_blank">testdom5.isoc-il.net</a> <<a href="http://testdom5.isoc-il.net" rel="noreferrer" target="_blank">http://testdom5.isoc-il.net</a>>. (DS keytag:<br>
> 29401 digest type: 2)<br>
>     |---<a href="http://isoc-il.net" rel="noreferrer" target="_blank">isoc-il.net</a> <<a href="http://isoc-il.net" rel="noreferrer" target="_blank">http://isoc-il.net</a>>. (DNSKEY keytag: 36456 alg: 8<br>
> flags: 256)<br>
>         |---<a href="http://isoc-il.net" rel="noreferrer" target="_blank">isoc-il.net</a> <<a href="http://isoc-il.net" rel="noreferrer" target="_blank">http://isoc-il.net</a>>. (DNSKEY keytag: 33769 alg:<br>
> 8 flags: 257)<br>
>         |---<a href="http://isoc-il.net" rel="noreferrer" target="_blank">isoc-il.net</a> <<a href="http://isoc-il.net" rel="noreferrer" target="_blank">http://isoc-il.net</a>>. (DS keytag: 33769 digest<br>
<span class="">> type: 2)<br>
>             |---net. (DNSKEY keytag: 16757 alg: 8 flags: 256)<br>
>                 |---net. (DNSKEY keytag: 35886 alg: 8 flags: 257)<br>
>                 |---net. (DS keytag: 35886 digest type: 2)<br>
>                     |---. (DNSKEY keytag: 61045 alg: 8 flags: 256)<br>
>                         |---. (DNSKEY keytag: 19036 alg: 8 flags: 257)<br>
> ;; Chase successful<br>
><br>
> Emil<br>
><br>
><br>
</span>> ______________________________<wbr>_________________<br>
> ldns-users mailing list<br>
> <a href="mailto:ldns-users@nlnetlabs.nl">ldns-users@nlnetlabs.nl</a><br>
> <a href="https://open.nlnetlabs.nl/mailman/listinfo/ldns-users" rel="noreferrer" target="_blank">https://open.nlnetlabs.nl/<wbr>mailman/listinfo/ldns-users</a><br>
><br>
<br>
______________________________<wbr>_________________<br>
ldns-users mailing list<br>
<a href="mailto:ldns-users@nlnetlabs.nl">ldns-users@nlnetlabs.nl</a><br>
<a href="https://open.nlnetlabs.nl/mailman/listinfo/ldns-users" rel="noreferrer" target="_blank">https://open.nlnetlabs.nl/<wbr>mailman/listinfo/ldns-users</a><br>
</blockquote></div><br></div></div></div>