[ldns-users] drill question
bert hubert
bert.hubert at netherlabs.nl
Fri Jul 3 20:38:59 UTC 2009
Hi everybody,
Please forgive this DNSSEC 'noob' :-) Also, many thanks for writing 'drill';
it is one of the only tools I've found to validate DNSSEC signatures from
the command line.
However, all is not well. Can you tell me what is wrong with the following:
$ drill -D dnssec.se dnskey @secondary.se | grep DNSKEY | grep "12066 (zsk" > dnskey.dnssec.se
$ drill -k ./dnskey.dnssec.se -D dnssec.se @secondary.se
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 25670
;; flags: qr aa rd ; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 0
;; QUESTION SECTION:
;; dnssec.se. IN A
;; ANSWER SECTION:
;; AUTHORITY SECTION:
dnssec.se. 300 IN SOA ns.dnssec.se. jakob.kirei.se. 1246322701 3600 600 86400 300
dnssec.se. 300 IN RRSIG SOA 5 2 300 20090709234501 20090629234501 12066 dnssec.se. NlKm3FJehDDCOKtZUxlOCqMfCSa4wrknW6/BU0lE/wkAj29XqYp6qe7odJL6qEcFTYN5alqYLm2+nGVhBu7V29bNHq1/GshICNU/pBaDkk5OGBybE7pQphgU7sL7qnGU32P1fTj6pGlerQ84OGEfvpDcmHBL+cPtLtYGEt3TP4Y= ;{id = 12066}
dnssec.se. 300 IN NSEC _adsp._domainkey.dnssec.se. NS SOA TXT RRSIG NSEC DNSKEY TYPE99
dnssec.se. 300 IN RRSIG NSEC 5 2 300 20090709234501 20090629234501 12066 dnssec.se. OC3mkDJ/gjZVRCpbTBhv0Z+vLT47pXoKa39vRyXJ592EnaYTAcJbge74NN1hgXDE9CxrJuYfEes5wdzzLsCwGjnffVtGbcpCxZbElWFZhe1f0hrLbeKV14RLpUN0yIYIO6rcNvds8veovX/N6/OIXx3mHC2elcAwBSOkpUf7rn8= ;{id = 12066}
;; ADDITIONAL SECTION:
;; Query time: 53 msec
;; EDNS: version 0; flags: ; udp: 4096
;; SERVER: 81.93.140.75
;; WHEN: Fri Jul 3 22:36:03 2009
;; MSG SIZE rcvd: 491
; result = 11
BOGUS by id = 12066, owner = dnssec.se.
This is with 'drill' as contained in ldns-1.5.1. It does appear that
dnssec.se is signed correctly, and my own 'pdnsdig' tool verifies it
correctly too.
But I really want to be able to verify signatures using another tool!
Can you tell me what I am doing wrong?
Thanks!
--
http://www.PowerDNS.com Open source, database driven DNS Software
http://netherlabs.nl Open and Closed source services
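As an added illustration (not part of this post or of ldns), the following Python checks the three things a validator looks at in this response before any signature cryptography: whether the RRSIG validity window contains the query time, whether the RRSIG key tag matches the DNSKEY that was supplied, and whether the NSEC at the query name proves the absence of the A type (the answer section is empty, so this is a NODATA response). The sample text is constructed from the output quoted above with the signature data replaced by a placeholder; treating the WHEN timestamp as UTC is an assumption.

```python
"""Sanity-check the DNSSEC fields of a drill NODATA response (added example, not ldns code)."""
from datetime import datetime, timezone

# Constructed sample built from the drill authority section quoted above; the
# signature data is replaced by the placeholder SIGDATA since it is never used here.
DRILL_AUTHORITY = """\
dnssec.se. 300 IN SOA ns.dnssec.se. jakob.kirei.se. 1246322701 3600 600 86400 300
dnssec.se. 300 IN RRSIG SOA 5 2 300 20090709234501 20090629234501 12066 dnssec.se. SIGDATA ;{id = 12066}
dnssec.se. 300 IN NSEC _adsp._domainkey.dnssec.se. NS SOA TXT RRSIG NSEC DNSKEY TYPE99
dnssec.se. 300 IN RRSIG NSEC 5 2 300 20090709234501 20090629234501 12066 dnssec.se. SIGDATA ;{id = 12066}
"""
QUERY_TIME = "20090703223603"  # the WHEN line of the response, assumed to be UTC


def rrsig_time(s):
    """RRSIG inception/expiration are YYYYMMDDHHmmSS in UTC (RFC 4034 presentation format)."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsigs(text):
    """Return (type_covered, inception, expiration, key_tag, signer) for each RRSIG line."""
    out = []
    for line in text.splitlines():
        f = line.split()
        if len(f) > 11 and f[3] == "RRSIG":
            # RDATA order: type alg labels origttl expiration inception keytag signer signature
            out.append((f[4], rrsig_time(f[9]), rrsig_time(f[8]), int(f[10]), f[11]))
    return out


def parse_nsecs(text):
    """Return (owner, next_name, set_of_types) for each NSEC line."""
    return [(f[0], f[4], set(f[5:])) for f in (l.split() for l in text.splitlines())
            if len(f) > 4 and f[3] == "NSEC"]


def check_nodata_response(text, qname, qtype, when, trusted_tags):
    """The pre-crypto checks a validator applies to a NOERROR/ANSWER:0 response."""
    now = rrsig_time(when)
    sigs, nsecs = parse_rrsigs(text), parse_nsecs(text)
    # 1. every signature must be current at query time
    window_ok = bool(sigs) and all(inc <= now <= exp for _, inc, exp, _, _ in sigs)
    # 2. every signature must name a key tag we actually hold a DNSKEY for
    tags_ok = bool(sigs) and all(tag in trusted_tags for _, _, _, tag, _ in sigs)
    # 3. NODATA proof: an NSEC owned by qname whose type bitmap lacks qtype, itself signed
    at_qname = [n for n in nsecs if n[0] == qname]
    nodata_ok = (bool(at_qname) and all(qtype not in n[2] for n in at_qname)
                 and any(t == "NSEC" for t, *_ in sigs))
    return {"signature_window": window_ok, "key_tag_trusted": tags_ok, "nodata_proof": nodata_ok}
```

For the quoted response all three checks pass, so the BOGUS verdict is not explained by an expired signature, a key-tag mismatch or a malformed NSEC bitmap; the remaining suspects are the supplied key material and the verification itself.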