[ldns-users] drill question
Jelte Jansen
jelte at NLnetLabs.nl
Fri Jul 3 22:58:54 UTC 2009
bert hubert wrote:
> Hi everybody,
>
> BOGUS by id = 12066, owner = dnssec.se.
>
> This is with 'drill' as contained in ldns-1.5.1. It does appear that
> dnssec.se is signed correctly, and my own 'pdnsdig' tool verifies it
> correctly too.
>
> But I really want to be able to verify signatures using another tool!
>
> Can you tell me what I am doing wrong?
>
You're doing nothing wrong, in fact, you have discovered not one, but two bugs
in the way drill verifies single packets :/
The chase mode, where drill tries to be a little bit smarter, and actually
queries for more information, should work though;
--------------
jelte at dragon:/tmp> drill -k dnskey.dnssec.se -S dnssec.se @secondary.se
;; Chasing: dnssec.se. A
DNSSEC Trust tree:
dnssec.se. (A)
|---Existence is denied by:
|---dnssec.se. (NSEC _adsp._domainkey.dnssec.se. NS SOA TXT RRSIG NSEC DNSKEY TYPE99 )
|---dnssec.se. (DNSKEY keytag: 12066)
|---dnssec.se. (DNSKEY keytag: 2467)
|---dnssec.se. (DNSKEY keytag: 54237)
Existence denied or verifiably insecure
;; Chase successful
--------------
Anyway, thanks for reporting it just before we were about to release 1.6.0, I
think I have fixed it in the svn trunk now. I want to do a little more testing
next week, and if everything seems ok, this will be fixed in 1.6.0, due for
release very shortly now.
--------------
jelte at dragon:/tmp> drill -k Kdnssec.se.+005+12066.key -D dnssec.se @secondary.se
<snip>
; Existence denied for dnssec.se. A
--------------
jelte at dragon:/tmp> drill -k Kdnssec.se.+005+12066.key -D SOA dnssec.se @secondary.se
<snip>
; dnssec.se. 300 IN SOA ns.dnssec.se. jakob.kirei.se. 1246322701 3600 600 86400 300
; VALIDATED by id = 12066, owner = dnssec.se.
--------------
Jelte