From wouter at NLnetLabs.nl Tue Nov 10 08:27:08 2009
From: wouter at NLnetLabs.nl (W.C.A. Wijngaards)
Date: Tue, 10 Nov 2009 09:27:08 +0100
Subject: [ldns-users] EDNS0
In-Reply-To: <6E8F06D7-5E89-4C68-99AF-C4CAD63BF5B1@alcatel-lucent.be>
References: <6E8F06D7-5E89-4C68-99AF-C4CAD63BF5B1@alcatel-lucent.be>
Message-ID: <4AF923DC.10109@nlnetlabs.nl>

Hi Johan,

You have to use the dynamic update format, as it is specified in its RFC.
There is an example ldns-update that makes dynamic update request packets.

Best regards,
Wouter

On 09/29/2009 03:16 PM, Johan Moreels wrote:
> Hi,
>
> I tried to use your library in order to update DNS using update leases.
> How can I add the lease time to the DNS query?
>
> Johan Moreels
> _____________________________
> Johan Moreels
> Senior Research Engineer
> tel: (+32) 3 240 4210
> gsm: (+32) 477 500088
> e-mail: johan.moreels at alcatel-lucent.be
>
> Alcatel-Lucent Bell N.V.
> Bell Labs
> Copernicuslaan 50
> 2018 Antwerpen
> Belgium
> Fortis 220-0002334-42
> VAT BE 0404 621 642 Register of Legal Entities Antwerp
>
> This message (including any attachments) contains confidential
> information intended for a specific individual and purpose, and is
> protected by law. If you are not the intended recipient, you should
> delete this message. Any disclosure, copying, or distribution of this
> message, or the taking of any action based on it, is strictly prohibited
> without the prior consent of its author.
>
> _______________________________________________
> ldns-users mailing list
> ldns-users at open.nlnetlabs.nl
> http://open.nlnetlabs.nl/mailman/listinfo/ldns-users

From pasja at digitus.itk.ppke.hu Wed Nov 11 14:14:45 2009
From: pasja at digitus.itk.ppke.hu (Pásztor János)
Date: Wed, 11 Nov 2009 15:14:45 +0100
Subject: [ldns-users] drill problem
Message-ID: <4AFAC6D5.6070107@digitus.itk.ppke.hu>

Hi everybody,

I think I found a bug in drill.
I use BIND 9.6.0-P1 as a caching nameserver, compiled with openssl, and drill
version 1.6.1 (ldns version 1.6.1). Here is the problem:

a. First I obtain the iis.se KSK:

drill -D dnskey iis.se | grep DNSKEY | grep ';{id = 18937' >iis.se.key

b. I try to check the www.iis.se signature validation, but it fails:

drill -D www.iis.se -k ./iis.se.key

and I've got this reply:

;; Number of trusted keys: 1
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 53458
;; flags: qr aa rd ; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 8
;; QUESTION SECTION:
;; www.iis.se.	IN	A

;; ANSWER SECTION:
www.iis.se.	60	IN	A	212.247.7.221
www.iis.se.	60	IN	RRSIG	A 5 3 60 20091120152002 20091110152002 54842 iis.se. GZH+TQWJXOtRn0Xc5AIIp0YP2xIt7A4MNUOclAVXo2w/KtZyEXddcdQQXmaGUnaEXqZz0Ievn6mrQ1Wd+gp3H+3uhl9CBN871ZnJWS7bTy2h1cobUXmAyzANzoyyaYGvmHmcNjlImyk8akID7S7Sn/xfNon4vOEeW+8LH2wfjVQ= ;{id = 54842}

;; AUTHORITY SECTION:
iis.se.	3600	IN	NS	ns.nic.se.
iis.se.	3600	IN	NS	ns3.nic.se.
iis.se.	3600	IN	NS	ns2.nic.se.
iis.se.	3600	IN	RRSIG	NS 5 2 3600 20091120152002 20091110152002 54842 iis.se. UXUCbJRzySiU69pByGw04Zbx52vBZ7zMYgpeHQRZpksLcYEUJyJGS0R6gW0h7YVIXPFPS0Vq8B+ySla2jU8e1imjiOrOtfs3/4XPXdyahJc3mGZpArMQXFzvQfmCz5ql6WNaVpKVESXuHegumvyLTCGUbAAKygEVGE56kKGN4KE= ;{id = 54842}

;; ADDITIONAL SECTION:
ns.nic.se.	3600	IN	A	212.247.7.228
ns.nic.se.	3600	IN	AAAA	2a00:801:f0:53::53
ns2.nic.se.	3600	IN	A	194.17.45.54
ns3.nic.se.	60	IN	A	212.247.3.83
ns.nic.se.	3600	IN	RRSIG	A 5 3 3600 20091118132001 20091108132001 32957 nic.se. IwOHSYjv/p6rwkaFnwSz2IhNUstfw7wcu1yo11hvWXQeGCvM2uKF1txy2ri5yAthvfFmr2qcBsHJStaDvI94UDqpsWsw8gpeDSHWzpIBgmqa9R+3UVkxCRhqA2Gnl+f7ABG/b/wM3FAJdZ5OK5myvQnpbSGVSdEvx2/CnpS7zb4= ;{id = 32957}
ns.nic.se.	3600	IN	RRSIG	AAAA 5 3 3600 20091118132001 20091108132001 32957 nic.se. BNLr7xenkuA1HDCaBYUO9SOGY8Cc4wvVmanQuXTTbFqb9VVmSBi+1hJffcJFLHzqV+Wovqy+fQtdzV6K/dp0qHY22yAbjvPb2/LSGkqoQDLGwnUqFW5eKO/mr+Kj9rnqRHDozwAefbOmaSGJ20B1zcQWpW8pNsY2UwNiJCSd2lE= ;{id = 32957}
ns2.nic.se.	3600	IN	RRSIG	A 5 3 3600 20091118132001 20091108132001 32957 nic.se. 1TBBPX0+gZJItwsJ9G4/ul9+9vGGk3QynY7gmTzDLYs/d8i8kPOp7SQCN/JZNIJ4E2U4H1orlDKVWR9WPky4AXuxHMTkxphoYJGeTsFVpmk9iepuPgJpqK1v3rX3wVo4zYkk9x3GNi6OCRxG96t4zcTLV6rVIOGyvm+bhKgpLBI= ;{id = 32957}
ns3.nic.se.	60	IN	RRSIG	A 5 3 60 20091118132001 20091108132001 32957 nic.se. mzm4/IV0wxHHeIn8bagLpmwEOSBwfhtrB/u0oDNqHiCq/gzgxa2ykK3UrjBWl2FFrxgEon0Ss+EZrzpV7M2waTk4Cr52UlYMo0mFjo3RK2IH2Kc8nD5uXWhQRxAgSAuxyKIA5lPL5aIbKH6rgJJ+xB0RdZdFvYKWUdkWWp3fTcs= ;{id = 32957}

;; Query time: 43 msec
;; EDNS: version 0; flags: do ; udp: 4096
;; SERVER: 212.247.7.228
;; WHEN: Wed Nov 11 15:05:39 2009
;; MSG SIZE  rcvd: 1184
; www.iis.se.	60	IN	A	212.247.7.221
; No keys with the keytag and algorithm from the RRSIG found for id = 18937, owner = iis.se.

c. But if I do a trace, drill can successfully validate the signatures:

drill -DT www.iis.se -k ./iis.se.key

and the reply:

;; Number of trusted keys: 1
;; Domain: .
;; No DNSKEY record found for .
;; No DS for se.
;; No ds record for delegation
;; Domain: se.
;; Signature ok but no chain to a trusted key or ds record
[S] se.	3600	IN	DNSKEY	257 3 5 ;{id = 8779 (ksk), size = 2048b}
se.	3600	IN	DNSKEY	256 3 5 ;{id = 65091 (zsk), size = 1024b}
se.	3600	IN	DNSKEY	256 3 5 ;{id = 12075 (zsk), size = 1024b}
se.	3600	IN	DNSKEY	256 3 5 ;{id = 13173 (zsk), size = 1024b}
se.	3600	IN	DNSKEY	257 3 5 ;{id = 49678 (ksk), size = 2048b}
Checking if signing key is trusted:
New key: se.	3600	IN	DNSKEY	256 3 5 AwEAAceEVIj1a3+UxXB1w3IBpSJo74ptpZMN81NNTOOf7Of9AU38N6e/U1zzta8kvhOgXD+k4gnv85cEicBZhYv1NkKYcEXAMwtA2Gi8qbUlfJ4x3eu1s9hdVCxRXLoARJ3ZSldz8t4Bzg0daXHbswcMdcKHLDhtVAN5i/X7lrJrrH+h ;{id = 13173 (zsk), size = 1024b}
Trusted key: iis.se.	3479	IN	DNSKEY	257 3 5 AwEAAcq5u+qe5VibnyvSnGU20panweAk2QxflGVuVQhzQABQV4SIdAQs+LNVHF61lcxe504jhPmjeQ656X6t+dHpRz1DdPO/ukcIITjIRoJHqS+XXyL6gUluZoDU+K6vpxkGJx5m5n4boRTKCTUAR/9rw2+IQRRTtb6nBwsC3pmf9IlJQjQMb1cQTb0UO7fYgXDZIYVul2LwGpKRrMJ6Ul1nepkSxTMwQ4H9iKE9FhqPeIpzU9dnXGtJ+ZCx9tWSZ9VsSLWBJtUwoE6ZfIoF1ioqqxfGl9JV1/6GkDxo3pMN2edhkp8aqoo/R+mrJYi0vE8jbXvhZ12151DywuSxbGjAlxk= ;{id = 18937 (ksk), size = 2048b}
[S] iis.se.	3600	IN	DS	18937 5 2 b5c422428dea4137fbf15e1049a48d27fa5eade64d2ec9f3b58a994a6abde543
iis.se.	3600	IN	DS	18937 5 1 10dd1efdc7841abfdf630c8bb37153724d70830a
;; Domain: iis.se.
[T] iis.se.	3600	IN	DNSKEY	257 3 5 ;{id = 18937 (ksk), size = 2048b}
iis.se.	3600	IN	DNSKEY	256 3 5 ;{id = 54842 (zsk), size = 1024b}
[T] Existence denied: www.iis.se. DS
;; No ds record for delegation
;; Domain: www.iis.se.
;; No DNSKEY record found for www.iis.se.
[T] www.iis.se.	60	IN	A	212.247.7.221
;;[S] self sig OK; [B] bogus; [T] trusted

Is this a bug in drill, or did I do something wrong?

Thanks !

From wouter at NLnetLabs.nl Wed Nov 11 14:39:45 2009
From: wouter at NLnetLabs.nl (W.C.A. Wijngaards)
Date: Wed, 11 Nov 2009 15:39:45 +0100
Subject: [ldns-users] drill problem
In-Reply-To: <4AFAC6D5.6070107@digitus.itk.ppke.hu>
References: <4AFAC6D5.6070107@digitus.itk.ppke.hu>
Message-ID: <4AFACCB1.1060709@nlnetlabs.nl>

Hi Pásztor,

a. OK.
b. the command drill -D name -k file does not perform validation.
If you are looking for the AD flag, this flag has to be set by
the recursor (BIND960 for you - enable dnssec for it to get that).
c. OK.

Is the documentation bad somewhere causing you to believe the -k does
stuff without -T ?

Best regards,
Wouter

On 11/11/2009 03:14 PM, Pásztor János wrote:
> [...]

From pasja at digitus.itk.ppke.hu Wed Nov 11 16:31:32 2009
From: pasja at digitus.itk.ppke.hu (Pásztor János)
Date: Wed, 11 Nov 2009 17:31:32 +0100
Subject: [ldns-users] drill problem
In-Reply-To: <4AFACCB1.1060709@nlnetlabs.nl>
References: <4AFAC6D5.6070107@digitus.itk.ppke.hu> <4AFACCB1.1060709@nlnetlabs.nl>
Message-ID: <4AFAE6E4.80709@digitus.itk.ppke.hu>

Hi,

Thanks for your quick reply!

d. I continue my testing with drill. If I try to use the -S and -D then I get:

drill -DS iis.se -k ./iis.se.key
;; Number of trusted keys: 1
;; Chasing: iis.se. A

DNSSEC Trust tree:
iis.se. (A)
No trusted keys found in tree: first error was: No DNSSEC public key(s)
;; Chase failed.

I think it has to print out a tree, but I get this error message. If I use
the ns.nic.se nameserver, I've got the tree, but the error remains here:

drill @ns.nic.se -DS iis.se -k ./iis.se.key
;; Number of trusted keys: 1
;; Chasing: iis.se. A
error: Error creating socket
error: No nameservers defined in the resolver

DNSSEC Trust tree:
iis.se. (A)
|---iis.se. (DNSKEY keytag: 54842 alg: 5 flags: 256)
No trusted keys found in tree: first error was: No DNSSEC public key(s)
;; Chase failed.

Btw: if drill -D name -k file does not perform validation, why do I get an
error at the end of the reply:

; No keys with the keytag and algorithm from the RRSIG found for id = 18937, owner = iis.se.

e. Can my problem be related to this, which I've found in the archives:

http://open.nlnetlabs.nl/pipermail/ldns-users/2009-July/000152.html

I've also found this in the archives, in the same thread: Jelte uses
drill -D name -k file in his reply and for him it checks signatures:

drill -k Kdnssec.se.+005+12066.key -D SOA dnssec.se @secondary.se
; dnssec.se.	300	IN	SOA	ns.dnssec.se. jakob.kirei.se. 1246322701 3600 600 86400 300
; VALIDATED by id = 12066, owner = dnssec.se.

Sorry for the bad grammar. English is not my native language :)

Bye!

W.C.A. Wijngaards wrote:
> [...]

From matthijs at NLnetLabs.nl Thu Nov 12 10:55:53 2009
From: matthijs at NLnetLabs.nl (Matthijs Mekking)
Date: Thu, 12 Nov 2009 11:55:53 +0100
Subject: [ldns-users] ldns 1.6.2 released
Message-ID: <4AFBE9B9.9010008@nlnetlabs.nl>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

A new release of ldns, version 1.6.2, has been released this morning.

We have enabled SHA2 by default. Be aware that old versions of OpenSSL
don't support the SHA2 functions, so you might need to update your
OpenSSL to 0.9.8 or higher, or you need to disable SHA2 with
--disable-sha2 to make ldns work.
Furthermore, this release contains two more features and lots of bug
fixes, see the Changelog below.

The release can be downloaded at:
http://www.nlnetlabs.nl/downloads/ldns/ldns-1.6.2.tar.gz

Sha1sum: d8650b9466f5f2793ef72a1e571606c8479b5cf7

Hope you like it.

Matthijs

Changelog:
1.6.2	2009-11-05
	* Fix Makefile patch from Havard Eidnes, better install.sh usage.
	* Fix parse error on SOA serial of 2910532839.
	  Fix print of ';' and readback of '\;' in names, also for '\\'.
	  Fix parse of '\(' and '\)' in names. Also for file read. Also '\.'
	* Fix signature creation when TTLs are different for RRs in RRset.
	* bug273: fix so EDNS rdata is included in pkt to wire conversion.
	* bug274: fix use of c++ keyword 'class' for RR class in the code.
	* bug275: fix memory leak of packet edns rdata.
	* Fix timeout procedure for TCP and AXFR on Solaris.
	* Fix occasional NSEC bitmap bogus
	* Fix rr comparing (was in reversed order since 1.6.0)
	* bug278: fix parsing HINFO rdata (and other cases).
	* Fix previous owner name: also pick up if owner name is @.
	* RFC5702: enabled sha2 functions by default. This requires OpenSSL
	  0.9.8 or higher. Reason for this default is the root to be signed
	  with RSASHA256.
	* Fix various LDNS RR parsing issues: IPSECKEY, WKS, NSAP, very long lines
	* Fix: Make ldns_dname_is_subdomain case insensitive.
	* Fix ldns-verify-zone so that address records at zone NS set are not
	  considered glue (Or glue records fall below delegation)
	* Fix LOC RR altitude printing.
	* Feature: Added period (e.g. '3m6d') support at explicit TTLs.
	* Feature: DNSKEY rrset by default signed with minimal signatures but
	  -A option for ldns-signzone to sign it with all keys. This makes
	  the DNSKEY responses smaller for signed domains.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQEcBAEBAgAGBQJK++msAAoJEA8yVCPsQCW5WZsIAKAk6kFm7FLthibQ/X0Y2Z4P
b6T1yVpL8jLMeqHaJy6vBpJj99vLdu6a1jSeInxAB5fEJG94i3AMRYjx9V8zsjx/
ZnHLtFrWQRt3X87pxDNXdl2BNnoqdIwlRrQ53v/P6o9tdVabs0w9B6Ngpd2FaxJN
JpHZWuRrHvBzTs+05dltA2q1eD1atpuA4tQmiuFkZkQDQG2XcDsA3lRelxM+FieQ
5NTq7vNPH2C5/zOdiFm0tzyXYOBwSiSpGRT7rg35XL6tkT7jtjKuTV31p4XZaMgO
UrFHZ9Ev4HWRgl6B7ZqnHm8nb4c8OkCLEAv9Qv5PJgzU9sXbANk+Y65ABaF1TWU=
=obp8
-----END PGP SIGNATURE-----
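Two things in the drill thread above can be checked offline: the key tags that drill prints as ;{id = ...} and reports in "No keys with the keytag and algorithm from the RRSIG found", and the two DS records at se. for the iis.se KSK. The 1.6.2 changelog entry about '\;', '\\', '\(' and '\.' in names touches the same computation, because a DS digest is taken over the canonical wire form of the owner name, so the owner-name parser has to get escapes right. The Python script below is an added example, not ldns or drill code and not written by anyone in the thread: it takes the DNSKEY and DS records verbatim from the drill -DT trace, recomputes the key tags (RFC 4034 Appendix B) and DS digests (RFC 4034 section 5.1.4; RFC 4509 for the SHA-256 type), parses presentation-format names with RFC 1035 escapes, and shows the key tag / algorithm / signer-name match a validator uses to pick candidate keys for an RRSIG. Function names are mine; it needs only the Python standard library.

```python
# Added example (not ldns/drill code): key tags, DS digests, escaped owner names.
import base64
import hashlib
import struct

# DNSKEY records copied from the drill -DT trace: (owner, flags, proto, alg, key).
IIS_SE_KSK = ("iis.se.", 257, 3, 5,
              "AwEAAcq5u+qe5VibnyvSnGU20panweAk2QxflGVuVQhzQABQV4SIdAQs+LNV"
              "HF61lcxe504jhPmjeQ656X6t+dHpRz1DdPO/ukcIITjIRoJHqS+XXyL6gUlu"
              "ZoDU+K6vpxkGJx5m5n4boRTKCTUAR/9rw2+IQRRTtb6nBwsC3pmf9IlJQjQM"
              "b1cQTb0UO7fYgXDZIYVul2LwGpKRrMJ6Ul1nepkSxTMwQ4H9iKE9FhqPeIpz"
              "U9dnXGtJ+ZCx9tWSZ9VsSLWBJtUwoE6ZfIoF1ioqqxfGl9JV1/6GkDxo3pMN"
              "2edhkp8aqoo/R+mrJYi0vE8jbXvhZ12151DywuSxbGjAlxk=")
SE_ZSK = ("se.", 256, 3, 5,
          "AwEAAceEVIj1a3+UxXB1w3IBpSJo74ptpZMN81NNTOOf7Of9AU38N6e/U1zz"
          "ta8kvhOgXD+k4gnv85cEicBZhYv1NkKYcEXAMwtA2Gi8qbUlfJ4x3eu1s9hd"
          "VCxRXLoARJ3ZSldz8t4Bzg0daXHbswcMdcKHLDhtVAN5i/X7lrJrrH+h")
# DS records for iis.se from the same trace: digest type -> hex digest.
IIS_SE_DS = {1: "10dd1efdc7841abfdf630c8bb37153724d70830a",
             2: "b5c422428dea4137fbf15e1049a48d27fa5eade64d2ec9f3b58a994a6abde543"}


def parse_name(text):
    """Presentation-format name -> list of raw labels. RFC 1035 escapes: a
    backslash keeps the next character literally ('\\.', '\\;', '\\(', '\\\\'),
    and '\\DDD' is a decimal octet."""
    if text == ".":
        return []
    labels, cur, i = [], bytearray(), 0
    while i < len(text):
        c = text[i]
        if c == "\\":
            digits = text[i + 1:i + 4]
            if len(digits) == 3 and digits.isdigit():
                cur.append(int(digits))          # raises ValueError above 255
                i += 4
            elif i + 1 < len(text):
                cur += text[i + 1].encode("ascii")
                i += 2
            else:
                raise ValueError("trailing backslash")
        elif c == ".":
            if not cur:
                raise ValueError("empty label in %r" % text)
            labels.append(bytes(cur))
            cur = bytearray()
            i += 1
        else:
            cur += c.encode("ascii")
            i += 1
    if cur:                                      # written without a trailing dot
        labels.append(bytes(cur))
    return labels


def name_to_wire(name):
    """Canonical wire form (RFC 4034 6.2): lowercase, uncompressed,
    length-prefixed labels, terminated by a zero octet."""
    out = bytearray()
    for label in parse_name(name):
        if not 1 <= len(label) <= 63:
            raise ValueError("bad label length")
        out.append(len(label))
        out += label.lower()
    out.append(0)
    return bytes(out)


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: 16-bit flags, protocol, algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the RDATA (all algorithms except 1)."""
    ac = 0
    for i, octet in enumerate(rdata):
        ac += octet if i & 1 else octet << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type):
    """DS digest (RFC 4034 5.1.4, RFC 4509) = hash(canonical owner name | RDATA)."""
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return hasher(name_to_wire(owner) + rdata).hexdigest()


def verify_ds(owner, flags, protocol, algorithm, pubkey_b64, ds_records):
    """(key tag, {digest type: matches?}) for a DNSKEY against the parent's DS set."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    matches = {dt: ds_digest(owner, rdata, dt) == want.lower()
               for dt, want in ds_records.items()}
    return key_tag(rdata), matches


def matching_keys(keys, rrsig_keytag, rrsig_alg, signer):
    """Candidate DNSKEYs for an RRSIG: same key tag, algorithm and owner name as
    the RRSIG's key tag, algorithm and signer name. A tag match only selects
    candidates (tags are 16-bit checksums, not identifiers); the signature
    itself still has to verify against each candidate."""
    return [k for k in keys
            if key_tag(dnskey_rdata(*k[1:])) == rrsig_keytag
            and k[3] == rrsig_alg
            and name_to_wire(k[0]) == name_to_wire(signer)]
```

verify_ds(*IIS_SE_KSK, IIS_SE_DS) returns key tag 18937 with both DS digests matching, and key_tag(dnskey_rdata(*SE_ZSK[1:])) is 13173, the same ids drill printed. matching_keys([IIS_SE_KSK], 54842, 5, "iis.se.") is empty, which is the situation in step b of the thread: the -k file holds only the KSK, but the RRSIG on www.iis.se was made with key tag 54842, so the iis.se DNSKEY RRset has to be fetched and validated against the anchor before that signature can be checked at all; that chain building is what -T and -S do and what -D -k alone does not.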