[ldns-users] drill problem

Pásztor János pasja at digitus.itk.ppke.hu
Wed Nov 11 14:14:45 UTC 2009


Hi everybody,

I think I found a bug in drill. I use BIND 9.6.0-P1 as a caching 
nameserver, compiled with openssl, and drill version 1.6.1 (ldns version 
1.6.1). Here is the problem:

a. First I obtain the iis.se KSK:

    drill -D dnskey iis.se | grep DNSKEY | grep  ';{id = 18937' >iis.se.key

b. I try to check the www.iis.se signature validation, but it fails:

    drill -D www.iis.se -k ./iis.se.key
   
    and I've got this reply:

;; Number of trusted keys: 1
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 53458
;; flags: qr aa rd ; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 8
;; QUESTION SECTION:
;; www.iis.se.    IN    A

;; ANSWER SECTION:
www.iis.se.    60    IN    A    212.247.7.221
www.iis.se.    60    IN    RRSIG    A 5 3 60 20091120152002 
20091110152002 54842 iis.se. 
GZH+TQWJXOtRn0Xc5AIIp0YP2xIt7A4MNUOclAVXo2w/KtZyEXddcdQQXmaGUnaEXqZz0Ievn6mrQ1Wd+gp3H+3uhl9CBN871ZnJWS7bTy2h1cobUXmAyzANzoyyaYGvmHmcNjlImyk8akID7S7Sn/xfNon4vOEeW+8LH2wfjVQ= 
;{id = 54842}

;; AUTHORITY SECTION:
iis.se.    3600    IN    NS    ns.nic.se.
iis.se.    3600    IN    NS    ns3.nic.se.
iis.se.    3600    IN    NS    ns2.nic.se.
iis.se.    3600    IN    RRSIG    NS 5 2 3600 20091120152002 
20091110152002 54842 iis.se. 
UXUCbJRzySiU69pByGw04Zbx52vBZ7zMYgpeHQRZpksLcYEUJyJGS0R6gW0h7YVIXPFPS0Vq8B+ySla2jU8e1imjiOrOtfs3/4XPXdyahJc3mGZpArMQXFzvQfmCz5ql6WNaVpKVESXuHegumvyLTCGUbAAKygEVGE56kKGN4KE= 
;{id = 54842}

;; ADDITIONAL SECTION:
ns.nic.se.    3600    IN    A    212.247.7.228
ns.nic.se.    3600    IN    AAAA    2a00:801:f0:53::53
ns2.nic.se.    3600    IN    A    194.17.45.54
ns3.nic.se.    60    IN    A    212.247.3.83
ns.nic.se.    3600    IN    RRSIG    A 5 3 3600 20091118132001 
20091108132001 32957 nic.se. 
IwOHSYjv/p6rwkaFnwSz2IhNUstfw7wcu1yo11hvWXQeGCvM2uKF1txy2ri5yAthvfFmr2qcBsHJStaDvI94UDqpsWsw8gpeDSHWzpIBgmqa9R+3UVkxCRhqA2Gnl+f7ABG/b/wM3FAJdZ5OK5myvQnpbSGVSdEvx2/CnpS7zb4= 
;{id = 32957}
ns.nic.se.    3600    IN    RRSIG    AAAA 5 3 3600 20091118132001 
20091108132001 32957 nic.se. 
BNLr7xenkuA1HDCaBYUO9SOGY8Cc4wvVmanQuXTTbFqb9VVmSBi+1hJffcJFLHzqV+Wovqy+fQtdzV6K/dp0qHY22yAbjvPb2/LSGkqoQDLGwnUqFW5eKO/mr+Kj9rnqRHDozwAefbOmaSGJ20B1zcQWpW8pNsY2UwNiJCSd2lE= 
;{id = 32957}
ns2.nic.se.    3600    IN    RRSIG    A 5 3 3600 20091118132001 
20091108132001 32957 nic.se. 
1TBBPX0+gZJItwsJ9G4/ul9+9vGGk3QynY7gmTzDLYs/d8i8kPOp7SQCN/JZNIJ4E2U4H1orlDKVWR9WPky4AXuxHMTkxphoYJGeTsFVpmk9iepuPgJpqK1v3rX3wVo4zYkk9x3GNi6OCRxG96t4zcTLV6rVIOGyvm+bhKgpLBI= 
;{id = 32957}
ns3.nic.se.    60    IN    RRSIG    A 5 3 60 20091118132001 
20091108132001 32957 nic.se. 
mzm4/IV0wxHHeIn8bagLpmwEOSBwfhtrB/u0oDNqHiCq/gzgxa2ykK3UrjBWl2FFrxgEon0Ss+EZrzpV7M2waTk4Cr52UlYMo0mFjo3RK2IH2Kc8nD5uXWhQRxAgSAuxyKIA5lPL5aIbKH6rgJJ+xB0RdZdFvYKWUdkWWp3fTcs= 
;{id = 32957}

;; Query time: 43 msec
;; EDNS: version 0; flags: do ; udp: 4096
;; SERVER: 212.247.7.228
;; WHEN: Wed Nov 11 15:05:39 2009
;; MSG SIZE  rcvd: 1184
; www.iis.se.    60    IN    A    212.247.7.221
; No keys with the keytag and algorithm from the RRSIG found for id = 
18937, owner = iis.se.

c. But if I do a trace, drill can successfully validate the signatures:

    drill -DT www.iis.se -k ./iis.se.key

and the reply:

;; Number of trusted keys: 1
;; Domain: .
;; No DNSKEY record found for .
;; No DS for se.;; No ds record for delegation
;; Domain: se.
;; Signature ok but no chain to a trusted key or ds record
[S] se. 3600 IN DNSKEY 257 3 5 ;{id = 8779 (ksk), size = 2048b}
se. 3600 IN DNSKEY 256 3 5 ;{id = 65091 (zsk), size = 1024b}
se. 3600 IN DNSKEY 256 3 5 ;{id = 12075 (zsk), size = 1024b}
se. 3600 IN DNSKEY 256 3 5 ;{id = 13173 (zsk), size = 1024b}
se. 3600 IN DNSKEY 257 3 5 ;{id = 49678 (ksk), size = 2048b}
Checking if signing key is trusted:
New key: se.    3600    IN    DNSKEY    256 3 5 
AwEAAceEVIj1a3+UxXB1w3IBpSJo74ptpZMN81NNTOOf7Of9AU38N6e/U1zzta8kvhOgXD+k4gnv85cEicBZhYv1NkKYcEXAMwtA2Gi8qbUlfJ4x3eu1s9hdVCxRXLoARJ3ZSldz8t4Bzg0daXHbswcMdcKHLDhtVAN5i/X7lrJrrH+h 
;{id = 13173 (zsk), size = 1024b}
    Trusted key: iis.se.    3479    IN    DNSKEY    257 3 5 
AwEAAcq5u+qe5VibnyvSnGU20panweAk2QxflGVuVQhzQABQV4SIdAQs+LNVHF61lcxe504jhPmjeQ656X6t+dHpRz1DdPO/ukcIITjIRoJHqS+XXyL6gUluZoDU+K6vpxkGJx5m5n4boRTKCTUAR/9rw2+IQRRTtb6nBwsC3pmf9IlJQjQMb1cQTb0UO7fYgXDZIYVul2LwGpKRrMJ6Ul1nepkSxTMwQ4H9iKE9FhqPeIpzU9dnXGtJ+ZCx9tWSZ9VsSLWBJtUwoE6ZfIoF1ioqqxfGl9JV1/6GkDxo3pMN2edhkp8aqoo/R+mrJYi0vE8jbXvhZ12151DywuSxbGjAlxk= 
;{id = 18937 (ksk), size = 2048b}
[S] iis.se. 3600 IN DS 18937 5 2 
b5c422428dea4137fbf15e1049a48d27fa5eade64d2ec9f3b58a994a6abde543
iis.se. 3600 IN DS 18937 5 1 10dd1efdc7841abfdf630c8bb37153724d70830a
;; Domain: iis.se.
[T] iis.se. 3600 IN DNSKEY 257 3 5 ;{id = 18937 (ksk), size = 2048b}
iis.se. 3600 IN DNSKEY 256 3 5 ;{id = 54842 (zsk), size = 1024b}
[T] Existence denied: www.iis.se. DS
;; No ds record for delegation
;; Domain: www.iis.se.
;; No DNSKEY record found for www.iis.se.
[T] www.iis.se.    60    IN    A    212.247.7.221
;;[S] self sig OK; [B] bogus; [T] trusted

Is this a bug in drill, or did I do something wrong?

Thanks!
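As an added illustration (not part of the original post or of ldns/drill), here is the chain-of-trust arithmetic behind steps b and c, worked on the records the trace prints: the RFC 4034 key tag of the trusted iis.se KSK (drill's "id = 18937"), the two DS records se. publishes for it, and the lookup of a trusted key matching the A RRSIG's key tag 54842 and algorithm 5, which is the lookup whose failure the error in step b reports. The DNSKEY and DS values are copied from the trace above; the helper names are my own.

```python
import base64
import hashlib

# iis.se KSK (DNSKEY 257 3 5) and its two DS records, copied from the drill trace in the post.
IIS_SE_KSK_B64 = (
    "AwEAAcq5u+qe5VibnyvSnGU20panweAk2QxflGVuVQhzQABQV4SIdAQs+LNVHF61lcxe50"
    "4jhPmjeQ656X6t+dHpRz1DdPO/ukcIITjIRoJHqS+XXyL6gUluZoDU+K6vpxkGJx5m5n4b"
    "oRTKCTUAR/9rw2+IQRRTtb6nBwsC3pmf9IlJQjQMb1cQTb0UO7fYgXDZIYVul2LwGpKRrM"
    "J6Ul1nepkSxTMwQ4H9iKE9FhqPeIpzU9dnXGtJ+ZCx9tWSZ9VsSLWBJtUwoE6ZfIoF1ioq"
    "qxfGl9JV1/6GkDxo3pMN2edhkp8aqoo/R+mrJYi0vE8jbXvhZ12151DywuSxbGjAlxk="
)
IIS_SE_DS_SHA1 = "10dd1efdc7841abfdf630c8bb37153724d70830a"
IIS_SE_DS_SHA256 = "b5c422428dea4137fbf15e1049a48d27fa5eade64d2ec9f3b58a994a6abde543"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA in wire form: flags | protocol | algorithm | public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """RFC 4034 Appendix B key tag (all algorithms except RSA/MD5); drill prints it as 'id'."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def owner_wire(name):
    """Canonical (lower-case) wire form of an owner name: iis.se. -> \\x03iis\\x02se\\x00."""
    labels = [l.lower().encode() for l in name.rstrip(".").split(".")]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def ds_digest(owner, rdata, digest_type):
    """DS digest (RFC 4034 5.1.4): hash(owner | DNSKEY RDATA); type 1 = SHA-1, 2 = SHA-256."""
    h = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return h(owner_wire(owner) + rdata).hexdigest()

def keys_for_rrsig(trusted, sig_tag, sig_alg):
    """Keys a validator may try for an RRSIG: same key tag and algorithm (rdata[3])."""
    return [k for k in trusted if key_tag(k) == sig_tag and k[3] == sig_alg]

def check_post():
    ksk = dnskey_rdata(257, 3, 5, IIS_SE_KSK_B64)
    return {
        "ksk_tag": key_tag(ksk),
        "ds_sha1_ok": ds_digest("iis.se.", ksk, 1) == IIS_SE_DS_SHA1,
        "ds_sha256_ok": ds_digest("iis.se.", ksk, 2) == IIS_SE_DS_SHA256,
        # The A RRSIG carries key tag 54842 (the ZSK); with only the KSK loaded from
        # the -k file nothing matches. -T first verifies the DNSKEY RRset with the KSK.
        "keys_for_a_rrsig": len(keys_for_rrsig([ksk], 54842, 5)),
    }
```

The trace in step c succeeds because it first validates the iis.se DNSKEY RRset against the trusted KSK and only then uses the ZSK (54842) for the A record; without the trace, that ZSK is never loaded.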
