[ldns-users] drill problem

W.C.A. Wijngaards wouter at NLnetLabs.nl
Wed Nov 11 14:39:45 UTC 2009


Hi Pásztor,

a. OK.
b. The command drill -D name -k file does not perform validation.
If you are looking for the AD flag, this flag has to be set by
the recursor (BIND960 for you - enable dnssec for it to get that).
c. OK.

Is the documentation bad somewhere, causing you to believe that -k does
stuff without -T?

Best regards,
    Wouter

On 11/11/2009 03:14 PM, Pásztor János wrote:
> Hi everybody,
>
> I think I found a bug in drill. I use BIND 9.6.0-P1 as a caching
> nameserver, compiled with openssl, and drill version 1.6.1 (ldns version
> 1.6.1). Here is the problem:
>
> a. First I obtain the iis.se KSK:
>
> drill -D dnskey iis.se | grep DNSKEY | grep ';{id = 18937' >iis.se.key
>
> b. I try to check the www.iis.se signature validation, but it fails:
>
> drill -D www.iis.se -k ./iis.se.key
> and I've got this reply:
>
> ;; Number of trusted keys: 1
> ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 53458
> ;; flags: qr aa rd ; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 8
> ;; QUESTION SECTION:
> ;; www.iis.se. IN A
>
> ;; ANSWER SECTION:
> www.iis.se. 60 IN A 212.247.7.221
> www.iis.se. 60 IN RRSIG A 5 3 60 20091120152002 20091110152002 54842
> iis.se.
> GZH+TQWJXOtRn0Xc5AIIp0YP2xIt7A4MNUOclAVXo2w/KtZyEXddcdQQXmaGUnaEXqZz0Ievn6mrQ1Wd+gp3H+3uhl9CBN871ZnJWS7bTy2h1cobUXmAyzANzoyyaYGvmHmcNjlImyk8akID7S7Sn/xfNon4vOEeW+8LH2wfjVQ=
> ;{id = 54842}
>
> ;; AUTHORITY SECTION:
> iis.se. 3600 IN NS ns.nic.se.
> iis.se. 3600 IN NS ns3.nic.se.
> iis.se. 3600 IN NS ns2.nic.se.
> iis.se. 3600 IN RRSIG NS 5 2 3600 20091120152002 20091110152002 54842
> iis.se.
> UXUCbJRzySiU69pByGw04Zbx52vBZ7zMYgpeHQRZpksLcYEUJyJGS0R6gW0h7YVIXPFPS0Vq8B+ySla2jU8e1imjiOrOtfs3/4XPXdyahJc3mGZpArMQXFzvQfmCz5ql6WNaVpKVESXuHegumvyLTCGUbAAKygEVGE56kKGN4KE=
> ;{id = 54842}
>
> ;; ADDITIONAL SECTION:
> ns.nic.se. 3600 IN A 212.247.7.228
> ns.nic.se. 3600 IN AAAA 2a00:801:f0:53::53
> ns2.nic.se. 3600 IN A 194.17.45.54
> ns3.nic.se. 60 IN A 212.247.3.83
> ns.nic.se. 3600 IN RRSIG A 5 3 3600 20091118132001 20091108132001 32957
> nic.se.
> IwOHSYjv/p6rwkaFnwSz2IhNUstfw7wcu1yo11hvWXQeGCvM2uKF1txy2ri5yAthvfFmr2qcBsHJStaDvI94UDqpsWsw8gpeDSHWzpIBgmqa9R+3UVkxCRhqA2Gnl+f7ABG/b/wM3FAJdZ5OK5myvQnpbSGVSdEvx2/CnpS7zb4=
> ;{id = 32957}
> ns.nic.se. 3600 IN RRSIG AAAA 5 3 3600 20091118132001 20091108132001
> 32957 nic.se.
> BNLr7xenkuA1HDCaBYUO9SOGY8Cc4wvVmanQuXTTbFqb9VVmSBi+1hJffcJFLHzqV+Wovqy+fQtdzV6K/dp0qHY22yAbjvPb2/LSGkqoQDLGwnUqFW5eKO/mr+Kj9rnqRHDozwAefbOmaSGJ20B1zcQWpW8pNsY2UwNiJCSd2lE=
> ;{id = 32957}
> ns2.nic.se. 3600 IN RRSIG A 5 3 3600 20091118132001 20091108132001 32957
> nic.se.
> 1TBBPX0+gZJItwsJ9G4/ul9+9vGGk3QynY7gmTzDLYs/d8i8kPOp7SQCN/JZNIJ4E2U4H1orlDKVWR9WPky4AXuxHMTkxphoYJGeTsFVpmk9iepuPgJpqK1v3rX3wVo4zYkk9x3GNi6OCRxG96t4zcTLV6rVIOGyvm+bhKgpLBI=
> ;{id = 32957}
> ns3.nic.se. 60 IN RRSIG A 5 3 60 20091118132001 20091108132001 32957
> nic.se.
> mzm4/IV0wxHHeIn8bagLpmwEOSBwfhtrB/u0oDNqHiCq/gzgxa2ykK3UrjBWl2FFrxgEon0Ss+EZrzpV7M2waTk4Cr52UlYMo0mFjo3RK2IH2Kc8nD5uXWhQRxAgSAuxyKIA5lPL5aIbKH6rgJJ+xB0RdZdFvYKWUdkWWp3fTcs=
> ;{id = 32957}
>
> ;; Query time: 43 msec
> ;; EDNS: version 0; flags: do ; udp: 4096
> ;; SERVER: 212.247.7.228
> ;; WHEN: Wed Nov 11 15:05:39 2009
> ;; MSG SIZE rcvd: 1184
> ; www.iis.se. 60 IN A 212.247.7.221
> ; No keys with the keytag and algorithm from the RRSIG found for id =
> 18937, owner = iis.se.
>
> c. But if I do a trace, drill can successfully validate the signatures:
>
> drill -DT www.iis.se -k ./iis.se.key
>
> and the reply:
>
> ;; Number of trusted keys: 1
> ;; Domain: .
> ;; No DNSKEY record found for .
> ;; No DS for se.;; No ds record for delegation
> ;; Domain: se.
> ;; Signature ok but no chain to a trusted key or ds record
> [S] se. 3600 IN DNSKEY 257 3 5 ;{id = 8779 (ksk), size = 2048b}
> se. 3600 IN DNSKEY 256 3 5 ;{id = 65091 (zsk), size = 1024b}
> se. 3600 IN DNSKEY 256 3 5 ;{id = 12075 (zsk), size = 1024b}
> se. 3600 IN DNSKEY 256 3 5 ;{id = 13173 (zsk), size = 1024b}
> se. 3600 IN DNSKEY 257 3 5 ;{id = 49678 (ksk), size = 2048b}
> Checking if signing key is trusted:
> New key: se. 3600 IN DNSKEY 256 3 5
> AwEAAceEVIj1a3+UxXB1w3IBpSJo74ptpZMN81NNTOOf7Of9AU38N6e/U1zzta8kvhOgXD+k4gnv85cEicBZhYv1NkKYcEXAMwtA2Gi8qbUlfJ4x3eu1s9hdVCxRXLoARJ3ZSldz8t4Bzg0daXHbswcMdcKHLDhtVAN5i/X7lrJrrH+h
> ;{id = 13173 (zsk), size = 1024b}
> Trusted key: iis.se. 3479 IN DNSKEY 257 3 5
> AwEAAcq5u+qe5VibnyvSnGU20panweAk2QxflGVuVQhzQABQV4SIdAQs+LNVHF61lcxe504jhPmjeQ656X6t+dHpRz1DdPO/ukcIITjIRoJHqS+XXyL6gUluZoDU+K6vpxkGJx5m5n4boRTKCTUAR/9rw2+IQRRTtb6nBwsC3pmf9IlJQjQMb1cQTb0UO7fYgXDZIYVul2LwGpKRrMJ6Ul1nepkSxTMwQ4H9iKE9FhqPeIpzU9dnXGtJ+ZCx9tWSZ9VsSLWBJtUwoE6ZfIoF1ioqqxfGl9JV1/6GkDxo3pMN2edhkp8aqoo/R+mrJYi0vE8jbXvhZ12151DywuSxbGjAlxk=
> ;{id = 18937 (ksk), size = 2048b}
> [S] iis.se. 3600 IN DS 18937 5 2
> b5c422428dea4137fbf15e1049a48d27fa5eade64d2ec9f3b58a994a6abde543
> iis.se. 3600 IN DS 18937 5 1 10dd1efdc7841abfdf630c8bb37153724d70830a
> ;; Domain: iis.se.
> [T] iis.se. 3600 IN DNSKEY 257 3 5 ;{id = 18937 (ksk), size = 2048b}
> iis.se. 3600 IN DNSKEY 256 3 5 ;{id = 54842 (zsk), size = 1024b}
> [T] Existence denied: www.iis.se. DS
> ;; No ds record for delegation
> ;; Domain: www.iis.se.
> ;; No DNSKEY record found for www.iis.se.
> [T] www.iis.se. 60 IN A 212.247.7.221
> ;;[S] self sig OK; [B] bogus; [T] trusted
>
> Is this a bug in drill, or did I do something wrong?
>
> Thanks !
>
> _______________________________________________
> ldns-users mailing list
> ldns-users at open.nlnetlabs.nl
> http://open.nlnetlabs.nl/mailman/listinfo/ldns-users



