[ldns-users] drill problem

Pásztor János pasja at digitus.itk.ppke.hu
Wed Nov 11 16:31:32 UTC 2009


Hi,

Thanks for your quick reply!

d. I continue my testing with drill. If I try to use -S and -D together, then 
I get:

    drill -DS iis.se -k ./iis.se.key

;; Number of trusted keys: 1
;; Chasing: iis.se. A


DNSSEC Trust tree:
iis.se. (A)
No trusted keys found in tree: first error was: No DNSSEC public key(s)
;; Chase failed.

I think it has to print out a tree, but I get this error message.

If I use the ns.nic.se nameserver, I get the tree, but the error 
remains:

    drill @ns.nic.se -DS iis.se -k ./iis.se.key

;; Number of trusted keys: 1
;; Chasing: iis.se. A
error: Error creating socket
error: No nameservers defined in the resolver


DNSSEC Trust tree:
iis.se. (A)
|---iis.se. (DNSKEY keytag: 54842 alg: 5 flags: 256)
No trusted keys found in tree: first error was: No DNSSEC public key(s)
;; Chase failed.


Btw: if drill -D name -k file does not perform validation, why do I get an 
error at the end of the reply:

; No keys with the keytag and algorithm from the RRSIG found for id =
18937, owner = iis.se.

e. Can my problem be related to this, which I found in the archives: 
http://open.nlnetlabs.nl/pipermail/ldns-users/2009-July/000152.html

I've also found this in the archives, in the same thread:
Jelte uses drill -D name -k file in his reply, and for him it checks 
signatures:

drill -k Kdnssec.se.+005+12066.key -D SOA dnssec.se @secondary.se
<snip>
; dnssec.se.	300	IN	SOA	ns.dnssec.se. jakob.kirei.se. 1246322701 3600 600 86400 300
; VALIDATED by id = 12066, owner = dnssec.se.


Sorry for the bad grammar. English is not my native language :)

Bye!

W.C.A. Wijngaards wrote:
> Hi Pásztor,
>
> a. OK.
> b. the command drill -D name -k file does not perform validation.
> If you are looking for the AD flag, this flag has to be set by
> the recursor (BIND960 for you - enable dnssec for it to get that).
> c. OK.
>
> Is the documentation bad somewhere causing you to believe the -k does 
> stuff without -T ?
>
> Best regards,
>    Wouter
>
> On 11/11/2009 03:14 PM, Pásztor János wrote:
>> Hi everybody,
>>
>> I think I found a bug in drill. I use BIND 9.6.0-P1 as a caching
>> nameserver, compiled with openssl, and drill version 1.6.1 (ldns version
>> 1.6.1). Here is the problem:
>>
>> a. First I obtain the iis.se KSK:
>>
>> drill -D dnskey iis.se | grep DNSKEY | grep ';{id = 18937' >iis.se.key
>>
>> b. I try to check the www.iis.se signature validation, but it fails:
>>
>> drill -D www.iis.se -k ./iis.se.key
>> and I got this reply:
>>
>> ;; Number of trusted keys: 1
>> ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 53458
>> ;; flags: qr aa rd ; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 8
>> ;; QUESTION SECTION:
>> ;; www.iis.se. IN A
>>
>> ;; ANSWER SECTION:
>> www.iis.se. 60 IN A 212.247.7.221
>> www.iis.se. 60 IN RRSIG A 5 3 60 20091120152002 20091110152002 54842
>> iis.se.
>> GZH+TQWJXOtRn0Xc5AIIp0YP2xIt7A4MNUOclAVXo2w/KtZyEXddcdQQXmaGUnaEXqZz0Ievn6mrQ1Wd+gp3H+3uhl9CBN871ZnJWS7bTy2h1cobUXmAyzANzoyyaYGvmHmcNjlImyk8akID7S7Sn/xfNon4vOEeW+8LH2wfjVQ= 
>>
>> ;{id = 54842}
>>
>> ;; AUTHORITY SECTION:
>> iis.se. 3600 IN NS ns.nic.se.
>> iis.se. 3600 IN NS ns3.nic.se.
>> iis.se. 3600 IN NS ns2.nic.se.
>> iis.se. 3600 IN RRSIG NS 5 2 3600 20091120152002 20091110152002 54842
>> iis.se.
>> UXUCbJRzySiU69pByGw04Zbx52vBZ7zMYgpeHQRZpksLcYEUJyJGS0R6gW0h7YVIXPFPS0Vq8B+ySla2jU8e1imjiOrOtfs3/4XPXdyahJc3mGZpArMQXFzvQfmCz5ql6WNaVpKVESXuHegumvyLTCGUbAAKygEVGE56kKGN4KE= 
>>
>> ;{id = 54842}
>>
>> ;; ADDITIONAL SECTION:
>> ns.nic.se. 3600 IN A 212.247.7.228
>> ns.nic.se. 3600 IN AAAA 2a00:801:f0:53::53
>> ns2.nic.se. 3600 IN A 194.17.45.54
>> ns3.nic.se. 60 IN A 212.247.3.83
>> ns.nic.se. 3600 IN RRSIG A 5 3 3600 20091118132001 20091108132001 32957
>> nic.se.
>> IwOHSYjv/p6rwkaFnwSz2IhNUstfw7wcu1yo11hvWXQeGCvM2uKF1txy2ri5yAthvfFmr2qcBsHJStaDvI94UDqpsWsw8gpeDSHWzpIBgmqa9R+3UVkxCRhqA2Gnl+f7ABG/b/wM3FAJdZ5OK5myvQnpbSGVSdEvx2/CnpS7zb4= 
>>
>> ;{id = 32957}
>> ns.nic.se. 3600 IN RRSIG AAAA 5 3 3600 20091118132001 20091108132001
>> 32957 nic.se.
>> BNLr7xenkuA1HDCaBYUO9SOGY8Cc4wvVmanQuXTTbFqb9VVmSBi+1hJffcJFLHzqV+Wovqy+fQtdzV6K/dp0qHY22yAbjvPb2/LSGkqoQDLGwnUqFW5eKO/mr+Kj9rnqRHDozwAefbOmaSGJ20B1zcQWpW8pNsY2UwNiJCSd2lE= 
>>
>> ;{id = 32957}
>> ns2.nic.se. 3600 IN RRSIG A 5 3 3600 20091118132001 20091108132001 32957
>> nic.se.
>> 1TBBPX0+gZJItwsJ9G4/ul9+9vGGk3QynY7gmTzDLYs/d8i8kPOp7SQCN/JZNIJ4E2U4H1orlDKVWR9WPky4AXuxHMTkxphoYJGeTsFVpmk9iepuPgJpqK1v3rX3wVo4zYkk9x3GNi6OCRxG96t4zcTLV6rVIOGyvm+bhKgpLBI= 
>>
>> ;{id = 32957}
>> ns3.nic.se. 60 IN RRSIG A 5 3 60 20091118132001 20091108132001 32957
>> nic.se.
>> mzm4/IV0wxHHeIn8bagLpmwEOSBwfhtrB/u0oDNqHiCq/gzgxa2ykK3UrjBWl2FFrxgEon0Ss+EZrzpV7M2waTk4Cr52UlYMo0mFjo3RK2IH2Kc8nD5uXWhQRxAgSAuxyKIA5lPL5aIbKH6rgJJ+xB0RdZdFvYKWUdkWWp3fTcs= 
>>
>> ;{id = 32957}
>>
>> ;; Query time: 43 msec
>> ;; EDNS: version 0; flags: do ; udp: 4096
>> ;; SERVER: 212.247.7.228
>> ;; WHEN: Wed Nov 11 15:05:39 2009
>> ;; MSG SIZE rcvd: 1184
>> ; www.iis.se. 60 IN A 212.247.7.221
>> ; No keys with the keytag and algorithm from the RRSIG found for id =
>> 18937, owner = iis.se.
>>
>> c. But if I do a trace, drill can successfully validate the signatures:
>>
>> drill -DT www.iis.se -k ./iis.se.key
>>
>> and the reply:
>>
>> ;; Number of trusted keys: 1
>> ;; Domain: .
>> ;; No DNSKEY record found for .
>> ;; No DS for se.;; No ds record for delegation
>> ;; Domain: se.
>> ;; Signature ok but no chain to a trusted key or ds record
>> [S] se. 3600 IN DNSKEY 257 3 5 ;{id = 8779 (ksk), size = 2048b}
>> se. 3600 IN DNSKEY 256 3 5 ;{id = 65091 (zsk), size = 1024b}
>> se. 3600 IN DNSKEY 256 3 5 ;{id = 12075 (zsk), size = 1024b}
>> se. 3600 IN DNSKEY 256 3 5 ;{id = 13173 (zsk), size = 1024b}
>> se. 3600 IN DNSKEY 257 3 5 ;{id = 49678 (ksk), size = 2048b}
>> Checking if signing key is trusted:
>> New key: se. 3600 IN DNSKEY 256 3 5
>> AwEAAceEVIj1a3+UxXB1w3IBpSJo74ptpZMN81NNTOOf7Of9AU38N6e/U1zzta8kvhOgXD+k4gnv85cEicBZhYv1NkKYcEXAMwtA2Gi8qbUlfJ4x3eu1s9hdVCxRXLoARJ3ZSldz8t4Bzg0daXHbswcMdcKHLDhtVAN5i/X7lrJrrH+h 
>>
>> ;{id = 13173 (zsk), size = 1024b}
>> Trusted key: iis.se. 3479 IN DNSKEY 257 3 5
>> AwEAAcq5u+qe5VibnyvSnGU20panweAk2QxflGVuVQhzQABQV4SIdAQs+LNVHF61lcxe504jhPmjeQ656X6t+dHpRz1DdPO/ukcIITjIRoJHqS+XXyL6gUluZoDU+K6vpxkGJx5m5n4boRTKCTUAR/9rw2+IQRRTtb6nBwsC3pmf9IlJQjQMb1cQTb0UO7fYgXDZIYVul2LwGpKRrMJ6Ul1nepkSxTMwQ4H9iKE9FhqPeIpzU9dnXGtJ+ZCx9tWSZ9VsSLWBJtUwoE6ZfIoF1ioqqxfGl9JV1/6GkDxo3pMN2edhkp8aqoo/R+mrJYi0vE8jbXvhZ12151DywuSxbGjAlxk= 
>>
>> ;{id = 18937 (ksk), size = 2048b}
>> [S] iis.se. 3600 IN DS 18937 5 2
>> b5c422428dea4137fbf15e1049a48d27fa5eade64d2ec9f3b58a994a6abde543
>> iis.se. 3600 IN DS 18937 5 1 10dd1efdc7841abfdf630c8bb37153724d70830a
>> ;; Domain: iis.se.
>> [T] iis.se. 3600 IN DNSKEY 257 3 5 ;{id = 18937 (ksk), size = 2048b}
>> iis.se. 3600 IN DNSKEY 256 3 5 ;{id = 54842 (zsk), size = 1024b}
>> [T] Existence denied: www.iis.se. DS
>> ;; No ds record for delegation
>> ;; Domain: www.iis.se.
>> ;; No DNSKEY record found for www.iis.se.
>> [T] www.iis.se. 60 IN A 212.247.7.221
>> ;;[S] self sig OK; [B] bogus; [T] trusted
>>
>> Is this a bug in drill, or did I do something wrong?
>>
>> Thanks !
>>
>> _______________________________________________
>> ldns-users mailing list
>> ldns-users at open.nlnetlabs.nl
>> http://open.nlnetlabs.nl/mailman/listinfo/ldns-users
>
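The key-tag mismatch behind the "No keys with the keytag and algorithm from the RRSIG found" message, as an added example (not code from drill or ldns) modelling the difference between the two kinds of drill run in this thread: the A RRSIG in the answer is made by the ZSK (id 54842) while iis.se.key holds only the KSK (id 18937), so a plain -D -k run has no key with that tag, and only a chased (-S) or traced (-T) run fetches the DNSKEY RRset that links the ZSK to the anchor. The keys and their key tags are constructed, and the two check functions are simplified models of the lookup, not drill's actual validation code.

```python
import base64
import struct

# Constructed keys, not real ones: short byte strings stand in for the RSA public keys.
# Flags 257 = KSK (SEP bit set), 256 = ZSK; protocol 3; algorithm 5 = RSASHA1, as for iis.se.
KSK = {"flags": 257, "protocol": 3, "algorithm": 5,
       "pubkey": base64.b64encode(bytes(range(1, 33))).decode()}
ZSK = {"flags": 256, "protocol": 3, "algorithm": 5,
       "pubkey": base64.b64encode(bytes(range(100, 116))).decode()}

def dnskey_keytag(key):
    """Key tag of a DNSKEY per RFC 4034 Appendix B (algorithms other than 1).
    This is the number drill prints as ';{id = N}' and that RRSIG and DS records carry."""
    rdata = struct.pack("!HBB", key["flags"], key["protocol"], key["algorithm"])
    rdata += base64.b64decode(key["pubkey"])
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def check_without_chase(rrsig_keytag, trusted):
    """Model of a bare '-D name -k file' run: the RRSIG's key tag is looked up only
    among the keys in the -k file. An answer signed by the ZSK never matches a KSK anchor."""
    if rrsig_keytag in trusted:
        return "VALIDATED by id = %d" % rrsig_keytag
    return "No keys with the keytag and algorithm from the RRSIG found (id = %d)" % rrsig_keytag

def check_with_chase(rrsig_keytag, dnskey_rrset, dnskey_rrsig_keytag, trusted):
    """Model of what -S (chase) or -T (trace) adds: the zone's DNSKEY RRset is fetched,
    the signing ZSK is located in it, and it is accepted only if that RRset is itself
    signed by a trusted key (the KSK from the -k file)."""
    rrset_tags = {dnskey_keytag(k) for k in dnskey_rrset}
    if rrsig_keytag not in rrset_tags:
        return "No DNSSEC public key(s)"
    if dnskey_rrsig_keytag in trusted:
        return "chain OK: id = %d signed by trusted id = %d" % (rrsig_keytag, dnskey_rrsig_keytag)
    return "Signature ok but no chain to a trusted key or ds record"

def demo():
    """Replay the thread's situation: the A RRSIG is made by the ZSK, the -k file holds the KSK."""
    trusted = {dnskey_keytag(KSK)}          # contents of the -k file
    a_rrsig_keytag = dnskey_keytag(ZSK)     # the key tag field of 'RRSIG A ...' in the answer
    return (check_without_chase(a_rrsig_keytag, trusted),
            check_with_chase(a_rrsig_keytag, [KSK, ZSK], dnskey_keytag(KSK), trusted))

if __name__ == "__main__":
    for line in demo():
        print(line)
```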