[ldns-users] Question about drill -T
Jan Komissar (jkomissa)
jkomissa at cisco.com
Mon Aug 2 20:52:52 UTC 2010
Hi,
I have ldns 1.6.5 and was trying to use drill to follow the trust chain
from root to org. and I got (slightly reformatted):
(my root-anchors.txt only has the root DS key from data.iana.org)
$ drill -k anchors/root-anchors.txt -TD org. NS
;; Number of trusted keys: 1
;; Domain: .
;; Signature ok but no chain to a trusted key or ds record
[S] . 86400 IN DNSKEY 257 3 8 ;{id = 19036 (ksk), size = 2048b}
. 86400 IN DNSKEY 256 3 8 ;{id = 41248 (zsk), size = 1024b}
Checking if signing key is trusted:
New key: . 86400 IN DNSKEY 256 3 8 AwEAAb1gcDhBlH/9MlgUxS0i
k2dwY/JiBIpV+EhKZV7LccxN
c6Qlj467QjHQ3Fgm2i2LE9w6
LqPFDSng5qVq1OYFyTBt3DQp
pqDnAPriTwW5qIQNDNFv34yo
63sAdBeU4G9tv7dzT5sPyAgm
Vh5HDCe+6XM2+Iel1+kUKCel
8Icy19hR ;{id = 41248
(zsk), size = 1024b}
Trusted key: . 3600 IN DS 19036 8 2 49aac11d7b6f6
446702e54a1607371607a1a4
1855200fd2ce1cdde32f24e8
fb5 ; xidep-pybec-tyvak-
zonag-kesud-vohip-cumul-
fysuk-bivac-pubam-hugeb-
buzud-symes-tylaf-dosog-
vufor-huxax
[S] org. 172800 IN DS 21366 7 1 e6c1716cfb6bdc84e84ce1ab5510dac69173b5b2
org. 172800 IN DS 21366 7 2 96eeb2ffd9b00cd4694e78278b5efdab0a80446567b6
9f634da078f0d90f01ba
;; Domain: org.
;; Signature ok but no chain to a trusted key or ds record
[S] org. 900 IN DNSKEY 256 3 7 ;{id = 61970 (zsk), size = 1024b}
org. 900 IN DNSKEY 256 3 7 ;{id = 52197 (zsk), size = 1024b}
org. 900 IN DNSKEY 257 3 7 ;{id = 21366 (ksk), size = 2048b}
org. 900 IN DNSKEY 257 3 7 ;{id = 9795 (ksk), size = 2048b}
[S] org. 86400 IN NS a0.org.afilias-nst.info.
org. 86400 IN NS a2.org.afilias-nst.info.
org. 86400 IN NS b0.org.afilias-nst.org.
org. 86400 IN NS b2.org.afilias-nst.org.
org. 86400 IN NS c0.org.afilias-nst.info.
org. 86400 IN NS d0.org.afilias-nst.org.
;;[S] self sig OK; [B] bogus; [T] trusted
And I noticed that it couldn't chain to a trusted key. So I took a look
at the code in drill/securetrace.c:do_secure_trace(), and found that it
doesn't insert the trusted keys from the command line into the list of
trusted DS RRs before it tries to verify the root. So I added the
following code:
    /* Add all preset trusted DS signatures to the list of trusted DS RRs.
     * trusted_keys holds the records read from the -k anchor file; only the
     * DS records among them are seeded into trusted_ds_rrs. */
    for (j = 0; j < ldns_rr_list_rr_count(trusted_keys); j++) {
            ldns_rr* one_rr = ldns_rr_list_rr(trusted_keys, j);
            if (ldns_rr_get_type(one_rr) == LDNS_RR_TYPE_DS) {
                    /* clone, so trusted_ds_rrs owns its own copy of the RR */
                    ldns_rr_list_push_rr(trusted_ds_rrs, ldns_rr_clone(one_rr));
            }
    }
after the trusted_ds_rrs list has been initialized. Now I get the
following results:
$ drill -k anchors/root-anchors.txt -TD org. NS
;; Number of trusted keys: 1
;; Domain: .
[T] . 86400 IN DNSKEY 257 3 8 ;{id = 19036 (ksk), size = 2048b}
. 86400 IN DNSKEY 256 3 8 ;{id = 41248 (zsk), size = 1024b}
Checking if signing key is trusted:
New key: . 86400 IN DNSKEY 256 3 8 AwEAAb1gcDhBlH/9MlgUxS0i
k2dwY/JiBIpV+EhKZV7LccxN
c6Qlj467QjHQ3Fgm2i2LE9w6
LqPFDSng5qVq1OYFyTBt3DQp
pqDnAPriTwW5qIQNDNFv34yo
63sAdBeU4G9tv7dzT5sPyAgm
Vh5HDCe+6XM2+Iel1+kUKCel
8Icy19hR ;{id = 41248
(zsk), size = 1024b}
Trusted key: . 3600 IN DS 19036 8 2 49aac11d7b6f6
446702e54a1607371607a1a4
1855200fd2ce1cdde32f24e8
fb5 ; xidep-pybec-tyvak-
zonag-kesud-vohip-cumul-
fysuk-bivac-pubam-hugeb-
buzud-symes-tylaf-dosog-
vufor-huxax
Trusted key: . 86400 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC
6Ia7gEzahOR+9W29euxhJhVV
LOyQbSEW0O8gcCjFFVQUTf6v
58fLjwBd0YI0EzrAcQqBGCzh
/RStIoO8g0NfnfL2MTJRkxoX
bfDaUeVPQuYEhg37NZWAJQ9V
nMVDxP/VHL496M/QZxkjf5/E
fucp2gaDX6RS6CXpoY68LsvP
VjR0ZSwzz1apAzvN9dlzEheX
7ICJBBtuA6G3LQpzW5hOA2hz
CTMjJPJ8LbqF6dsV6DoBQzgu
l0sGIcGOYl7OyQdXfZ57relS
Qageu+ipAdTTJ25AsRTAoub8
ONGcLmqrAmRLKBP1dfwhYB4N
7knNnulqQxA+Uk1ihz0=
;{id = 19036 (ksk), size
= 2048b}
Trusted key: . 86400 IN DNSKEY 256 3 8 AwEAAb1gcDhBlH/9
MlgUxS0ik2dwY/JiBIpV+EhK
ZV7LccxNc6Qlj467QjHQ3Fgm
2i2LE9w6LqPFDSng5qVq1OYF
yTBt3DQppqDnAPriTwW5qIQN
DNFv34yo63sAdBeU4G9tv7dz
T5sPyAgmVh5HDCe+6XM2+Iel
1+kUKCel8Icy19hR ;{id =
41248 (zsk), size = 1024b}
Key is now trusted!
[T] org. 172800 IN DS 21366 7 2 96eeb2ffd9b00cd4694e78278b5efdab0a804465
67b69f634da078f0d90f01ba
org. 172800 IN DS 21366 7 1 e6c1716cfb6bdc84e84ce1ab5510dac69173b5b2
;; Domain: org.
[T] org. 900 IN DNSKEY 256 3 7 ;{id = 61970 (zsk), size = 1024b}
org. 900 IN DNSKEY 256 3 7 ;{id = 52197 (zsk), size = 1024b}
org. 900 IN DNSKEY 257 3 7 ;{id = 21366 (ksk), size = 2048b}
org. 900 IN DNSKEY 257 3 7 ;{id = 9795 (ksk), size = 2048b}
[T] org. 86400 IN NS b0.org.afilias-nst.org.
org. 86400 IN NS a0.org.afilias-nst.info.
org. 86400 IN NS a2.org.afilias-nst.info.
org. 86400 IN NS b2.org.afilias-nst.org.
org. 86400 IN NS d0.org.afilias-nst.org.
org. 86400 IN NS c0.org.afilias-nst.info.
;;[S] self sig OK; [B] bogus; [T] trusted
where the data is trusted all the way. Now, my question is if this is
the correct way to solve this problem. Another way of solving this is to
put the root DNSKEY in the root-anchors.txt file, although in the
unbound "Howto enable DNSSEC" article
(http://unbound.net/documentation/howto_anchor.html), it shows only DS
records in the anchor files. And I think drill should be able to work
with only DS records in the trust anchors.
Any comments?
Thanks,
Jan.
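As an added illustration (not part of Jan's message or of the ldns sources) of the step his patch restores, the following shows how a DS-only trust anchor vouches for a DNSKEY: the anchor's digest is recomputed over the owner name and the DNSKEY RDATA (RFC 4034), using the root KSK, root ZSK and DS record quoted in the drill output above. The function names are mine, and the records are embedded as constants with the ";{id = ...}" comments stripped.

```python
import base64
import hashlib
import struct

# Constructed from the records quoted in the drill output above: root KSK 19036,
# root ZSK 41248 and the DS anchor from root-anchors.txt (comments stripped).
ROOT_KSK = (". 86400 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC" "6Ia7gEzahOR+9W29euxhJhVV" "LOyQbSEW0O8gcCjFFVQUTf6v"
            "58fLjwBd0YI0EzrAcQqBGCzh" "/RStIoO8g0NfnfL2MTJRkxoX" "bfDaUeVPQuYEhg37NZWAJQ9V" "nMVDxP/VHL496M/QZxkjf5/E"
            "fucp2gaDX6RS6CXpoY68LsvP" "VjR0ZSwzz1apAzvN9dlzEheX" "7ICJBBtuA6G3LQpzW5hOA2hz" "CTMjJPJ8LbqF6dsV6DoBQzgu"
            "l0sGIcGOYl7OyQdXfZ57relS" "Qageu+ipAdTTJ25AsRTAoub8" "ONGcLmqrAmRLKBP1dfwhYB4N" "7knNnulqQxA+Uk1ihz0=")
ROOT_ZSK = (". 86400 IN DNSKEY 256 3 8 AwEAAb1gcDhBlH/9" "MlgUxS0ik2dwY/JiBIpV+EhK" "ZV7LccxNc6Qlj467QjHQ3Fgm"
            "2i2LE9w6LqPFDSng5qVq1OYF" "yTBt3DQppqDnAPriTwW5qIQN" "DNFv34yo63sAdBeU4G9tv7dz" "T5sPyAgmVh5HDCe+6XM2+Iel"
            "1+kUKCel8Icy19hR")
ROOT_DS = ". 3600 IN DS 19036 8 2 49aac11d7b6f6446702e54a1607371607a1a41855200fd2ce1cdde32f24e8fb5"
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types (RFC 4034/4509/6605)

def name_to_wire(name):
    """Owner name in canonical (lower-case) wire format; the root "." is a single zero byte."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def parse_dnskey(rr_text):
    """Presentation-format DNSKEY RR -> (owner, RDATA bytes: flags, protocol, algorithm, key)."""
    owner, _ttl, _cls, rrtype, flags, proto, alg, *key = rr_text.split()
    assert rrtype == "DNSKEY"
    return owner, struct.pack("!HBB", int(flags), int(proto), int(alg)) + base64.b64decode("".join(key))

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034 appendix B)."""
    acc = sum((b << 8) if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_matches_dnskey(ds_text, dnskey_text):
    """True iff the DS record's digest was computed over this DNSKEY RR."""
    ds_owner, _ttl, _cls, rrtype, tag, alg, dtype, *digest = ds_text.split()
    assert rrtype == "DS"
    key_owner, rdata = parse_dnskey(dnskey_text)
    if ds_owner.lower() != key_owner.lower() or int(tag) != key_tag(rdata) or int(alg) != rdata[3]:
        return False
    hasher = DIGESTS.get(int(dtype))
    if hasher is None:
        return False  # unknown digest type: no match, never an implicit "trusted"
    return hasher(name_to_wire(key_owner) + rdata).hexdigest() == "".join(digest).lower()

def keys_trusted_by_anchors(ds_anchors, dnskey_rrset):
    """The step the patch restores: DNSKEYs that a preset DS anchor vouches for."""
    return [k for k in dnskey_rrset if any(ds_matches_dnskey(d, k) for d in ds_anchors)]
```

Only the KSK is vouched for by the DS anchor; the ZSK becomes trusted through the KSK's RRSIG over the DNSKEY RRset, which is the "Checking if signing key is trusted" step in the drill output and is not covered here.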