[ldns-users] Question about drill -T
Matthijs Mekking
matthijs at NLnetLabs.nl
Thu Aug 5 14:47:31 UTC 2010
Hi Jan,
Well actually, the documentation does say that the file given with -k
should contain a DNSKEY :).
But I agree that drill should be able to work with DS records in
the trust anchor file. I have committed your change to the trunk.
Best regards,
Matthijs
On 08/02/2010 10:52 PM, Jan Komissar (jkomissa) wrote:
> Hi,
>
> I have ldns 1.6.5 and was trying to use drill to follow the trust
> chain from root to org. and I got (slightly reformatted):
>
> (my root-anchors.txt only has the root DS key from data.iana.org)
>
> $ drill -k anchors/root-anchors.txt -TD org. NS
>
> ;; Number of trusted keys: 1
> ;; Domain: .
> ;; Signature ok but no chain to a trusted key or ds record
> [S] . 86400 IN DNSKEY 257 3 8 ;{id = 19036 (ksk), size = 2048b}
> . 86400 IN DNSKEY 256 3 8 ;{id = 41248 (zsk), size = 1024b}
> Checking if signing key is trusted:
> New key: . 86400 IN DNSKEY 256 3 8 AwEAAb1gcDhBlH/9MlgUxS0ik2dwY/JiBIpV+EhKZV7LccxNc6Qlj467QjHQ3Fgm2i2LE9w6LqPFDSng5qVq1OYFyTBt3DQppqDnAPriTwW5qIQNDNFv34yo63sAdBeU4G9tv7dzT5sPyAgmVh5HDCe+6XM2+Iel1+kUKCel8Icy19hR ;{id = 41248 (zsk), size = 1024b}
> Trusted key: . 3600 IN DS 19036 8 2 49aac11d7b6f6446702e54a1607371607a1a41855200fd2ce1cdde32f24e8fb5 ; xidep-pybec-tyvak-zonag-kesud-vohip-cumul-fysuk-bivac-pubam-hugeb-buzud-symes-tylaf-dosog-vufor-huxax
> [S] org. 172800 IN DS 21366 7 1 e6c1716cfb6bdc84e84ce1ab5510dac69173b5b2
> org. 172800 IN DS 21366 7 2 96eeb2ffd9b00cd4694e78278b5efdab0a80446567b69f634da078f0d90f01ba
> ;; Domain: org.
> ;; Signature ok but no chain to a trusted key or ds record
> [S] org. 900 IN DNSKEY 256 3 7 ;{id = 61970 (zsk), size = 1024b}
> org. 900 IN DNSKEY 256 3 7 ;{id = 52197 (zsk), size = 1024b}
> org. 900 IN DNSKEY 257 3 7 ;{id = 21366 (ksk), size = 2048b}
> org. 900 IN DNSKEY 257 3 7 ;{id = 9795 (ksk), size = 2048b}
> [S] org. 86400 IN NS a0.org.afilias-nst.info.
> org. 86400 IN NS a2.org.afilias-nst.info.
> org. 86400 IN NS b0.org.afilias-nst.org.
> org. 86400 IN NS b2.org.afilias-nst.org.
> org. 86400 IN NS c0.org.afilias-nst.info.
> org. 86400 IN NS d0.org.afilias-nst.org.
> ;;[S] self sig OK; [B] bogus; [T] trusted
>
> And I noticed that it couldn’t chain to a trusted key. So I took a look
> at the code in drill/securetrace.c:do_secure_trace(), and found that it
> doesn’t insert the trusted keys from the command line into the list of
> trusted DS RRs before it tries to verify the root. So I added the
> following code:
>
> /* Add all preset trusted DS records (from the -k anchor file) to the
>  * list of trusted DS RRs, so the root DNSKEY RRset can chain to them. */
> for (j = 0; j < ldns_rr_list_rr_count(trusted_keys); j++) {
>     ldns_rr *one_rr = ldns_rr_list_rr(trusted_keys, j);
>     if (ldns_rr_get_type(one_rr) == LDNS_RR_TYPE_DS) {
>         ldns_rr_list_push_rr(trusted_ds_rrs, ldns_rr_clone(one_rr));
>     }
> }
>
> after the trusted_ds_rrs list has been initialized. Now I get the
> following results:
>
> $ drill -k anchors/root-anchors.txt -TD org. NS
>
> ;; Number of trusted keys: 1
> ;; Domain: .
> [T] . 86400 IN DNSKEY 257 3 8 ;{id = 19036 (ksk), size = 2048b}
> . 86400 IN DNSKEY 256 3 8 ;{id = 41248 (zsk), size = 1024b}
> Checking if signing key is trusted:
> New key: . 86400 IN DNSKEY 256 3 8 AwEAAb1gcDhBlH/9MlgUxS0ik2dwY/JiBIpV+EhKZV7LccxNc6Qlj467QjHQ3Fgm2i2LE9w6LqPFDSng5qVq1OYFyTBt3DQppqDnAPriTwW5qIQNDNFv34yo63sAdBeU4G9tv7dzT5sPyAgmVh5HDCe+6XM2+Iel1+kUKCel8Icy19hR ;{id = 41248 (zsk), size = 1024b}
> Trusted key: . 3600 IN DS 19036 8 2 49aac11d7b6f6446702e54a1607371607a1a41855200fd2ce1cdde32f24e8fb5 ; xidep-pybec-tyvak-zonag-kesud-vohip-cumul-fysuk-bivac-pubam-hugeb-buzud-symes-tylaf-dosog-vufor-huxax
> Trusted key: . 86400 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b}
> Trusted key: . 86400 IN DNSKEY 256 3 8 AwEAAb1gcDhBlH/9MlgUxS0ik2dwY/JiBIpV+EhKZV7LccxNc6Qlj467QjHQ3Fgm2i2LE9w6LqPFDSng5qVq1OYFyTBt3DQppqDnAPriTwW5qIQNDNFv34yo63sAdBeU4G9tv7dzT5sPyAgmVh5HDCe+6XM2+Iel1+kUKCel8Icy19hR ;{id = 41248 (zsk), size = 1024b}
> Key is now trusted!
> [T] org. 172800 IN DS 21366 7 2 96eeb2ffd9b00cd4694e78278b5efdab0a80446567b69f634da078f0d90f01ba
> org. 172800 IN DS 21366 7 1 e6c1716cfb6bdc84e84ce1ab5510dac69173b5b2
> ;; Domain: org.
> [T] org. 900 IN DNSKEY 256 3 7 ;{id = 61970 (zsk), size = 1024b}
> org. 900 IN DNSKEY 256 3 7 ;{id = 52197 (zsk), size = 1024b}
> org. 900 IN DNSKEY 257 3 7 ;{id = 21366 (ksk), size = 2048b}
> org. 900 IN DNSKEY 257 3 7 ;{id = 9795 (ksk), size = 2048b}
> [T] org. 86400 IN NS b0.org.afilias-nst.org.
> org. 86400 IN NS a0.org.afilias-nst.info.
> org. 86400 IN NS a2.org.afilias-nst.info.
> org. 86400 IN NS b2.org.afilias-nst.org.
> org. 86400 IN NS d0.org.afilias-nst.org.
> org. 86400 IN NS c0.org.afilias-nst.info.
> ;;[S] self sig OK; [B] bogus; [T] trusted
>
> where the data is trusted all the way. Now, my question is if this is
> the correct way to solve this problem. Another way of solving this is to
> put the root DNSKEY in the root-anchors.txt file, although in the
> unbound "Howto enable DNSSEC" article
> (http://unbound.net/documentation/howto_anchor.html), it shows only DS
> records in the anchor files. And I think drill should be able to work
> with only DS records in the trust anchors.
>
> Any comments?
>
> Thanks,
>
> Jan.
>
>
>
> _______________________________________________
> ldns-users mailing list
> ldns-users at open.nlnetlabs.nl
> http://open.nlnetlabs.nl/mailman/listinfo/ldns-users