[ldns-users] Question about drill -T
Jan Komissar (jkomissa)
jkomissa at cisco.com
Thu Aug 5 15:57:24 UTC 2010
Hi Matthijs,
It turns out that "drill -h" and "man drill" have slightly different
documentation of "-k":
drill -h
=========
-k <file> specify a file that contains a trusted DNSSEC key [**] used to
verify any signatures in the current answer
man drill
==========
-k keyfile Use this file to read a (trusted) key from. When this options
is given drill tries to validate the current answer with this key. No
chasing is done. When drill is doing a secure trace, this key will be
used as trust anchor.
That's what happens when there are two sources of data....
All the best,
Jan.
-----Original Message-----
From: Matthijs Mekking [mailto:matthijs at NLnetLabs.nl]
Sent: Thursday, August 05, 2010 10:48 AM
To: Jan Komissar (jkomissa)
Cc: ldns-users at open.nlnetlabs.nl
Subject: Re: [ldns-users] Question about drill -T
Hi Jan,
Well actually, the documentation does say that the file given with -k
should contain a DNSKEY :).
But I agree that drill should be able to work with DS records in
the trust anchor file. I have committed your change to the trunk.
Best regards,
Matthijs
On 08/02/2010 10:52 PM, Jan Komissar (jkomissa) wrote:
> Hi,
>
> I have ldns 1.6.5 and was trying to use drill to follow the trust
> chain from root to org. and I got (slightly reformatted):
>
> (my root-anchors.txt only has the root DS key from data.iana.org)
>
> $ drill -k anchors/root-anchors.txt -TD org. NS
> ;; Number of trusted keys: 1
> ;; Domain: .
> ;; Signature ok but no chain to a trusted key or ds record
> [S] . 86400 IN DNSKEY 257 3 8 ;{id = 19036 (ksk), size = 2048b}
> . 86400 IN DNSKEY 256 3 8 ;{id = 41248 (zsk), size = 1024b}
> Checking if signing key is trusted:
> New key: . 86400 IN DNSKEY 256 3 8 AwEAAb1gcDhBlH/9MlgUxS0ik2dwY/JiBIpV+EhKZV7LccxNc6Qlj467QjHQ3Fgm2i2LE9w6LqPFDSng5qVq1OYFyTBt3DQppqDnAPriTwW5qIQNDNFv34yo63sAdBeU4G9tv7dzT5sPyAgmVh5HDCe+6XM2+Iel1+kUKCel8Icy19hR ;{id = 41248 (zsk), size = 1024b}
> Trusted key: . 3600 IN DS 19036 8 2 49aac11d7b6f6446702e54a1607371607a1a41855200fd2ce1cdde32f24e8fb5 ; xidep-pybec-tyvak-zonag-kesud-vohip-cumul-fysuk-bivac-pubam-hugeb-buzud-symes-tylaf-dosog-vufor-huxax
> [S] org. 172800 IN DS 21366 7 1 e6c1716cfb6bdc84e84ce1ab5510dac69173b5b2
> org. 172800 IN DS 21366 7 2 96eeb2ffd9b00cd4694e78278b5efdab0a80446567b69f634da078f0d90f01ba
> ;; Domain: org.
> ;; Signature ok but no chain to a trusted key or ds record
> [S] org. 900 IN DNSKEY 256 3 7 ;{id = 61970 (zsk), size = 1024b}
> org. 900 IN DNSKEY 256 3 7 ;{id = 52197 (zsk), size = 1024b}
> org. 900 IN DNSKEY 257 3 7 ;{id = 21366 (ksk), size = 2048b}
> org. 900 IN DNSKEY 257 3 7 ;{id = 9795 (ksk), size = 2048b}
> [S] org. 86400 IN NS a0.org.afilias-nst.info.
> org. 86400 IN NS a2.org.afilias-nst.info.
> org. 86400 IN NS b0.org.afilias-nst.org.
> org. 86400 IN NS b2.org.afilias-nst.org.
> org. 86400 IN NS c0.org.afilias-nst.info.
> org. 86400 IN NS d0.org.afilias-nst.org.
> ;;[S] self sig OK; [B] bogus; [T] trusted
>
> And I noticed that it couldn't chain to a trusted key. So I took a look
> at the code in drill/securetrace.c:do_secure_trace(), and found that it
> doesn't insert the trusted keys from the command line into the list of
> trusted DS RRs before it tries to verify the root. So I added the
> following code:
>
> /* Add all preset trusted DS records to the list of trusted DS RRs. */
> for (j = 0; j < ldns_rr_list_rr_count(trusted_keys); j++) {
>         ldns_rr *one_rr = ldns_rr_list_rr(trusted_keys, j);
>         if (ldns_rr_get_type(one_rr) == LDNS_RR_TYPE_DS) {
>                 ldns_rr_list_push_rr(trusted_ds_rrs, ldns_rr_clone(one_rr));
>         }
> }
>
> after the trusted_ds_rrs list has been initialized. Now I get the
> following results:
>
> $ drill -k anchors/root-anchors.txt -TD org. NS
> ;; Number of trusted keys: 1
> ;; Domain: .
> [T] . 86400 IN DNSKEY 257 3 8 ;{id = 19036 (ksk), size = 2048b}
> . 86400 IN DNSKEY 256 3 8 ;{id = 41248 (zsk), size = 1024b}
> Checking if signing key is trusted:
> New key: . 86400 IN DNSKEY 256 3 8 AwEAAb1gcDhBlH/9MlgUxS0ik2dwY/JiBIpV+EhKZV7LccxNc6Qlj467QjHQ3Fgm2i2LE9w6LqPFDSng5qVq1OYFyTBt3DQppqDnAPriTwW5qIQNDNFv34yo63sAdBeU4G9tv7dzT5sPyAgmVh5HDCe+6XM2+Iel1+kUKCel8Icy19hR ;{id = 41248 (zsk), size = 1024b}
> Trusted key: . 3600 IN DS 19036 8 2 49aac11d7b6f6446702e54a1607371607a1a41855200fd2ce1cdde32f24e8fb5 ; xidep-pybec-tyvak-zonag-kesud-vohip-cumul-fysuk-bivac-pubam-hugeb-buzud-symes-tylaf-dosog-vufor-huxax
> Trusted key: . 86400 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b}
> Trusted key: . 86400 IN DNSKEY 256 3 8 AwEAAb1gcDhBlH/9MlgUxS0ik2dwY/JiBIpV+EhKZV7LccxNc6Qlj467QjHQ3Fgm2i2LE9w6LqPFDSng5qVq1OYFyTBt3DQppqDnAPriTwW5qIQNDNFv34yo63sAdBeU4G9tv7dzT5sPyAgmVh5HDCe+6XM2+Iel1+kUKCel8Icy19hR ;{id = 41248 (zsk), size = 1024b}
> Key is now trusted!
> [T] org. 172800 IN DS 21366 7 2 96eeb2ffd9b00cd4694e78278b5efdab0a80446567b69f634da078f0d90f01ba
> org. 172800 IN DS 21366 7 1 e6c1716cfb6bdc84e84ce1ab5510dac69173b5b2
> ;; Domain: org.
> [T] org. 900 IN DNSKEY 256 3 7 ;{id = 61970 (zsk), size = 1024b}
> org. 900 IN DNSKEY 256 3 7 ;{id = 52197 (zsk), size = 1024b}
> org. 900 IN DNSKEY 257 3 7 ;{id = 21366 (ksk), size = 2048b}
> org. 900 IN DNSKEY 257 3 7 ;{id = 9795 (ksk), size = 2048b}
> [T] org. 86400 IN NS b0.org.afilias-nst.org.
> org. 86400 IN NS a0.org.afilias-nst.info.
> org. 86400 IN NS a2.org.afilias-nst.info.
> org. 86400 IN NS b2.org.afilias-nst.org.
> org. 86400 IN NS d0.org.afilias-nst.org.
> org. 86400 IN NS c0.org.afilias-nst.info.
> ;;[S] self sig OK; [B] bogus; [T] trusted
>
> where the data is trusted all the way. Now, my question is if this is
> the correct way to solve this problem. Another way of solving this is to
> put the root DNSKEY in the root-anchors.txt file, although in the
> unbound "Howto enable DNSSEC" article
> (http://unbound.net/documentation/howto_anchor.html), it shows only DS
> records in the anchor files. And I think drill should be able to work
> with only DS records in the trust anchors.
>
> Any comments?
>
> Thanks,
>
> Jan.
>
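The "Checking if signing key is trusted" step in the traces above comes down to one check: does a DS record from the anchor file commit to the DNSKEY the zone is serving? The following is an added example (not ldns or drill code; helper names are my own) that performs that DS-to-DNSKEY match in Python, using the root KSK, ZSK and DS values quoted in the thread, and shows that only the KSK with id 19036 is what the DS anchor trusts.

```python
import base64
import hashlib

# Root KSK (id 19036), root ZSK (id 41248) and the root DS, as printed by drill in the thread.
ROOT_KSK_B64 = (
    "AwEAAagAIKlVZrpC" "6Ia7gEzahOR+9W29euxhJhVV" "LOyQbSEW0O8gcCjFFVQUTf6v"
    "58fLjwBd0YI0EzrAcQqBGCzh" "/RStIoO8g0NfnfL2MTJRkxoX" "bfDaUeVPQuYEhg37NZWAJQ9V"
    "nMVDxP/VHL496M/QZxkjf5/E" "fucp2gaDX6RS6CXpoY68LsvP" "VjR0ZSwzz1apAzvN9dlzEheX"
    "7ICJBBtuA6G3LQpzW5hOA2hz" "CTMjJPJ8LbqF6dsV6DoBQzgu" "l0sGIcGOYl7OyQdXfZ57relS"
    "Qageu+ipAdTTJ25AsRTAoub8" "ONGcLmqrAmRLKBP1dfwhYB4N" "7knNnulqQxA+Uk1ihz0="
)
ROOT_ZSK_B64 = (
    "AwEAAb1gcDhBlH/9MlgUxS0i" "k2dwY/JiBIpV+EhKZV7LccxN" "c6Qlj467QjHQ3Fgm2i2LE9w6"
    "LqPFDSng5qVq1OYFyTBt3DQp" "pqDnAPriTwW5qIQNDNFv34yo" "63sAdBeU4G9tv7dzT5sPyAgm"
    "Vh5HDCe+6XM2+Iel1+kUKCel" "8Icy19hR"
)
# DS RDATA: key tag, algorithm, digest type, digest (hex).
ROOT_DS = (19036, 8, 2, "49aac11d7b6f6446702e54a1607371607a1a41855200fd2ce1cdde32f24e8fb5")


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """Wire-format DNSKEY RDATA (RFC 4034, section 2.1)."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034, appendix B; not valid for algorithm 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name):
    """Canonical (lower-case) wire form of an owner name; "." is a single zero octet."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def dnskey_matches_ds(owner, flags, protocol, algorithm, pubkey_b64, ds):
    """True iff the DS commits to this DNSKEY: same algorithm, same key tag, and
    digest == hash(owner wire form || DNSKEY RDATA) (RFC 4034, section 5.1.4)."""
    tag, alg, digest_type, digest = ds
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    calc = hasher(owner_wire(owner) + rdata).hexdigest()
    return algorithm == alg and key_tag(rdata) == tag and calc == digest.lower()


if __name__ == "__main__":
    print("KSK 19036 matches root DS:", dnskey_matches_ds(".", 257, 3, 8, ROOT_KSK_B64, ROOT_DS))
    print("ZSK 41248 matches root DS:", dnskey_matches_ds(".", 256, 3, 8, ROOT_ZSK_B64, ROOT_DS))
```

The ZSK is not matched by the anchor; it becomes trusted only because the KSK that the DS does match signs the root DNSKEY RRset, which is exactly the link drill could not make before the patch.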