[ldns-users] drill -k <DS> ?

Matthijs Mekking matthijs at NLnetLabs.nl
Mon Mar 7 14:37:10 UTC 2011


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Gilles,

On 03/07/2011 02:53 PM, Gilles Massen wrote:
> Hello Matthijs,
> 
>> Wouter stands corrected: the -k *is* implemented and it *does* accept
>> DS records.
> 
> Glad to hear that :)
> 
>> My guess is that you want to chase the signatures: add -S on the command
>> line.
> 
> Not really. It might be possible, but chasing is too clever for my
> purpose. I don't want to leave the realm of the zone/server to be
> checked...climbing the DNS tree up does not fit.

Sorry, providing DS records in the keyfile only makes sense when chasing
signatures or doing a secure trace. Otherwise, drill tries to validate
the answer with the keys in the keyfile (without chasing). Just like the
manpage says:)

> Actually I want to answer a single question: "can I validate this
> zone/record with the DS I have" (and the DS is for the zone, not for
> anywhere up the tree).
> 
> drill -k <keyfile> with DNSKEY does exactly that, so I'm a bit back to
> square one: if it does indeed accept DS records, what could I be doing
> wrong? Or is the use case ( -k <ds> -D ) not supported ?

Technically, you can't validate the answer with DS records; you'll need
to find the correct DNSKEY RRset. So you need to make a secure trace
between the DS RRs and the DNSKEY RRset.

So:
drill <name> -k <ds> -D is not supported (or at least not in the way you
expect it to be).
drill <name> -k <ds> -D [-S|-T] is supported.

Best regards,

Matthijs
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJNdO2WAAoJEA8yVCPsQCW5EaMH+wRh1m208boIn9dwVESA9e00
j0mfUNb/kEyTKerjGFwWUZBhyww3L+dci/KgP00vbD6Bq5GxaDavPw+/8Iiz9qv8
mWaMoafNTA9on9OnS0r0l7WSshr1EGmxnLwkE5j2yVBqopI68sZG5KpAfSrfZHRf
jwnT+iZa0JW1yZgtO3O4Q1GaJWOmD8X3XZmRsVUKmEZiLRv8N+uoihhDX+9EMQ6K
9xkdMI16VtzEhNC5QsWPS1NL57gdr/7QyS36M2pXkArb02mGbrDfS6YZg1r6wuef
TpHqlTeMqgLDDuQF6P/JBG8SgyJ4TFuZ2+ugRatDJ1vU+NSs93YmmIo/TicL2Zs=
=Cx1/
-----END PGP SIGNATURE-----
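The "secure trace between the DS RRs and the DNSKEY RRset" that the reply talks about is, at the DS-to-DNSKEY step, a digest comparison: a DS holds only a key tag, an algorithm and a hash of one DNSKEY, so it can select a key from the zone's DNSKEY RRset but can never check an RRSIG by itself. The Python below is an added example written for this page, not code from ldns, drill or anyone in the thread. It builds the DS for a DNSKEY (the way ldns-key2ds would) and picks out which keys of an RRset a given set of DS records vouches for; the owner name and key material are constructed and meaningless, not a real zone's. Verifying RRSIGs with the selected keys, which is what drill -k does once it has DNSKEYs, is outside this example.

```python
"""Match DS records against a DNSKEY RRset: the DS-to-DNSKEY step of a secure trace.

Added example for the ldns-users thread above; not ldns or drill code.
Record layouts follow RFC 4034 (DNSKEY sec. 2, DS sec. 5, key tag App. B).
"""
import base64
import hashlib
import struct

# DS digest type -> hash constructor (1 SHA-1, 2 SHA-256 per RFC 4509, 4 SHA-384 per RFC 6605).
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

# Constructed sample: a fake KSK for example.com (flags 257 = zone key + SEP bit,
# protocol 3, algorithm 8).  "AwEAAQ==" is base64 of the bytes 03 01 00 01, not a real key.
SAMPLE_DNSKEY = "example.com. DNSKEY 257 3 8 AwEAAQ=="


def name_to_wire(name):
    """Canonical (lower-case, absolute) wire form of an owner name, RFC 4034 sec. 6.2."""
    name = name.rstrip(".").lower()
    labels = name.split(".") if name else []
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B.  A 16-bit checksum used as a pre-filter only."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type):
    """Upper-case hex of digest(owner-name-wire || DNSKEY RDATA), as carried in a DS."""
    return DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()


def parse_dnskey(line):
    """Parse 'owner DNSKEY flags proto alg key...' (presentation format, no TTL/class)."""
    owner, _, flags, proto, alg, *key = line.split()
    rdata = dnskey_rdata(int(flags), int(proto), int(alg), "".join(key))
    return {"owner": owner, "alg": int(alg), "tag": key_tag(rdata), "rdata": rdata}


def parse_ds(line):
    """Parse 'owner DS tag alg digest_type digest...' (presentation format, no TTL/class)."""
    owner, _, tag, alg, dtype, *digest = line.split()
    return {"owner": owner, "tag": int(tag), "alg": int(alg),
            "dtype": int(dtype), "digest": "".join(digest).upper()}


def make_ds(dnskey, digest_type):
    """Derive the DS record for a parsed DNSKEY (what ldns-key2ds computes)."""
    return {"owner": dnskey["owner"], "tag": dnskey["tag"], "alg": dnskey["alg"],
            "dtype": digest_type,
            "digest": ds_digest(dnskey["owner"], dnskey["rdata"], digest_type)}


def keys_matching_ds(ds_records, dnskey_records):
    """Return the DNSKEYs that some DS vouches for; only these may anchor validation.

    Owner name, key tag and algorithm are pre-filters; the digest is what binds.
    A DS with a digest type we cannot compute is skipped (no anchor from it).
    """
    trusted = []
    for ds in ds_records:
        if ds["dtype"] not in DIGESTS:
            continue
        for key in dnskey_records:
            if name_to_wire(key["owner"]) != name_to_wire(ds["owner"]):
                continue
            if key["tag"] != ds["tag"] or key["alg"] != ds["alg"]:
                continue
            if ds_digest(key["owner"], key["rdata"], ds["dtype"]) == ds["digest"]:
                if key not in trusted:
                    trusted.append(key)
    return trusted


if __name__ == "__main__":
    key = parse_dnskey(SAMPLE_DNSKEY)
    ds = make_ds(key, 2)
    print(f"{ds['owner']} DS {ds['tag']} {ds['alg']} {ds['dtype']} {ds['digest']}")
    print("keys the DS vouches for:", [k["tag"] for k in keys_matching_ds([ds], [key])])
```

Usage: feed `keys_matching_ds` the DS records you hold and the DNSKEY RRset fetched from the zone's own servers; an empty result means none of your DS records selects a key, so no RRSIG from that zone can be validated against them. A non-empty result gives you the DNSKEYs to put in the keyfile for a plain `drill -k <keyfile> -D` run, which is the step the reply says DS records alone cannot do.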
