[ldns-users] drill validation issue

Klaus Darilion klaus.mailinglists at pernau.at
Mon Jun 23 09:19:35 UTC 2014


Hi!

I periodically validate some signed domains with drill. Once in a while
the validation fails and the reported problem is always in the root
zone. I couldn't find any problems there and I guess if the problem is
really in the root zone it would cause some noise.

Thus I think that drill is buggy when checking the signatures. See the
example attached.

1. The TTL of the RRSIG is different to the TTL of the DNSKEY. Thus I
suspect that drill mixes responses from several resolvers and checks the
RRSIG of one response against the records from another responses.

2. drill shows 2 DNSKEY RRs of the root zone. But there are 3 (2 ZSK + 1
KSK).

regards
Klaus

-------------- next part --------------
drill -k /etc/bind/root-dnskey -S www.dev-nsec.rc0-testing.dnssec-signiert.at
;; Number of trusted keys: 1
;; Chasing: www.dev-nsec.rc0-testing.dnssec-signiert.at. A


DNSSEC Trust tree:
www.dev-nsec.rc0-testing.dnssec-signiert.at. (A)
|---dev-nsec.rc0-testing.dnssec-signiert.at. (DNSKEY keytag: 63780 alg: 5 flags: 256)
    |---dev-nsec.rc0-testing.dnssec-signiert.at. (DNSKEY keytag: 55591 alg: 5 flags: 257)
    |---dev-nsec.rc0-testing.dnssec-signiert.at. (DS keytag: 55591 digest type: 2)
        |---rc0-testing.dnssec-signiert.at. (DNSKEY keytag: 9618 alg: 5 flags: 256)
            |---rc0-testing.dnssec-signiert.at. (DNSKEY keytag: 59227 alg: 5 flags: 257)
            |---rc0-testing.dnssec-signiert.at. (DS keytag: 59227 digest type: 2)
                |---dnssec-signiert.at. (DNSKEY keytag: 60710 alg: 7 flags: 256)
                    |---dnssec-signiert.at. (DNSKEY keytag: 39606 alg: 7 flags: 257)
                    |---dnssec-signiert.at. (DS keytag: 39606 digest type: 2)
                        |---at. (DNSKEY keytag: 7906 alg: 8 flags: 256)
                            |---at. (DNSKEY keytag: 60836 alg: 8 flags: 257)
                            |---at. (DS keytag: 56489 digest type: 2)
                            |   |---. (DNSKEY keytag: 40926 alg: 8 flags: 256)
                            |       |---Bogus DNSSEC signature:
.	116937	IN	RRSIG	DNSKEY 8 0 172800 20140705235959 20140620000000 19036 . OWYyUDHJjQxh2KGaNdXqkvnmPj8E5Jafyya42A9oPOBBZ1L16Db7PTa4/pwbuSgteAI3gGP3hPRUAnGLx87c0JK6DUWnbiElMY/eUmZO6j2sq0mLKZKM7CRdOd8erIlFiPUnOwOPOEDolH0RxdJYkV4N0z6cujA/Bfx8i8NSlnIu/yvDPxSwio5CrdSQ2UgDKY3WUVyoGWePySYd2i6kHyd7DqTVkWfkvMqcU1kQbABlDO0GPL9UQym/WAf13qXA/rN49aQyiVsldzyug8EDWhZIbcviBPf2McJnLz6X1hTMD7nT3kVGSbLnBmgyu2QJc10wVv+M4iuUtSWsmo8Byw==
For RRset:
.	46368	IN	DNSKEY	256 3 8 AwEAAZvJd8ORk+jmZ41QMYbQ1XCpf60l6YJuHtnxn0VSh5a5vqwEjTST3/PZ4xhUFu2YcTfRNWxs9WTiGZl3MY/UlBIvzpLhKgKnf9Vk8sEU3q0nmOGFgE6jTi/cU95ATU/2dTQovMDv9XyWvrmj8KIG2brj6mF4S8GTae6G2GwbMF5v ;{id = 40926 (zsk), size = 1024b}
.	46368	IN	DNSKEY	257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b}
With key:
.	46368	IN	DNSKEY	257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b}
                            |       |---. (DNSKEY keytag: 19036 alg: 8 flags: 257)
                            |---at. (DS keytag: 60836 digest type: 2)
                                |---. (DNSKEY keytag: 40926 alg: 8 flags: 256)
                                    |---Bogus DNSSEC signature:
.	116937	IN	RRSIG	DNSKEY 8 0 172800 20140705235959 20140620000000 19036 . OWYyUDHJjQxh2KGaNdXqkvnmPj8E5Jafyya42A9oPOBBZ1L16Db7PTa4/pwbuSgteAI3gGP3hPRUAnGLx87c0JK6DUWnbiElMY/eUmZO6j2sq0mLKZKM7CRdOd8erIlFiPUnOwOPOEDolH0RxdJYkV4N0z6cujA/Bfx8i8NSlnIu/yvDPxSwio5CrdSQ2UgDKY3WUVyoGWePySYd2i6kHyd7DqTVkWfkvMqcU1kQbABlDO0GPL9UQym/WAf13qXA/rN49aQyiVsldzyug8EDWhZIbcviBPf2McJnLz6X1hTMD7nT3kVGSbLnBmgyu2QJc10wVv+M4iuUtSWsmo8Byw==
For RRset:
.	46368	IN	DNSKEY	256 3 8 AwEAAZvJd8ORk+jmZ41QMYbQ1XCpf60l6YJuHtnxn0VSh5a5vqwEjTST3/PZ4xhUFu2YcTfRNWxs9WTiGZl3MY/UlBIvzpLhKgKnf9Vk8sEU3q0nmOGFgE6jTi/cU95ATU/2dTQovMDv9XyWvrmj8KIG2brj6mF4S8GTae6G2GwbMF5v ;{id = 40926 (zsk), size = 1024b}
.	46368	IN	DNSKEY	257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b}
With key:
.	46368	IN	DNSKEY	257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b}
                                    |---. (DNSKEY keytag: 19036 alg: 8 flags: 257)
No trusted keys found in tree: first error was: Bogus DNSSEC signature
;; Chase failed.
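A small checker, added here and not part of the thread or of ldns, that parses the RRSIG and DNSKEY lines of the "Bogus DNSSEC signature" block above and reports the two indicators from the mail: the RRSIG's remaining TTL against the DNSKEY RRset's TTLs, and the number of DNSKEY RRs, with key tags recomputed from the key material as in RFC 4034 Appendix B rather than read from drill's `;{id = ...}` comment. The drill lines are copied from the output above; `TOY_BLOCK` is a constructed consistent input with a throwaway key.

```python
import base64
import re

# RRSIG and DNSKEY lines copied from the "Bogus DNSSEC signature" block of the drill output.
DRILL_BLOCK = """\
.	116937	IN	RRSIG	DNSKEY 8 0 172800 20140705235959 20140620000000 19036 . OWYyUDHJjQxh2KGaNdXqkvnmPj8E5Jafyya42A9oPOBBZ1L16Db7PTa4/pwbuSgteAI3gGP3hPRUAnGLx87c0JK6DUWnbiElMY/eUmZO6j2sq0mLKZKM7CRdOd8erIlFiPUnOwOPOEDolH0RxdJYkV4N0z6cujA/Bfx8i8NSlnIu/yvDPxSwio5CrdSQ2UgDKY3WUVyoGWePySYd2i6kHyd7DqTVkWfkvMqcU1kQbABlDO0GPL9UQym/WAf13qXA/rN49aQyiVsldzyug8EDWhZIbcviBPf2McJnLz6X1hTMD7nT3kVGSbLnBmgyu2QJc10wVv+M4iuUtSWsmo8Byw==
.	46368	IN	DNSKEY	256 3 8 AwEAAZvJd8ORk+jmZ41QMYbQ1XCpf60l6YJuHtnxn0VSh5a5vqwEjTST3/PZ4xhUFu2YcTfRNWxs9WTiGZl3MY/UlBIvzpLhKgKnf9Vk8sEU3q0nmOGFgE6jTi/cU95ATU/2dTQovMDv9XyWvrmj8KIG2brj6mF4S8GTae6G2GwbMF5v ;{id = 40926 (zsk), size = 1024b}
.	46368	IN	DNSKEY	257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b}
"""
# Constructed toy input (throwaway 2-byte "key", not real DNSSEC material): TTLs agree, signer present.
TOY_BLOCK = """\
.	100	IN	RRSIG	DNSKEY 8 0 172800 20140705235959 20140620000000 1291 . AAAA
.	100	IN	DNSKEY	257 3 8 AQI=
"""

def dnskey_keytag(flags, protocol, algorithm, pubkey):
    """Key tag of a DNSKEY per RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def parse_rr(line):
    owner, ttl, _cls, rtype, rdata = re.split(r"\s+", line.strip(), maxsplit=4)
    fields = rdata.split(";", 1)[0].split()  # drop drill's ";{id = ...}" comment
    rec = {"owner": owner, "ttl": int(ttl), "type": rtype}
    if rtype == "DNSKEY":  # recompute the tag from the key bytes instead of trusting the comment
        flags, proto, alg = (int(x) for x in fields[:3])
        rec["keytag"] = dnskey_keytag(flags, proto, alg, base64.b64decode("".join(fields[3:])))
    elif rtype == "RRSIG":  # type-covered alg labels orig-ttl expiration inception keytag signer sig
        rec["orig_ttl"], rec["keytag"] = int(fields[3]), int(fields[6])
    return rec

def analyze(block):
    """Report the two indicators from the mail: TTL mismatch and DNSKEY count."""
    recs = [parse_rr(l) for l in block.splitlines() if l.strip()]
    rrsig = next(r for r in recs if r["type"] == "RRSIG")
    keys = [r for r in recs if r["type"] == "DNSKEY"]
    ttls = {k["ttl"] for k in keys}
    tags = {k["keytag"] for k in keys}
    return {
        "rrsig_ttl": rrsig["ttl"],
        "rrset_ttls": ttls,
        "ttl_mismatch": ttls != {rrsig["ttl"]},  # point 1: RRSIG and RRset from different responses?
        "dnskey_count": len(keys),               # point 2: the mail expects 3 (2 ZSK + 1 KSK)
        "computed_tags": sorted(tags),
        "signer_in_rrset": rrsig["keytag"] in tags,
    }
```

`analyze(DRILL_BLOCK)` reports `rrsig_ttl` 116937 against `rrset_ttls` {46368} and `dnskey_count` 2, which are exactly the two discrepancies listed in the mail.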