[ldns-users] drill validation issue
Klaus Darilion
klaus.mailinglists at pernau.at
Mon Jun 23 09:22:03 UTC 2014
I forgot to mention that I use drill 1.6.17
darilion@dnsmaster:~$ dpkg -l|grep ldns
ii ldnsutils 1.6.17-1 amd64 ldns library for DNS programming
ii libldns1 1.6.17-1 amd64 ldns library for DNS programming
darilion@dnsmaster:~$ drill -v
drill version 1.6.17 (ldns version 1.6.17)
Written by NLnet Labs.
Copyright (c) 2004-2008 NLnet Labs.
Licensed under the revised BSD license.
There is NO warranty; not even for MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE.
On 23.06.2014 11:19, Klaus Darilion wrote:
> Hi!
>
> I periodically validate some signed domains with drill. Once in a while
> the validation fails and the reported problem is always in the root
> zone. I couldn't find any problems there and I guess if the problem is
> really in the root zone it would cause some noise.
>
> Thus I think that drill is buggy when checking the signatures. See the
> example attached.
>
> 1. The TTL of the RRSIG is different to the TTL of the DNSKEY. Thus I
> suspect that drill mixes responses from several resolvers and checks the
> RRSIG of one response against the records from another response.
>
> 2. drill shows 2 DNSKEY RRs of the root zone. But there are 3 (2 ZSK + 1
> KSK).
>
> regards
> Klaus