[ldns-users] drill validation issue

Willem Toorop willem at nlnetlabs.nl
Mon Jun 23 11:41:24 UTC 2014


Thanks Klaus,

I'll see if I can reproduce (and capture the exact circumstances (packet
capture etc.)).  Does it also happen tracing instead of chasing?

Regards,

-- Willem

On 23-06-14 11:22, Klaus Darilion wrote:
> I forgot to mention that I use drill 1.6.17
> 
> 
> 
> darilion at dnsmaster:~$ dpkg -l|grep ldns
> ii  ldnsutils                          1.6.17-1
> amd64        ldns library for DNS programming
> ii  libldns1                           1.6.17-1
> amd64        ldns library for DNS programming
> darilion at dnsmaster:~$ drill -v
> drill version 1.6.17 (ldns version 1.6.17)
> Written by NLnet Labs.
> 
> Copyright (c) 2004-2008 NLnet Labs.
> Licensed under the revised BSD license.
> There is NO warranty; not even for MERCHANTABILITY or FITNESS
> FOR A PARTICULAR PURPOSE.
> 
> 
> On 23.06.2014 11:19, Klaus Darilion wrote:
>> Hi!
>>
>> I periodically validate some signed domains with drill. Once in a while
>> the validation fails and the reported problem is always in the root
>> zone. I couldn't find any problems there and I guess if the problem is
>> really in the root zone it would cause some noise.
>>
>> Thus I think that drill is buggy when checking the signatures. See the
>> example attached.
>>
>> 1. The TTL of the RRSIG is different to the TTL of the DNSKEY. Thus I
>> suspect that drill mixes responses from several resolvers and checks the
>> RRSIG of one response against the records from another response.
>>
>> 2. drill shows 2 DNSKEY RRs of the root zone. But there are 3 (2 ZSK + 1
>> KSK).
>>
>> regards
>> Klaus
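The two observations in the quoted report (RRSIG TTL differing from the DNSKEY TTL, and fewer DNSKEY RRs than the root zone publishes) are exactly the kind of consistency check a validator can apply before doing any cryptographic verification. The following is an added example, not code from the thread or from ldns/drill: it computes RFC 4034 key tags over constructed DNSKEY records (placeholder key bytes, not real root-zone keys) and flags a signature whose TTL or key tag does not fit the RRset it supposedly covers.

```python
# Added example: pre-validation sanity checks on a DNSKEY RRset and its RRSIG.
# The key material below is constructed placeholder data, not real root-zone keys.
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Dnskey:
    ttl: int
    flags: int       # 256 = zone key (ZSK); 257 = zone key + SEP bit (used as KSK)
    protocol: int    # always 3 for DNSSEC
    algorithm: int
    pubkey: bytes


@dataclass
class Rrsig:
    ttl: int         # RR TTL as seen in the response
    key_tag: int     # key tag of the DNSKEY that produced the signature


def key_tag(k: Dnskey) -> int:
    """Key tag over the DNSKEY RDATA, per RFC 4034 Appendix B."""
    rdata = k.flags.to_bytes(2, "big") + bytes([k.protocol, k.algorithm]) + k.pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def summarize(keys: List[Dnskey]) -> Dict[str, int]:
    """Count keys by role; the SEP flag is the low bit of the flags field."""
    ksk = sum(1 for k in keys if k.flags & 1)
    return {"ksk": ksk, "zsk": len(keys) - ksk}


def precheck(keys: List[Dnskey], sig: Rrsig) -> List[str]:
    """Return the consistency problems found (empty list means none)."""
    problems: List[str] = []
    ttls = {k.ttl for k in keys}
    if len(ttls) != 1:
        problems.append("DNSKEY RRset has mixed TTLs; records may not be from one response")
    elif sig.ttl not in ttls:
        # An RRSIG sent with its RRset carries the same RR TTL; a mismatch
        # suggests the signature and the keys were taken from different answers.
        problems.append(f"RRSIG TTL {sig.ttl} != DNSKEY TTL {ttls.pop()}")
    if sig.key_tag not in {key_tag(k) for k in keys}:
        problems.append(f"no DNSKEY in the RRset has key tag {sig.key_tag}")
    return problems
```

With a complete RRset and a matching signature `precheck` returns no problems; drop a key or change the RRSIG TTL and it reports the mismatch instead of attempting verification that can only fail.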
