[ldns-users] validating nsec responses with drill
Kal Feher
kal at securenic.net
Thu May 22 12:52:38 UTC 2014
ack. meant to send this to the list.
I’m using:
drill version 1.6.16 (ldns version 1.6.16), which is the latest package for my distro (Gentoo). I’ll compile the latest version from source and see what happens.
On 22 May 2014, at 10:33 pm, Willem Toorop <willem at nlnetlabs.nl> wrote:
> Hi Kal,
>
> Which version of drill do you use. My drill 1.6.17 gives trusted
> existence denied for 0.us:
>
> $ drill -a -4 -d us -k uskey -TD 0.us
> ;; Number of trusted keys: 4
> ;; Domain: us.
> [T] us. 518400 IN DNSKEY 257 3 5 ;{id = 55408 (ksk), size = 2048b}
> us. 518400 IN DNSKEY 256 3 5 ;{id = 14358 (zsk), size = 1024b}
> us. 518400 IN DNSKEY 257 3 5 ;{id = 44323 (ksk), size = 2048b}
> us. 518400 IN DNSKEY 256 3 5 ;{id = 28350 (zsk), size = 1024b}
> [T] Existence denied: 0.us. DS
> ;; No ds record for delegation
> ;; Domain: 0.us.
> ;; No DNSKEY record found for 0.us.
> [T] Existence denied: 0.us. A
> ;;[S] self sig OK; [B] bogus; [T] trusted
>
>
> op 22-05-14 14:09, Kal Feher schreef:
>> Hello list,
>> I’ve been trying to get to the bottom of some odd behaviour with drill.
>> The behaviour I’m seeing appears to be limited to verifying nsec responses. When issuing the following query:
>> drill -a -4 -V 5 -d us -k uskey -TD 0.us
>> I receive the following response (trimmed for clarity):
>>
>> ;; AUTHORITY SECTION:
>> us. 900 IN SOA a.cctld.us. hostmaster.neustar.biz. 2011722984 900 900 604800 86400
>> us. 900 IN RRSIG SOA 5 1 900 20140621111356 20140522101356 28350 US. C44LuFw7+/QekEvR
>> US. 86400 IN NSEC 0-.us. NS SOA RRSIG NSEC DNSKEY TYPE65534
>> us. 86400 IN RRSIG NSEC 5 1 86400 20140617202559 20140518200713 28350 US. SjkrioUZ4T
>>
>> ;; Existence of data set with this name denied by NSEC
>> NSEC(3) Records to verify:
>> US. 86400 IN NSEC 0-.us. NS SOA RRSIG NSEC DNSKEY TYPE65534
>> With signatures:
>> correct keys:
>> us. 518400 IN DNSKEY 257 3 5 AwEAAcPLfBcYsSxr3IQFL;{id = 44323 (ksk), size = 2048b}
>> us. 518400 IN DNSKEY 257 3 5 AwEAAatM9tlDcd8gpSq+ ;{id = 55408 (ksk), size = 2048b}
>> us. 518400 IN DNSKEY 256 3 5 AwEAAZxMuH84tkVwYuP;{id = 14358 (zsk), size = 1024b}
>> us. 518400 IN DNSKEY 256 3 5 AwEAAZ6LjDKPJisyM73 ;{id = 28350 (zsk), size = 1024b}
>> [B] Error verifying denial of existence for 0.us. type A: No DNSSEC signature(s)
>> ;;[S] self sig OK; [B] bogus; [T] trusted
>>
>>
>> Yet when I query for another non existent label:
>> drill -a -4 -V 5 -d us -k uskey -TD 0-000.us
>> I have success:
>>
>> ;; AUTHORITY SECTION:
>> us. 900 IN SOA a.cctld.us. hostmaster.neustar.biz. 2011722996 900 900 604800 86400
>> us. 900 IN RRSIG SOA 5 1 900 20140621111552 20140522101552 28350 US. CKhVuRK1BsCBZw8ydZ45CiEz7
>> US. 86400 IN NSEC 0-.us. NS SOA RRSIG NSEC DNSKEY TYPE65534
>> us. 86400 IN RRSIG NSEC 5 1 86400 20140617202559 20140518200713 28350 US. SjkrioUZ4TauR5c7OGhGXy
>> 0-00.US. 86400 IN NSEC 0-0000AKLUJVHZ.us. NS RRSIG NSEC
>> 0-00.US. 86400 IN RRSIG NSEC 5 2 86400 20140613022320 20140514021623 28350 US. Q2ixTZVctcc2pD0WgMtL7
>>
>> NSEC(3) Records to verify:
>> 0-00.US. 86400 IN NSEC 0-0000AKLUJVHZ.us. NS RRSIG NSEC
>> With signatures:
>> 0-00.US. 86400 IN RRSIG NSEC 5 2 86400 20140613022320 20140514021623 28350 US. Q2ixTZVctcc2pD0WgMtL7
>> correct keys:
>> us. 518400 IN DNSKEY 257 3 5 AwEAAcPLfBcYsSxr3IQFLeJraBpgwzHqd ;{id = 44323 (ksk), size = 2048b}
>> us. 518400 IN DNSKEY 256 3 5 AwEAAZxMuH84tkVwYuPk7+QDPQuq9 ;{id = 14358 (zsk), size = 1024b}
>> us. 518400 IN DNSKEY 256 3 5 AwEAAZ6LjDKPJisyM730QN6miz2cQCW ;{id = 28350 (zsk), size = 1024b}
>> us. 518400 IN DNSKEY 257 3 5 AwEAAatM9tlDcd8gpSq+Wlksu;{id = 55408 (ksk), size = 2048b}
>> [T] Existence denied: 0-000.us. A
>> ;;[S] self sig OK; [B] bogus; [T] trusted
>>
>> The signatures look fine, but for some reason they do not appear in the output for my first test above. This results in an error (RR count less than 1). Is it the case of the label (upper for NSEC, lower for its RRSIG) that is causing the issue for drill? I’ve flicked through the code going backwards from the error message but only got as far as ldns_verify() before my poor C skills failed me.
>> Am I missing an obvious DNSSEC error that I can’t see?
>>
>> Kal
>>
>> _______________________________________________
>> ldns-users mailing list
>> ldns-users at open.nlnetlabs.nl
>> http://open.nlnetlabs.nl/mailman/listinfo/ldns-users
>>
>
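The thread's working hypothesis is that the NSEC owner is printed as "US." while its RRSIG owner is "us.", and that this case difference stops drill from pairing the two. The following is an added illustration, not ldns or drill code and not a claim about where the bug sits in ldns: it pairs RRSIGs with an NSEC RRset once with a raw string compare (which reproduces the "No DNSSEC signature(s)" outcome on the records quoted above) and once in RFC 4034 canonical form (lowercase owner names), then checks with RFC 4034 canonical ordering that the NSEC actually covers the queried name and the wildcard. The record lines are copied from the thread with the signature data truncated as printed there; the parser, the helper names, the set of key tags (taken from drill's "correct keys" list) and the simplification that the closest encloser of 0.us is the apex are all assumptions of this example.

```python
"""Added illustration (not ldns or drill code): case-insensitive pairing of an
NSEC record with its RRSIG, plus the RFC 4034 canonical-ordering check that
the NSEC covers the queried name. Record lines are copied from the thread;
signature data is truncated exactly as drill printed it there."""

# drill's authority section for the failing query (0.us), as quoted in the thread.
AUTHORITY_0_US = """\
us. 900 IN SOA a.cctld.us. hostmaster.neustar.biz. 2011722984 900 900 604800 86400
us. 900 IN RRSIG SOA 5 1 900 20140621111356 20140522101356 28350 US. C44LuFw7+/QekEvR
US. 86400 IN NSEC 0-.us. NS SOA RRSIG NSEC DNSKEY TYPE65534
us. 86400 IN RRSIG NSEC 5 1 86400 20140617202559 20140518200713 28350 US. SjkrioUZ4T
"""

# Key tags of the four us. DNSKEYs drill listed under "correct keys" (from the thread).
KNOWN_KEY_TAGS = {"55408", "14358", "44323", "28350"}


def parse_rrs(text):
    """Parse presentation-format lines into dicts (owner, ttl, type, rdata fields).
    Assumes one RR per line with no comments, which is how drill prints them."""
    rrs = []
    for line in text.splitlines():
        if line.strip():
            owner, ttl, _cls, rtype, *rdata = line.split()
            rrs.append({"owner": owner, "ttl": int(ttl), "type": rtype, "rdata": rdata})
    return rrs


def canonical_name(name):
    """RFC 4034 section 6.2: fully qualified, US-ASCII uppercase folded to lowercase."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def canonical_labels(name):
    """Labels ordered most-significant (rightmost) first, so Python list comparison
    yields the RFC 4034 section 6.1 canonical ordering for plain ASCII labels:
    a missing or shorter label sorts first, and '*' sorts before digits and letters."""
    return [label for label in canonical_name(name).split(".") if label][::-1]


def sigs_for(rrs, owner, covered_type, case_sensitive=False):
    """RRSIGs covering <owner, covered_type>. With case_sensitive=True the owner is
    compared as a raw string, the failure mode the thread describes: the NSEC is
    printed as 'US.' and its RRSIG as 'us.', so nothing matches."""
    norm = (lambda n: n) if case_sensitive else canonical_name
    return [rr for rr in rrs
            if rr["type"] == "RRSIG"
            and rr["rdata"][0] == covered_type          # type covered
            and norm(rr["owner"]) == norm(owner)]


def nsec_covers(nsec_owner, nsec_next, qname):
    """True when qname sorts strictly between the NSEC owner and its next name.
    The last NSEC of a zone points back to the apex, so next < owner wraps around."""
    o, n, q = (canonical_labels(x) for x in (nsec_owner, nsec_next, qname))
    if o < n:
        return o < q < n
    return o < q or q < n


def check_nsec_denial(authority_text, qname, apex):
    """Gather what a validator needs for an NSEC NXDOMAIN proof and report it.
    Simplification (assumption): the closest encloser is taken to be the apex,
    which holds for a direct child of us. such as 0.us."""
    rrs = parse_rrs(authority_text)
    report = {"naive_sig_count": 0, "canonical_sig_count": 0, "qname_covered": False,
              "wildcard_covered": False, "key_tag_known": False}
    for nsec in (rr for rr in rrs if rr["type"] == "NSEC"):
        naive = sigs_for(rrs, nsec["owner"], "NSEC", case_sensitive=True)
        proper = sigs_for(rrs, nsec["owner"], "NSEC")
        report["naive_sig_count"] += len(naive)
        report["canonical_sig_count"] += len(proper)
        # RRSIG rdata: type, alg, labels, orig ttl, expiration, inception, key tag, signer, sig
        for sig in proper:
            if (sig["rdata"][6] in KNOWN_KEY_TAGS
                    and canonical_name(sig["rdata"][7]) == canonical_name(apex)):
                report["key_tag_known"] = True
        next_name = nsec["rdata"][0]
        if nsec_covers(nsec["owner"], next_name, qname):
            report["qname_covered"] = True
        # NXDOMAIN also needs proof that no wildcard at the closest encloser exists.
        if nsec_covers(nsec["owner"], next_name, "*." + canonical_name(apex)):
            report["wildcard_covered"] = True
    return report


if __name__ == "__main__":
    print(check_nsec_denial(AUTHORITY_0_US, "0.us.", "us."))
```

On the records from the first query the raw compare finds zero signatures for the NSEC while the canonical compare finds the one signed by key tag 28350; the same helper confirms that the 0-00.US. NSEC from the second query covers 0-000.us. in canonical order, which is the proof drill accepted.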