From shlyoko at gmail.com Tue Mar 14 14:41:48 2017
From: shlyoko at gmail.com (Emil Natan)
Date: Tue, 14 Mar 2017 16:41:48 +0200
Subject: [ldns-users] drill and signature chase

Hello,

I have a domain, testdom5.isoc-il.net, deliberately signed with signatures whose end time is in the past.

"drill dnskey testdom5.isoc-il.net" as expected fails with SERVFAIL.

Chasing the signature for that record though succeeds. It says "|---DNSSEC signature has expired" on the way, but I was expecting the result to be Chase Failed and a non-zero exit code.

Do you consider that a bug or is that the expected behavior? Thanks.

drill -S dnskey testdom5.isoc-il.net
;; Number of trusted keys: 1
;; Chasing: testdom5.isoc-il.net. DNSKEY


DNSSEC Trust tree:
testdom5.isoc-il.net. (DNSKEY)
|---DNSSEC signature has expired: testdom5.isoc-il.net. 86215 IN RRSIG DNSKEY 8 3 86400 20170310000000 20170210000000 29401 testdom5.isoc-il.net. GG2ukpUxPwhOp3Yb0rIRhtQvqsF+pZ/cIFTveHJwIaDx6GP7dxbyQ9bv1p8Ojr/3m/tuJgfVq2RwA2+ndDXQxfqnsvi5Nigw6u/LVwqDFVgstxyGDHdJPuriqJjn6IYQIsaSkW52ib9M3Rrd5MptimORTlN6lLAPOgWDDHU6180/VJhwrq8e2MXQeWLier7tdtuolXw7mxRlChpRkV7XWHHbm5KFyS6rGlQooKElhLy/TBRRgK793jTpRN/hYFj3BjgiF9VguMuwkISPNSmuBl0dzghiUFD1QHnALocNC5IxI19QSpdP0ny0rIkNJ/RzKIMHyOlTqnjNzu/qpeJ+rw==
For RRset:
testdom5.isoc-il.net. 86215 IN DNSKEY 256 3 8 AwEAAaUDJHIJaCsatG03KN1urponSDCPJ/AA1ONXGm1NOMzTodDrKCfzm3sFLSh0tQB1v314WoxOA3A+xJtYjRAhU9NGn7ruPrR8EcXYwzYuLpXEMWmWobKCXKHss4QYAnpyma+wn89NBpEV976P8OX265geJdnIulDvRK1SNkE5cPHcraklS6JWzOp4RIhTy7wNUG7peFiVz1Vp7OVAvb25EtXjS2wAFNitSpzBhAPcZ/2uqLDdIfE7ieUkFDrs22nfIa1RVU2DXzN7iWmpGBwnwbFEtTwSzhzWB6U/uMEHuJ2exUlOOLg3BQ6FTy6kfsZzSyGFDs5tuZSS1XO8ugqLK1U= ;{id = 18888 (zsk), size = 2048b}
testdom5.isoc-il.net. 86215 IN DNSKEY 257 3 8 AwEAAa+orr5ooEvpwgicZngvULwkDA1luUDrGwKZ3Qti5C7ITTKRJq1Ahrcg/Y/gZ+V0WPkZ074W6DLOGJp9RDIwOCfXhm9aSu2FadG/eqwrVf+CjPRpQZMpGc4ME6BxzkiTjw1g5Yhu0XJDWHvYnIYVr8f7Nazb1k2OqWW5X8QtV7FDrW1fn85BYafVY2TXt3fYlcUzdtisv8/o5ce4ctmidTlXFPqNT63yyASKZiZiV6nbdQToMQtjnxvTT12fTv4zoeKz0W8KiQs48ttGkGxTIuJ5aKVjKJgVZQlH4uoyI5AeUF9fIllM9LPEQvG035/y0zkwJPZgs9DU183Sdve6P2s= ;{id = 29401 (ksk), size = 2048b}
With key:
testdom5.isoc-il.net. 86215 IN DNSKEY 257 3 8 AwEAAa+orr5ooEvpwgicZngvULwkDA1luUDrGwKZ3Qti5C7ITTKRJq1Ahrcg/Y/gZ+V0WPkZ074W6DLOGJp9RDIwOCfXhm9aSu2FadG/eqwrVf+CjPRpQZMpGc4ME6BxzkiTjw1g5Yhu0XJDWHvYnIYVr8f7Nazb1k2OqWW5X8QtV7FDrW1fn85BYafVY2TXt3fYlcUzdtisv8/o5ce4ctmidTlXFPqNT63yyASKZiZiV6nbdQToMQtjnxvTT12fTv4zoeKz0W8KiQs48ttGkGxTIuJ5aKVjKJgVZQlH4uoyI5AeUF9fIllM9LPEQvG035/y0zkwJPZgs9DU183Sdve6P2s= ;{id = 29401 (ksk), size = 2048b}
|---testdom5.isoc-il.net. (DNSKEY keytag: 29401 alg: 8 flags: 257)
    |---testdom5.isoc-il.net. (DS keytag: 29401 digest type: 2)
        |---isoc-il.net. (DNSKEY keytag: 36456 alg: 8 flags: 256)
            |---isoc-il.net. (DNSKEY keytag: 33769 alg: 8 flags: 257)
                |---isoc-il.net. (DS keytag: 33769 digest type: 2)
                    |---net. (DNSKEY keytag: 16757 alg: 8 flags: 256)
                        |---net. (DNSKEY keytag: 35886 alg: 8 flags: 257)
                            |---net. (DS keytag: 35886 digest type: 2)
                                |---. (DNSKEY keytag: 61045 alg: 8 flags: 256)
                                    |---. (DNSKEY keytag: 19036 alg: 8 flags: 257)
;; Chase successful

Emil

From willem at nlnetlabs.nl Tue Mar 14 15:04:08 2017
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Tue, 14 Mar 2017 16:04:08 +0100
Subject: [ldns-users] drill and signature chase

On 14-03-17 at 15:41, Emil Natan wrote:
> Hello,
>
> I have a domain, testdom5.isoc-il.net, deliberately signed with signatures whose end time is in the past.
>
> "drill dnskey testdom5.isoc-il.net" as expected fails with SERVFAIL.
>
> Chasing the signature for that record though succeeds. It says "|---DNSSEC signature has expired" on the way, but I was expecting the result to be Chase Failed and a non-zero exit code.
>
> Do you consider that a bug or is that the expected behavior? Thanks.

Hello Emil,

Neither yet. How would you (or the list) consider this behaviour? Should chasing perform the chase and then exit non-zero when there was a bogus RR on the path, like tracing does?

-- Willem

> [...]
>
> Emil
>
> _______________________________________________
> ldns-users mailing list
> ldns-users at nlnetlabs.nl
> https://open.nlnetlabs.nl/mailman/listinfo/ldns-users

From shlyoko at gmail.com Tue Mar 14 17:04:20 2017
From: shlyoko at gmail.com (Emil Natan)
Date: Tue, 14 Mar 2017 19:04:20 +0200
Subject: [ldns-users] drill and signature chase

Hello Willem,

In my opinion this one should end up with a non-zero status. And why should signature chasing behaviour differ from a simple query which fails signature validation? Maybe I'm misunderstanding the purpose of the chase functionality.

Thanks,

Emil

On Tue, Mar 14, 2017 at 5:04 PM, Willem Toorop wrote:
> On 14-03-17 at 15:41, Emil Natan wrote:
> > [...]
>
> Hello Emil,
>
> Neither yet. How would you (or the list) consider this behaviour? Should chasing perform the chase and then exit non-zero when there was a bogus RR on the path, like tracing does?
>
> -- Willem
>
> > [...]

From willem at nlnetlabs.nl Thu Mar 16 14:19:58 2017
From: willem at nlnetlabs.nl (Willem Toorop)
Date: Thu, 16 Mar 2017 15:19:58 +0100
Subject: [ldns-users] drill and signature chase
Message-ID: <5a530f5d-926f-6a29-b85f-72e418dc864e@nlnetlabs.nl>

Hi Emil,

When looking further into your issue, I noticed that chasing actually does set a non-zero exit status when there is an error in the validation path... except when the tree constructed from the chase is for a DNSKEY (or DS). So, the short-term solution for you would be to query for a SOA. I'll see if I can fix this for key queries too.

Regards,
-- Willem

On 14-03-17 at 18:04, Emil Natan wrote:
> Hello Willem,
>
> In my opinion this one should end up with a non-zero status. And why should signature chasing behaviour differ from a simple query which fails signature validation? Maybe I'm misunderstanding the purpose of the chase functionality.
>
> Thanks,
>
> Emil
>
> On Tue, Mar 14, 2017 at 5:04 PM, Willem Toorop wrote:
> > [...]

From shlyoko at gmail.com Thu Mar 16 15:02:09 2017
From: shlyoko at gmail.com (Emil Natan)
Date: Thu, 16 Mar 2017 17:02:09 +0200
Subject: [ldns-users] drill and signature chase
In-Reply-To: <5a530f5d-926f-6a29-b85f-72e418dc864e@nlnetlabs.nl>
References: <5a530f5d-926f-6a29-b85f-72e418dc864e@nlnetlabs.nl>

Hi Willem,

Thank you for your response. Chasing a signature for DNSKEY actually fails in every other case I tested, except an expired signature. A DS at the parent not matching the DNSKEY at the child, or a missing DNSKEY RRSIG, for example, make it fail with exit status 29 and "No trusted keys found in tree: first error was: No DNSSEC public key(s) ;; Chase failed."

Emil

On Thu, Mar 16, 2017 at 4:19 PM, Willem Toorop wrote:
> Hi Emil,
>
> When looking further into your issue, I noticed that chasing actually does set a non-zero exit status when there is an error in the validation path... except when the tree constructed from the chase is for a DNSKEY (or DS). So, the short-term solution for you would be to query for a SOA. I'll see if I can fix this for key queries too.
>
> Regards,
> -- Willem
>
> On 14-03-17 at 18:04, Emil Natan wrote:
> > [...]
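As an added illustration of what the chase in this thread is checking (example code written for this page, not drill's or ldns's own), the script below takes the RRSIG and the two DNSKEYs copied from Emil's drill output, computes their RFC 4034 key tags (drill printed ids 18888 and 29401), classifies the RRSIG's validity window at a given time using the serial-number arithmetic RFC 4034 section 3.1.5 prescribes, and derives the exit status Emil asks for: non-zero as soon as any signature on the chased path is not valid. Only key selection and the validity window are modelled; the RSA signature itself is not verified here.

```python
import base64
import struct
from datetime import datetime, timezone

# Records copied from the drill -S output quoted in the thread above: the RRSIG
# over the DNSKEY RRset of testdom5.isoc-il.net and the two DNSKEYs it covers.
RRSIG_LINE = (
    "testdom5.isoc-il.net. 86215 IN RRSIG DNSKEY 8 3 86400 20170310000000 "
    "20170210000000 29401 testdom5.isoc-il.net. "
    "GG2ukpUxPwhOp3Yb0rIRhtQvqsF+pZ/cIFTveHJwIaDx6GP7dxbyQ9bv1p8Ojr/3m/tuJgfVq2RwA2+ndDXQxfqnsvi5Nigw6u/LVwqDFVgstxyGDHdJPuriqJjn6IYQIsaSkW52ib9M3Rrd5MptimORTlN6lLAPOgWDDHU6180/VJhwrq8e2MXQeWLier7tdtuolXw7mxRlChpRkV7XWHHbm5KFyS6rGlQooKElhLy/TBRRgK793jTpRN/hYFj3BjgiF9VguMuwkISPNSmuBl0dzghiUFD1QHnALocNC5IxI19QSpdP0ny0rIkNJ/RzKIMHyOlTqnjNzu/qpeJ+rw=="
)
DNSKEY_LINES = [
    "testdom5.isoc-il.net. 86215 IN DNSKEY 256 3 8 AwEAAaUDJHIJaCsatG03KN1urponSDCPJ/AA1ONXGm1NOMzTodDrKCfzm3sFLSh0tQB1v314WoxOA3A+xJtYjRAhU9NGn7ruPrR8EcXYwzYuLpXEMWmWobKCXKHss4QYAnpyma+wn89NBpEV976P8OX265geJdnIulDvRK1SNkE5cPHcraklS6JWzOp4RIhTy7wNUG7peFiVz1Vp7OVAvb25EtXjS2wAFNitSpzBhAPcZ/2uqLDdIfE7ieUkFDrs22nfIa1RVU2DXzN7iWmpGBwnwbFEtTwSzhzWB6U/uMEHuJ2exUlOOLg3BQ6FTy6kfsZzSyGFDs5tuZSS1XO8ugqLK1U= ;{id = 18888 (zsk), size = 2048b}",
    "testdom5.isoc-il.net. 86215 IN DNSKEY 257 3 8 AwEAAa+orr5ooEvpwgicZngvULwkDA1luUDrGwKZ3Qti5C7ITTKRJq1Ahrcg/Y/gZ+V0WPkZ074W6DLOGJp9RDIwOCfXhm9aSu2FadG/eqwrVf+CjPRpQZMpGc4ME6BxzkiTjw1g5Yhu0XJDWHvYnIYVr8f7Nazb1k2OqWW5X8QtV7FDrW1fn85BYafVY2TXt3fYlcUzdtisv8/o5ce4ctmidTlXFPqNT63yyASKZiZiV6nbdQToMQtjnxvTT12fTv4zoeKz0W8KiQs48ttGkGxTIuJ5aKVjKJgVZQlH4uoyI5AeUF9fIllM9LPEQvG035/y0zkwJPZgs9DU183Sdve6P2s= ;{id = 29401 (ksk), size = 2048b}",
]


def parse_rrsig(line):
    """Split an RRSIG in presentation format into the fields used here.
    Field order after the type: alg, labels, original TTL, expiration, inception, key tag, signer, signature."""
    f = line.split(";", 1)[0].split()
    return {"owner": f[0], "type_covered": f[4], "algorithm": int(f[5]),
            "expiration": f[8], "inception": f[9], "keytag": int(f[10]),
            "signer": f[11], "signature": "".join(f[12:])}


def parse_dnskey(line):
    """Split a DNSKEY in presentation format; the trailing ;{id = ...} comment is dropped."""
    f = line.split(";", 1)[0].split()
    return {"owner": f[0], "flags": int(f[4]), "protocol": int(f[5]),
            "algorithm": int(f[6]), "key": base64.b64decode("".join(f[7:]))}


def keytag(key):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (flags, protocol, algorithm, public key)."""
    rdata = struct.pack("!HBB", key["flags"], key["protocol"], key["algorithm"]) + key["key"]
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def sig_time_to_epoch(yyyymmddhhmmss):
    """RRSIG inception/expiration in presentation format are UTC timestamps."""
    return int(datetime.strptime(yyyymmddhhmmss, "%Y%m%d%H%M%S")
               .replace(tzinfo=timezone.utc).timestamp())


def serial_lt(a, b):
    """RFC 1982 serial-number 'a < b' on 32-bit values, as RFC 4034 3.1.5 requires for RRSIG times."""
    a, b = a & 0xFFFFFFFF, b & 0xFFFFFFFF
    return a != b and ((a < b and b - a < 2 ** 31) or (a > b and a - b > 2 ** 31))


def signature_status(rrsig, dnskeys, now):
    """Classify one RRSIG against the candidate DNSKEYs at `now` (epoch seconds).
    The key is selected by signer name, algorithm and key tag; the signature bytes are not checked."""
    candidates = [k for k in dnskeys
                  if k["owner"] == rrsig["signer"]
                  and k["algorithm"] == rrsig["algorithm"]
                  and keytag(k) == rrsig["keytag"]]
    if not candidates:
        return "no matching key"
    if serial_lt(now, sig_time_to_epoch(rrsig["inception"])):
        return "not yet valid"
    if serial_lt(sig_time_to_epoch(rrsig["expiration"]), now):
        return "expired"
    return "valid"


def chase_exit_status(statuses):
    """Exit status a chase should report for a path: 0 only when every signature
    on it is valid. This models the behaviour asked for in the thread, not drill's own code."""
    return 0 if statuses and all(s == "valid" for s in statuses) else 1


if __name__ == "__main__":
    keys = [parse_dnskey(line) for line in DNSKEY_LINES]
    sig = parse_rrsig(RRSIG_LINE)
    # Time of Emil's query in UTC (16:41:48 +0200 on 14 March 2017).
    status = signature_status(sig, keys, sig_time_to_epoch("20170314144148"))
    print("key tags:", [keytag(k) for k in keys])
    print("RRSIG status at query time:", status, "-> exit status", chase_exit_status([status]))
```

Running the script reproduces the situation in the thread: the RRSIG's key tag 29401 selects the KSK, the expiration 20170310000000 lies before the query time, so the status is "expired" and the derived exit status is 1, which is what the chase output above reported in words but not in its exit code.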
From sca at andreasschulze.de Thu Mar 23 09:55:46 2017
From: sca at andreasschulze.de (A. Schulze)
Date: Thu, 23 Mar 2017 10:55:46 +0100
Subject: [ldns-users] ldns-read-zone and $INCLUDE
Message-ID: <20170323105546.Horde.HJvdPVIVwky7l6X4xDbHII0@andreasschulze.de>

Hello,

it looks like $INCLUDE inside a zone is ignored by ldns-read-zone, right?

$ cat /path/to/zone
example.org. SOA ns.example.org. me.example.org 1 43200 7200 2419200 3600
example.org. NS ns.example.org.
ns.example.org. A 192.0.2.53
$INCLUDE /path/to/include

$ cat /path/to/include
www.example.org. A 192.0.2.80

# read zone, sort and increment SOA by one
$ ldns-read-zone -z -S +1 path/to/zone
example.org. 3600 IN SOA ns.example.org. me.example.org. 2 43200 7200 2419200 3600
example.org. 3600 IN NS ns.example.org.
ns.example.org. 3600 IN A 192.0.2.53

While NSD handles the include, the included data is lost here. Is that intentional?

Thanks for clarification,
Andreas

From shlyoko at gmail.com Wed Mar 29 15:20:52 2017
From: shlyoko at gmail.com (Emil Natan)
Date: Wed, 29 Mar 2017 18:20:52 +0300
Subject: [ldns-users] ldns-verify-zone and double signature

Hello,

ldns-verify-zone is one of the tools I use to verify freshly signed zonefiles. Since my "signer" machine does not have access to the real world, I provide ldns-verify-zone with the signed zonefile and the DS record like this:

ldns-verify-zone -S -k Ktest.org.+008+57589.ds test.zone.signed

When the zonefile is signed with a single ZSK and a single KSK there are no complaints. When the zonefile is signed with a single ZSK and two KSKs (as during a KSK rollover, both KSKs are added to the zone and the DNSKEY RRset is signed by both KSKs), the above command fails with:

# ldns-verify-zone -S -k Ktest.org.+008+57589.ds test.zone.signed
Error: No keys with the keytag and algorithm from the RRSIG found for test.org. DNSKEY
There were errors in the zone

Just for testing I tried to provide the DSes for both KSKs and no errors were emitted.

# ldns-verify-zone -k Ktest.org.+008+57589.ds -k Ktest.org.+008+34735.ds test.zone.signed
Zone is verified and complete

That's never a real-world scenario, since there is only a single DS in the parent zone during a KSK rollover: first it's the DS generated for the initial key, then it's replaced with the DS for the successor key.

The issue is easy to reproduce: generate 3 keys, 1 ZSK and 2 KSKs, sign the zone with the ZSK and both KSKs, then run ldns-verify-zone with a single DS file. The same happens with and without the "-S" flag.

Emil
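To make the rollover case concrete, here is an added model of how a DS set supplied on the command line anchors a zone's DNSKEY RRset. It is example code written for this page, not ldns-verify-zone's implementation: the keys are constructed placeholders (not real RSA keys), RRSIGs are represented only by their key tag and algorithm, and no signature bytes are produced or verified; what is checked is the DS -> DNSKEY -> RRSIG linkage, including the SHA-256 DS digest over the owner name and DNSKEY RDATA. With `require_all_rrsigs=True` it reproduces the complaint Emil quotes when one DS is given and the RRset carries two KSK signatures; with the default it accepts the RRset as soon as one RRSIG was made by a DS-anchored key, which is all a validator following RFC 4035 section 5.2 needs.

```python
import hashlib
import struct

OWNER = "test.org."


def _placeholder_key(label):
    """Constructed 260-byte public-key field shaped like a 2048-bit RSA key; not a real key."""
    return b"\x03\x01\x00\x01" + hashlib.sha256(label.encode()).digest() * 8


# Constructed key set for the rollover scenario: one ZSK, the initial KSK and its successor.
ZSK = {"flags": 256, "protocol": 3, "algorithm": 8, "key": _placeholder_key("zsk")}
KSK_INITIAL = {"flags": 257, "protocol": 3, "algorithm": 8, "key": _placeholder_key("ksk-initial")}
KSK_SUCCESSOR = {"flags": 257, "protocol": 3, "algorithm": 8, "key": _placeholder_key("ksk-successor")}


def dnskey_rdata(key):
    """DNSKEY RDATA in wire format: flags, protocol, algorithm, public key."""
    return struct.pack("!HBB", key["flags"], key["protocol"], key["algorithm"]) + key["key"]


def keytag(key):
    """RFC 4034 Appendix B key tag."""
    ac = 0
    for i, b in enumerate(dnskey_rdata(key)):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def name_to_wire(name):
    """Owner name in uncompressed wire format, lower-cased (RFC 4034 section 5.1.4)."""
    wire = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def make_ds(owner, key):
    """The DS record (digest type 2, SHA-256) a parent would publish for `key`."""
    digest = hashlib.sha256(name_to_wire(owner) + dnskey_rdata(key)).hexdigest()
    return {"keytag": keytag(key), "algorithm": key["algorithm"], "digest_type": 2, "digest": digest}


def sign_with(keys):
    """RRSIG metadata over the DNSKEY RRset, one entry per signing key (no signature bytes)."""
    return [{"keytag": keytag(k), "algorithm": k["algorithm"]} for k in keys]


def check_dnskey_rrset(owner, dnskeys, rrsigs, ds_records, require_all_rrsigs=False):
    """Decide whether the DNSKEY RRset is anchored by the DS set; returns (ok, messages).

    A DNSKEY is trusted when a DS matches its algorithm, key tag and digest. By default
    the RRset is accepted when at least one RRSIG over it was made by a trusted key.
    With require_all_rrsigs=True every RRSIG must be made by a trusted key, which is
    the stricter behaviour the thread reports."""
    trusted = set()
    for key in dnskeys:
        for ds in ds_records:
            if ds["digest_type"] != 2 or ds["algorithm"] != key["algorithm"]:
                continue
            if ds["keytag"] == keytag(key) and ds["digest"] == make_ds(owner, key)["digest"]:
                trusted.add((keytag(key), key["algorithm"]))
    if not trusted:
        return False, ["No DS matches any DNSKEY for %s" % owner]
    unanchored = [s for s in rrsigs if (s["keytag"], s["algorithm"]) not in trusted]
    messages = ["No keys with the keytag and algorithm from the RRSIG found for %s DNSKEY (RRSIG key tag %d)"
                % (owner, s["keytag"]) for s in unanchored]
    if require_all_rrsigs:
        return not unanchored, messages
    return len(unanchored) < len(rrsigs), messages


if __name__ == "__main__":
    zone_keys = [ZSK, KSK_INITIAL, KSK_SUCCESSOR]
    both_ksk_sigs = sign_with([KSK_INITIAL, KSK_SUCCESSOR])
    single_ds = [make_ds(OWNER, KSK_INITIAL)]
    print("one DS, lenient:", check_dnskey_rrset(OWNER, zone_keys, both_ksk_sigs, single_ds))
    print("one DS, strict: ", check_dnskey_rrset(OWNER, zone_keys, both_ksk_sigs, single_ds, True))
```

The strict check fails for the successor KSK's RRSIG exactly as in Emil's run, while the lenient check passes because the initial KSK, the one the parent's DS points at, signed the RRset. The digest includes the owner name, so a DS computed for the same key under a different owner does not anchor anything.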
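Going back to the ldns-read-zone question earlier on this page, which the thread leaves unanswered: when a tool does not process $INCLUDE, the practical workaround is to expand the directive yourself before handing the file over. The function below is added example code (not part of ldns) that does that. It resolves relative include paths against the including file (an assumption; check what your own signer expects), refuses includes that point outside the zone directory, detects include loops and over-deep nesting, and restores $ORIGIN after an include that switched origin, as RFC 1035 section 5.1 requires. The example files are a constructed copy of Andreas's zone, and `read_file` is injected so the example runs offline.

```python
import os

MAX_INCLUDE_DEPTH = 8  # assumption for this example: deeper nesting is treated as an error


def _fields(line):
    """Whitespace-split fields of a zone-file line with any ';' comment removed."""
    return line.split(";", 1)[0].split()


def expand_includes(path, read_file, base_dir, origin=None, _stack=()):
    """Return the zone text at `path` with every $INCLUDE replaced by the (recursively
    expanded) contents of the named file.

    read_file(path) -> str is injected so the function can run against in-memory files.
    base_dir confines every included path; an $INCLUDE outside it is refused, not read.
    `origin` is the origin in effect at the top of `path`, if known; it is needed to
    restore $ORIGIN after an include that changed it."""
    path = os.path.normpath(path)
    base_dir = os.path.normpath(base_dir)
    if path in _stack:
        raise ValueError("$INCLUDE loop: " + " -> ".join(_stack + (path,)))
    if len(_stack) >= MAX_INCLUDE_DEPTH:
        raise ValueError("$INCLUDE nesting deeper than %d at %s" % (MAX_INCLUDE_DEPTH, path))
    if os.path.commonpath([base_dir, path]) != base_dir:
        raise ValueError("$INCLUDE outside %s refused: %s" % (base_dir, path))

    out = []
    current_origin = origin
    for line in read_file(path).splitlines():
        fields = _fields(line)
        if len(fields) >= 2 and fields[0].upper() == "$ORIGIN":
            current_origin = fields[1]
        if not fields or fields[0].upper() != "$INCLUDE":
            out.append(line)
            continue
        if len(fields) < 2:
            raise ValueError("$INCLUDE without a file name in " + path)
        inc_path = fields[1]
        if not os.path.isabs(inc_path):
            # Assumption: relative include paths are resolved against the including file.
            inc_path = os.path.join(os.path.dirname(path), inc_path)
        inc_origin = fields[2] if len(fields) >= 3 else current_origin
        if len(fields) >= 3:
            out.append("$ORIGIN " + inc_origin)
        included = expand_includes(inc_path, read_file, base_dir, inc_origin, _stack + (path,))
        out.extend(included.splitlines())
        # An origin change inside the included file must not leak into this file.
        switched = len(fields) >= 3 or any(
            f and f[0].upper() == "$ORIGIN" for f in map(_fields, included.splitlines()))
        if switched:
            if current_origin is None:
                raise ValueError("cannot restore origin after including %s; pass origin=" % inc_path)
            out.append("$ORIGIN " + current_origin)
    return "\n".join(out) + "\n"


def include_error(path, files, base_dir):
    """Expand an in-memory file set and return the error message, or None when it expands cleanly."""
    try:
        expand_includes(path, files.__getitem__, base_dir)
        return None
    except (ValueError, KeyError, OSError) as exc:
        return str(exc)


# Constructed copy of the files from the question above.
EXAMPLE_FILES = {
    "/path/to/zone": (
        "example.org. SOA ns.example.org. me.example.org 1 43200 7200 2419200 3600\n"
        "example.org. NS ns.example.org.\n"
        "ns.example.org. A 192.0.2.53\n"
        "$INCLUDE /path/to/include\n"
    ),
    "/path/to/include": "www.example.org. A 192.0.2.80\n",
}


if __name__ == "__main__":
    import sys
    # Usage: python3 expand_includes.py /path/to/zone > zone.expanded
    #        ldns-read-zone -z -S +1 zone.expanded
    if len(sys.argv) > 1:
        def read_file(p):
            with open(p) as fh:
                return fh.read()
        zone = os.path.abspath(sys.argv[1])
        print(expand_includes(zone, read_file, os.path.dirname(zone)), end="")
    else:
        print(expand_includes("/path/to/zone", EXAMPLE_FILES.__getitem__, "/path/to"), end="")
```

Run on the example files, the output contains the www.example.org record that ldns-read-zone dropped in the original run, so feeding the expanded file to ldns-read-zone gives the same records NSD would load. The base-directory check matters when zone files come from other teams or automation: without it, a single `$INCLUDE /etc/passwd` line in a zone file would make the expander read that file into the zone.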