[ldns-users] drill and signature chase

Emil Natan shlyoko at gmail.com
Tue Mar 14 14:41:48 UTC 2017


Hello,

I have the domain testdom5.isoc-il.net deliberately signed with signature end
times in the past.

"drill dnskey testdom5.isoc-il.net", as expected, fails with SERVFAIL.

Chasing the signature for that record succeeds, though.
It says "|---DNSSEC signature has expired" on the way, but I was expecting
the result to be Chase Failed and a non-zero exit code.

Do you consider that a bug or is that the expected behavior? Thanks.

drill -S dnskey  testdom5.isoc-il.net
;; Number of trusted keys: 1
;; Chasing: testdom5.isoc-il.net. DNSKEY


DNSSEC Trust tree:
testdom5.isoc-il.net. (DNSKEY)
|---DNSSEC signature has expired:
testdom5.isoc-il.net.   86215   IN      RRSIG   DNSKEY 8 3 86400
20170310000000 20170210000000 29401 testdom5.isoc-il.net.
GG2ukpUxPwhOp3Yb0rIRhtQvqsF+pZ/cIFTveHJwIaDx6GP7dxbyQ9bv1p8Ojr/3m/tuJgfVq2RwA2+ndDXQxfqnsvi5Nigw6u/LVwqDFVgstxyGDHdJPuriqJjn6IYQIsaSkW52ib9M3Rrd5MptimORTlN6lLAPOgWDDHU6180/VJhwrq8e2MXQeWLier7tdtuolXw7mxRlChpRkV7XWHHbm5KFyS6rGlQooKElhLy/TBRRgK793jTpRN/hYFj3BjgiF9VguMuwkISPNSmuBl0dzghiUFD1QHnALocNC5IxI19QSpdP0ny0rIkNJ/RzKIMHyOlTqnjNzu/qpeJ+rw==
For RRset:
testdom5.isoc-il.net.   86215   IN      DNSKEY  256 3 8
AwEAAaUDJHIJaCsatG03KN1urponSDCPJ/AA1ONXGm1NOMzTodDrKCfzm3sFLSh0tQB1v314WoxOA3A+xJtYjRAhU9NGn7ruPrR8EcXYwzYuLpXEMWmWobKCXKHss4QYAnpyma+wn89NBpEV976P8OX265geJdnIulDvRK1SNkE5cPHcraklS6JWzOp4RIhTy7wNUG7peFiVz1Vp7OVAvb25EtXjS2wAFNitSpzBhAPcZ/2uqLDdIfE7ieUkFDrs22nfIa1RVU2DXzN7iWmpGBwnwbFEtTwSzhzWB6U/uMEHuJ2exUlOOLg3BQ6FTy6kfsZzSyGFDs5tuZSS1XO8ugqLK1U=
;{id = 18888 (zsk), size = 2048b}
testdom5.isoc-il.net.   86215   IN      DNSKEY  257 3 8
AwEAAa+orr5ooEvpwgicZngvULwkDA1luUDrGwKZ3Qti5C7ITTKRJq1Ahrcg/Y/gZ+V0WPkZ074W6DLOGJp9RDIwOCfXhm9aSu2FadG/eqwrVf+CjPRpQZMpGc4ME6BxzkiTjw1g5Yhu0XJDWHvYnIYVr8f7Nazb1k2OqWW5X8QtV7FDrW1fn85BYafVY2TXt3fYlcUzdtisv8/o5ce4ctmidTlXFPqNT63yyASKZiZiV6nbdQToMQtjnxvTT12fTv4zoeKz0W8KiQs48ttGkGxTIuJ5aKVjKJgVZQlH4uoyI5AeUF9fIllM9LPEQvG035/y0zkwJPZgs9DU183Sdve6P2s=
;{id = 29401 (ksk), size = 2048b}
With key:
testdom5.isoc-il.net.   86215   IN      DNSKEY  257 3 8
AwEAAa+orr5ooEvpwgicZngvULwkDA1luUDrGwKZ3Qti5C7ITTKRJq1Ahrcg/Y/gZ+V0WPkZ074W6DLOGJp9RDIwOCfXhm9aSu2FadG/eqwrVf+CjPRpQZMpGc4ME6BxzkiTjw1g5Yhu0XJDWHvYnIYVr8f7Nazb1k2OqWW5X8QtV7FDrW1fn85BYafVY2TXt3fYlcUzdtisv8/o5ce4ctmidTlXFPqNT63yyASKZiZiV6nbdQToMQtjnxvTT12fTv4zoeKz0W8KiQs48ttGkGxTIuJ5aKVjKJgVZQlH4uoyI5AeUF9fIllM9LPEQvG035/y0zkwJPZgs9DU183Sdve6P2s=
;{id = 29401 (ksk), size = 2048b}
|---testdom5.isoc-il.net. (DNSKEY keytag: 29401 alg: 8 flags: 257)
|---testdom5.isoc-il.net. (DS keytag: 29401 digest type: 2)
    |---isoc-il.net. (DNSKEY keytag: 36456 alg: 8 flags: 256)
        |---isoc-il.net. (DNSKEY keytag: 33769 alg: 8 flags: 257)
        |---isoc-il.net. (DS keytag: 33769 digest type: 2)
            |---net. (DNSKEY keytag: 16757 alg: 8 flags: 256)
                |---net. (DNSKEY keytag: 35886 alg: 8 flags: 257)
                |---net. (DS keytag: 35886 digest type: 2)
                    |---. (DNSKEY keytag: 61045 alg: 8 flags: 256)
                        |---. (DNSKEY keytag: 19036 alg: 8 flags: 257)
;; Chase successful

Emil
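
A check for the situation described in the message above, added here as an example (it is not part of the original post and not ldns code): it reads `drill -S` output and returns non-zero when a printed RRSIG is outside its validity window or when drill prints its expiry marker, whatever the final "Chase" line says. The function names are hypothetical, and the parser assumes drill prints each RRSIG record on a single line (the archived mail wraps it).

```shell
# Added example (not from the post or from ldns). Function names are hypothetical.
# Usage against a live zone:
#   drill -S dnskey testdom5.isoc-il.net | check_rrsig_window "$(date -u +%Y%m%d%H%M%S)"

# check_rrsig_window NOW   (NOW is UTC, formatted YYYYMMDDHHMMSS)
# Reads drill output on stdin. Returns 1 if any printed RRSIG is outside its
# validity window at NOW, or if drill printed its expiry marker; otherwise 0.
check_rrsig_window() {
    awk -v now="$1" '
        # Fields: owner ttl class RRSIG covered alg labels origttl
        #         expiration inception keytag signer signature
        $4 == "RRSIG" && length($9) == 14 && length($10) == 14 {
            if (now + 0 > $9 + 0) {
                printf "EXPIRED %s %s keytag=%s expiration=%s\n", $1, $5, $11, $9
                bad++
            }
            if (now + 0 < $10 + 0) {
                printf "NOT-YET-VALID %s %s keytag=%s inception=%s\n", $1, $5, $11, $10
                bad++
            }
        }
        /DNSSEC signature has expired/ { flagged++ }
        END {
            # Marker seen but no parsable RRSIG line: still treat as a failure.
            if (flagged && !bad) { print "EXPIRED (reported by drill)"; bad++ }
            exit (bad ? 1 : 0)
        }'
}

# Constructed sample: the relevant lines of the output in the post, with the
# RRSIG joined onto one line and the signature data replaced by a placeholder.
sample_chase() {
    cat <<'EOF'
;; Chasing: testdom5.isoc-il.net. DNSKEY
DNSSEC Trust tree:
testdom5.isoc-il.net. (DNSKEY)
|---DNSSEC signature has expired:
testdom5.isoc-il.net.   86215   IN      RRSIG   DNSKEY 8 3 86400 20170310000000 20170210000000 29401 testdom5.isoc-il.net. SIGNATURE-PLACEHOLDER
;; Chase successful
EOF
}
```

The YYYYMMDDHHMMSS presentation form compares correctly as a plain number, so no date parsing is needed.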