[ldns-users] drill and signature chase
Willem Toorop
willem at nlnetlabs.nl
Tue Mar 14 15:04:08 UTC 2017
On 14-03-17 at 15:41, Emil Natan wrote:
> Hello,
>
> I have domain testdom5.isoc-il.net
> deliberately signed with signatures end time in the past.
>
> "drill dnskey testdom5.isoc-il.net" as
> expected fails with SERVFAIL
>
> Chasing the signature for that record though succeeds.
> It says "|---DNSSEC signature has expired" on the way, but I was
> expecting the result to be Chase Failed and non zero exit code.
>
> Do you consider that a bug or is that the expected behavior? Thanks.
Hello Emil,
Neither yet. How would you (or the list) consider this behaviour?
Should chasing perform the chase and then exit non zero when there was a
bogus RR on the path, like tracing does?
-- Willem
>
> drill -S dnskey testdom5.isoc-il.net
> ;; Number of trusted keys: 1
> ;; Chasing: testdom5.isoc-il.net. DNSKEY
>
>
> DNSSEC Trust tree:
> testdom5.isoc-il.net. (DNSKEY)
> |---DNSSEC signature has expired:
> testdom5.isoc-il.net. 86215 IN
> RRSIG DNSKEY 8 3 86400 20170310000000 20170210000000 29401
> testdom5.isoc-il.net.
> GG2ukpUxPwhOp3Yb0rIRhtQvqsF+pZ/cIFTveHJwIaDx6GP7dxbyQ9bv1p8Ojr/3m/tuJgfVq2RwA2+ndDXQxfqnsvi5Nigw6u/LVwqDFVgstxyGDHdJPuriqJjn6IYQIsaSkW52ib9M3Rrd5MptimORTlN6lLAPOgWDDHU6180/VJhwrq8e2MXQeWLier7tdtuolXw7mxRlChpRkV7XWHHbm5KFyS6rGlQooKElhLy/TBRRgK793jTpRN/hYFj3BjgiF9VguMuwkISPNSmuBl0dzghiUFD1QHnALocNC5IxI19QSpdP0ny0rIkNJ/RzKIMHyOlTqnjNzu/qpeJ+rw==
> For RRset:
> testdom5.isoc-il.net. 86215 IN
> DNSKEY 256 3 8
> AwEAAaUDJHIJaCsatG03KN1urponSDCPJ/AA1ONXGm1NOMzTodDrKCfzm3sFLSh0tQB1v314WoxOA3A+xJtYjRAhU9NGn7ruPrR8EcXYwzYuLpXEMWmWobKCXKHss4QYAnpyma+wn89NBpEV976P8OX265geJdnIulDvRK1SNkE5cPHcraklS6JWzOp4RIhTy7wNUG7peFiVz1Vp7OVAvb25EtXjS2wAFNitSpzBhAPcZ/2uqLDdIfE7ieUkFDrs22nfIa1RVU2DXzN7iWmpGBwnwbFEtTwSzhzWB6U/uMEHuJ2exUlOOLg3BQ6FTy6kfsZzSyGFDs5tuZSS1XO8ugqLK1U=
> ;{id = 18888 (zsk), size = 2048b}
> testdom5.isoc-il.net. 86215 IN
> DNSKEY 257 3 8
> AwEAAa+orr5ooEvpwgicZngvULwkDA1luUDrGwKZ3Qti5C7ITTKRJq1Ahrcg/Y/gZ+V0WPkZ074W6DLOGJp9RDIwOCfXhm9aSu2FadG/eqwrVf+CjPRpQZMpGc4ME6BxzkiTjw1g5Yhu0XJDWHvYnIYVr8f7Nazb1k2OqWW5X8QtV7FDrW1fn85BYafVY2TXt3fYlcUzdtisv8/o5ce4ctmidTlXFPqNT63yyASKZiZiV6nbdQToMQtjnxvTT12fTv4zoeKz0W8KiQs48ttGkGxTIuJ5aKVjKJgVZQlH4uoyI5AeUF9fIllM9LPEQvG035/y0zkwJPZgs9DU183Sdve6P2s=
> ;{id = 29401 (ksk), size = 2048b}
> With key:
> testdom5.isoc-il.net. 86215 IN
> DNSKEY 257 3 8
> AwEAAa+orr5ooEvpwgicZngvULwkDA1luUDrGwKZ3Qti5C7ITTKRJq1Ahrcg/Y/gZ+V0WPkZ074W6DLOGJp9RDIwOCfXhm9aSu2FadG/eqwrVf+CjPRpQZMpGc4ME6BxzkiTjw1g5Yhu0XJDWHvYnIYVr8f7Nazb1k2OqWW5X8QtV7FDrW1fn85BYafVY2TXt3fYlcUzdtisv8/o5ce4ctmidTlXFPqNT63yyASKZiZiV6nbdQToMQtjnxvTT12fTv4zoeKz0W8KiQs48ttGkGxTIuJ5aKVjKJgVZQlH4uoyI5AeUF9fIllM9LPEQvG035/y0zkwJPZgs9DU183Sdve6P2s=
> ;{id = 29401 (ksk), size = 2048b}
> |---testdom5.isoc-il.net. (DNSKEY keytag: 29401 alg: 8 flags: 257)
> |---testdom5.isoc-il.net. (DS keytag: 29401 digest type: 2)
> |---isoc-il.net. (DNSKEY keytag: 36456 alg: 8 flags: 256)
> |---isoc-il.net. (DNSKEY keytag: 33769 alg: 8 flags: 257)
> |---isoc-il.net. (DS keytag: 33769 digest type: 2)
> |---net. (DNSKEY keytag: 16757 alg: 8 flags: 256)
> |---net. (DNSKEY keytag: 35886 alg: 8 flags: 257)
> |---net. (DS keytag: 35886 digest type: 2)
> |---. (DNSKEY keytag: 61045 alg: 8 flags: 256)
> |---. (DNSKEY keytag: 19036 alg: 8 flags: 257)
> ;; Chase successful
>
> Emil
>
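
An added example, not part of the thread and not ldns code: one way to get the non-zero result Emil expected is to post-process the `drill -S` output, re-checking each RRSIG validity window and keeping drill's own "signature has expired" marker as a failure. The function name `audit_chase`, the exit-code policy and the trimmed sample output (signature blob replaced by a placeholder) are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample: drill -S output modelled on the thread, trimmed, with
# the signature blob replaced by a placeholder.
SAMPLE = """\
;; Chasing: testdom5.isoc-il.net. DNSKEY
DNSSEC Trust tree:
testdom5.isoc-il.net. (DNSKEY)
|---DNSSEC signature has expired:
testdom5.isoc-il.net. 86215 IN RRSIG DNSKEY 8 3 86400 20170310000000
 20170210000000 29401 testdom5.isoc-il.net. SIGNATURE-PLACEHOLDER
|---testdom5.isoc-il.net. (DNSKEY keytag: 29401 alg: 8 flags: 257)
;; Chase successful
"""

# RRSIG presentation format: covered type, algorithm, labels, original TTL,
# expiration, inception, key tag, signer. \s+ also spans wrapped lines.
RRSIG_RE = re.compile(
    r"RRSIG\s+(?P<covered>\S+)\s+\d+\s+\d+\s+\d+\s+"
    r"(?P<exp>\d{14})\s+(?P<inc>\d{14})\s+(?P<tag>\d+)\s+(?P<signer>\S+)")

def _ts(stamp):
    """Parse a YYYYMMDDHHmmSS RRSIG timestamp as UTC."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def audit_chase(output, now):
    """Return (exit_code, findings) for chase output evaluated at `now`."""
    findings = []
    for m in RRSIG_RE.finditer(output):
        label = f"RRSIG {m['covered']} keytag {m['tag']} signer {m['signer']}"
        if now > _ts(m["exp"]):
            findings.append(f"{label}: expired {_ts(m['exp']):%Y-%m-%d}")
        elif now < _ts(m["inc"]):
            findings.append(f"{label}: not valid before {_ts(m['inc']):%Y-%m-%d}")
    # Keep drill's own marker as a finding when the timestamps raised none.
    if "DNSSEC signature has expired" in output and not findings:
        findings.append("drill flagged an expired signature")
    if ";; Chase successful" not in output:
        findings.append("chase did not complete")
    return (1 if findings else 0), findings

if __name__ == "__main__":
    # Fixed evaluation time (the date of the list message) for a repeatable run.
    code, found = audit_chase(SAMPLE, datetime(2017, 3, 14, tzinfo=timezone.utc))
    print(code, found)
```

In a monitoring job the returned code would be passed to `sys.exit()` so that an expired signature anywhere on the path fails the check even though drill prints "Chase successful".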