[ldns-users] drill and signature chase

Emil Natan shlyoko at gmail.com
Tue Mar 14 17:04:20 UTC 2017


Hello Willem,

In my opinion, this one should end up with a non-zero status. And why should
signature chasing behavior differ from a simple query which fails signature
validation? Maybe I'm misunderstanding the purpose of the chase
functionality.

Thanks,

Emil

On Tue, Mar 14, 2017 at 5:04 PM, Willem Toorop <willem at nlnetlabs.nl> wrote:

> On 14-03-17 at 15:41, Emil Natan wrote:
> > Hello,
> >
> > I have a domain, testdom5.isoc-il.net, deliberately signed with
> > signature end times in the past.
> >
> > "drill dnskey testdom5.isoc-il.net" as expected fails with SERVFAIL.
> >
> > Chasing the signature for that record though succeeds.
> > It says "|---DNSSEC signature has expired" on the way, but I was
> > expecting the result to be Chase Failed and a non-zero exit code.
> >
> > Do you consider that a bug or is that the expected behavior? Thanks.
>
> Hello Emil,
>
> Neither yet.  How would you (or the list) consider this behaviour?
> Should chasing perform the chase and then exit non-zero when there was a
> bogus RR on the path, like tracing does?
>
> -- Willem
>
> >
> > drill -S dnskey  testdom5.isoc-il.net
> > ;; Number of trusted keys: 1
> > ;; Chasing: testdom5.isoc-il.net. DNSKEY
> >
> >
> > DNSSEC Trust tree:
> > testdom5.isoc-il.net. (DNSKEY)
> > |---DNSSEC signature has expired:
> > testdom5.isoc-il.net.   86215   IN  RRSIG   DNSKEY 8 3 86400 20170310000000 20170210000000 29401 testdom5.isoc-il.net.
> > GG2ukpUxPwhOp3Yb0rIRhtQvqsF+pZ/cIFTveHJwIaDx6GP7dxbyQ9bv1p8Oj
> r/3m/tuJgfVq2RwA2+ndDXQxfqnsvi5Nigw6u/LVwqDFVgstxyGDHdJPuriqJjn6IYQI
> saSkW52ib9M3Rrd5MptimORTlN6lLAPOgWDDHU6180/VJhwrq8e2MXQeWLier7tdtuolXw7mx
> RlChpRkV7XWHHbm5KFyS6rGlQooKElhLy/TBRRgK793jTpRN/
> hYFj3BjgiF9VguMuwkISPNSmuBl0dzghiUFD1QHnALocNC5IxI19QSpdP0ny
> 0rIkNJ/RzKIMHyOlTqnjNzu/qpeJ+rw==
> > For RRset:
> > testdom5.isoc-il.net.   86215   IN  DNSKEY  256 3 8
> > AwEAAaUDJHIJaCsatG03KN1urponSDCPJ/AA1ONXGm1NOMzTodDrKCfzm3sFLSh0
> tQB1v314WoxOA3A+xJtYjRAhU9NGn7ruPrR8EcXYwzYuLpXEMWmWobKCXKHss4QYAnpyma+
> wn89NBpEV976P8OX265geJdnIulDvRK1SNkE5cPHcraklS6JWzOp4RIhTy7w
> NUG7peFiVz1Vp7OVAvb25EtXjS2wAFNitSpzBhAPcZ/2uqLDdIfE7ieUkFDrs22nfIa1RVU2D
> XzN7iWmpGBwnwbFEtTwSzhzWB6U/uMEHuJ2exUlOOLg3BQ6FTy6kfsZzSy
> GFDs5tuZSS1XO8ugqLK1U=
> > ;{id = 18888 (zsk), size = 2048b}
> > testdom5.isoc-il.net.   86215   IN  DNSKEY  257 3 8
> > AwEAAa+orr5ooEvpwgicZngvULwkDA1luUDrGwKZ3Qti5C7ITTKRJq1Ahrcg/Y/gZ+
> V0WPkZ074W6DLOGJp9RDIwOCfXhm9aSu2FadG/eqwrVf+
> CjPRpQZMpGc4ME6BxzkiTjw1g5Yhu0XJDWHvYnIYVr8f7Nazb1k2OqWW5X8Q
> tV7FDrW1fn85BYafVY2TXt3fYlcUzdtisv8/o5ce4ctmidTlXFPqNT63yyASKZiZiV
> 6nbdQToMQtjnxvTT12fTv4zoeKz0W8KiQs48ttGkGxTIuJ5aKVjKJgVZQlH4
> uoyI5AeUF9fIllM9LPEQvG035/y0zkwJPZgs9DU183Sdve6P2s=
> > ;{id = 29401 (ksk), size = 2048b}
> > With key:
> > testdom5.isoc-il.net.   86215   IN  DNSKEY  257 3 8
> > AwEAAa+orr5ooEvpwgicZngvULwkDA1luUDrGwKZ3Qti5C7ITTKRJq1Ahrcg/Y/gZ+
> V0WPkZ074W6DLOGJp9RDIwOCfXhm9aSu2FadG/eqwrVf+
> CjPRpQZMpGc4ME6BxzkiTjw1g5Yhu0XJDWHvYnIYVr8f7Nazb1k2OqWW5X8Q
> tV7FDrW1fn85BYafVY2TXt3fYlcUzdtisv8/o5ce4ctmidTlXFPqNT63yyASKZiZiV
> 6nbdQToMQtjnxvTT12fTv4zoeKz0W8KiQs48ttGkGxTIuJ5aKVjKJgVZQlH4
> uoyI5AeUF9fIllM9LPEQvG035/y0zkwJPZgs9DU183Sdve6P2s=
> > ;{id = 29401 (ksk), size = 2048b}
> > |---testdom5.isoc-il.net. (DNSKEY keytag: 29401 alg: 8 flags: 257)
> > |---testdom5.isoc-il.net. (DS keytag: 29401 digest type: 2)
> >     |---isoc-il.net. (DNSKEY keytag: 36456 alg: 8 flags: 256)
> >         |---isoc-il.net. (DNSKEY keytag: 33769 alg: 8 flags: 257)
> >         |---isoc-il.net. (DS keytag: 33769 digest type: 2)
> >             |---net. (DNSKEY keytag: 16757 alg: 8 flags: 256)
> >                 |---net. (DNSKEY keytag: 35886 alg: 8 flags: 257)
> >                 |---net. (DS keytag: 35886 digest type: 2)
> >                     |---. (DNSKEY keytag: 61045 alg: 8 flags: 256)
> >                         |---. (DNSKEY keytag: 19036 alg: 8 flags: 257)
> > ;; Chase successful
> >
> > Emil
> >
> >
> > _______________________________________________
> > ldns-users mailing list
> > ldns-users at nlnetlabs.nl
> > https://open.nlnetlabs.nl/mailman/listinfo/ldns-users
> >
>


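Added example, not part of the original messages or of ldns: a wrapper that turns `drill -S` output into an exit status, so a chase that prints "DNSSEC signature has expired" cannot pass as success in a script or monitoring check. It also compares each RRSIG validity window against a reference time itself; the names `chase_verdict` and `sample_chase_output` are hypothetical, and the only drill message matched is the one quoted in this thread.

```shell
#!/bin/sh
# Added example (not part of ldns): turn `drill -S` output into an exit status.
# Usage: drill -S dnskey example.org | chase_verdict [YYYYMMDDHHMMSS-UTC]
chase_verdict() {
    now=${1:-$(date -u +%Y%m%d%H%M%S)}
    awk -v now="$now" '
        /DNSSEC signature has expired/ { why = "drill flagged an expired signature" }
        /^;; Chase successful/         { chased = 1 }
        {
            # RRSIG rdata order (RFC 4034): type-covered alg labels orig-ttl
            # expiration inception keytag signer signature
            for (i = 1; i + 6 <= NF; i++) {
                if ($i != "RRSIG") continue
                e = $(i + 5); s = $(i + 6)
                if (length(e) != 14 || length(s) != 14) continue
                if (e !~ /^[0-9]+$/ || s !~ /^[0-9]+$/) continue
                # Fixed-width UTC timestamps compare correctly as numbers.
                if (e + 0 < now + 0) why = "RRSIG expired at " e
                if (s + 0 > now + 0) why = "RRSIG not valid before " s
            }
        }
        END {
            if (why == "" && !chased) why = "no \"Chase successful\" line"
            if (why != "") { print "BOGUS: " why; exit 1 }
            print "SECURE"
        }'
}

# Constructed sample: abridged from the output quoted in this thread, with the
# signature data replaced by the placeholder SIG-ELIDED.
sample_chase_output() {
    cat <<'EOF'
;; Number of trusted keys: 1
;; Chasing: testdom5.isoc-il.net. DNSKEY
DNSSEC Trust tree:
testdom5.isoc-il.net. (DNSKEY)
|---DNSSEC signature has expired:
testdom5.isoc-il.net.   86215   IN  RRSIG   DNSKEY 8 3 86400 20170310000000 20170210000000 29401 testdom5.isoc-il.net. SIG-ELIDED
|---testdom5.isoc-il.net. (DNSKEY keytag: 29401 alg: 8 flags: 257)
;; Chase successful
EOF
}

# Reference time is the date of the post (2017-03-14 17:04:20 UTC).
sample_chase_output | chase_verdict 20170314170420 || echo "exit status: $?"
```

The timestamp comparison assumes each RRSIG record arrives on a single line, as drill prints it, rather than wrapped by a mail client.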