[ldns-users] drill and signature chase

Willem Toorop willem at nlnetlabs.nl
Thu Mar 16 14:19:58 UTC 2017


Hi Emil,

When looking further into your issue, I noticed that chasing actually does
set a non-zero exit status when there is an error in the validation
path... except when the tree constructed from the chase is for a DNSKEY
(or DS).  So, a short-term solution for you would be to query for a SOA.
I'll see if I can fix this for key queries too.

Regards,
-- Willem

Op 14-03-17 om 18:04 schreef Emil Natan:
> Hello Willem,
> 
> In my opinion this one should end up with non zero status. And why
> should signature chasing behavior differ from simple query which fails
> signature validation? Maybe I'm misunderstanding the purpose of the
> chase functionality.
> Thanks,
> 
> Emil
> 
> On Tue, Mar 14, 2017 at 5:04 PM, Willem Toorop <willem at nlnetlabs.nl> wrote:
> 
>     Op 14-03-17 om 15:41 schreef Emil Natan:
>     > Hello,
>     >
>     > I have domain testdom5.isoc-il.net
>     > deliberately signed with signatures end time in the past.
>     >
>     > "drill dnskey testdom5.isoc-il.net" as
>     > expected fails with SERVFAIL
>     >
>     > Chasing the signature for that record though succeeds.
>     > It says "|---DNSSEC signature has expired" on the way, but I was
>     > expecting the result to be Chase Failed and non zero exit code.
>     >
>     > Do you consider that a bug or is that the expected behavior? Thanks.
> 
>     Hello Emil,
> 
>     Neither yet.  How would you (or the list) consider this behaviour?
>     Should chasing perform the chase and then exit non zero when there was a
>     bogus RR on the path, like tracing does?
> 
>     -- Willem
> 
>     >
>     > drill -S dnskey  testdom5.isoc-il.net
>     > ;; Number of trusted keys: 1
>     > ;; Chasing: testdom5.isoc-il.net. DNSKEY
>     >
>     >
>     > DNSSEC Trust tree:
>     > testdom5.isoc-il.net. (DNSKEY)
>     > |---DNSSEC signature has expired:
>     > testdom5.isoc-il.net.   86215   IN
>     >  RRSIG   DNSKEY 8 3 86400 20170310000000 20170210000000 29401
>     > testdom5.isoc-il.net.
>     >
>     GG2ukpUxPwhOp3Yb0rIRhtQvqsF+pZ/cIFTveHJwIaDx6GP7dxbyQ9bv1p8Ojr/3m/tuJgfVq2RwA2+ndDXQxfqnsvi5Nigw6u/LVwqDFVgstxyGDHdJPuriqJjn6IYQIsaSkW52ib9M3Rrd5MptimORTlN6lLAPOgWDDHU6180/VJhwrq8e2MXQeWLier7tdtuolXw7mxRlChpRkV7XWHHbm5KFyS6rGlQooKElhLy/TBRRgK793jTpRN/hYFj3BjgiF9VguMuwkISPNSmuBl0dzghiUFD1QHnALocNC5IxI19QSpdP0ny0rIkNJ/RzKIMHyOlTqnjNzu/qpeJ+rw==
>     > For RRset:
>     > testdom5.isoc-il.net.   86215   IN
>     >  DNSKEY  256 3 8
>     > AwEAAaUDJHIJaCsatG03KN1urponSDCPJ/AA1ONXGm1NOMzTodDrKCfzm3sFLSh0tQB1v314WoxOA3A+xJtYjRAhU9NGn7ruPrR8EcXYwzYuLpXEMWmWobKCXKHss4QYAnpyma+wn89NBpEV976P8OX265geJdnIulDvRK1SNkE5cPHcraklS6JWzOp4RIhTy7wNUG7peFiVz1Vp7OVAvb25EtXjS2wAFNitSpzBhAPcZ/2uqLDdIfE7ieUkFDrs22nfIa1RVU2DXzN7iWmpGBwnwbFEtTwSzhzWB6U/uMEHuJ2exUlOOLg3BQ6FTy6kfsZzSyGFDs5tuZSS1XO8ugqLK1U=
>     > ;{id = 18888 (zsk), size = 2048b}
>     > testdom5.isoc-il.net.   86215   IN
>     >  DNSKEY  257 3 8
>     > AwEAAa+orr5ooEvpwgicZngvULwkDA1luUDrGwKZ3Qti5C7ITTKRJq1Ahrcg/Y/gZ+V0WPkZ074W6DLOGJp9RDIwOCfXhm9aSu2FadG/eqwrVf+CjPRpQZMpGc4ME6BxzkiTjw1g5Yhu0XJDWHvYnIYVr8f7Nazb1k2OqWW5X8QtV7FDrW1fn85BYafVY2TXt3fYlcUzdtisv8/o5ce4ctmidTlXFPqNT63yyASKZiZiV6nbdQToMQtjnxvTT12fTv4zoeKz0W8KiQs48ttGkGxTIuJ5aKVjKJgVZQlH4uoyI5AeUF9fIllM9LPEQvG035/y0zkwJPZgs9DU183Sdve6P2s=
>     > ;{id = 29401 (ksk), size = 2048b}
>     > With key:
>     > testdom5.isoc-il.net.   86215   IN
>     >  DNSKEY  257 3 8
>     > AwEAAa+orr5ooEvpwgicZngvULwkDA1luUDrGwKZ3Qti5C7ITTKRJq1Ahrcg/Y/gZ+V0WPkZ074W6DLOGJp9RDIwOCfXhm9aSu2FadG/eqwrVf+CjPRpQZMpGc4ME6BxzkiTjw1g5Yhu0XJDWHvYnIYVr8f7Nazb1k2OqWW5X8QtV7FDrW1fn85BYafVY2TXt3fYlcUzdtisv8/o5ce4ctmidTlXFPqNT63yyASKZiZiV6nbdQToMQtjnxvTT12fTv4zoeKz0W8KiQs48ttGkGxTIuJ5aKVjKJgVZQlH4uoyI5AeUF9fIllM9LPEQvG035/y0zkwJPZgs9DU183Sdve6P2s=
>     > ;{id = 29401 (ksk), size = 2048b}
>     > |---testdom5.isoc-il.net. (DNSKEY keytag: 29401 alg: 8 flags: 257)
>     > |---testdom5.isoc-il.net. (DS keytag: 29401 digest type: 2)
>     >     |---isoc-il.net. (DNSKEY keytag: 36456 alg: 8 flags: 256)
>     >         |---isoc-il.net. (DNSKEY keytag: 33769 alg: 8 flags: 257)
>     >         |---isoc-il.net. (DS keytag: 33769 digest type: 2)
>     >             |---net. (DNSKEY keytag: 16757 alg: 8 flags: 256)
>     >                 |---net. (DNSKEY keytag: 35886 alg: 8 flags: 257)
>     >                 |---net. (DS keytag: 35886 digest type: 2)
>     >                     |---. (DNSKEY keytag: 61045 alg: 8 flags: 256)
>     >                         |---. (DNSKEY keytag: 19036 alg: 8 flags: 257)
>     > ;; Chase successful
>     >
>     > Emil
>     >
>     >
>     > _______________________________________________
>     > ldns-users mailing list
>     > ldns-users at nlnetlabs.nl
>     > https://open.nlnetlabs.nl/mailman/listinfo/ldns-users
>     >
> 
> 
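
An added example, not part of the thread and not ldns code: because a DNSKEY (or DS) chase can exit 0 and print ";; Chase successful" while an expired signature sits on the path, a monitoring wrapper can inspect the trust tree text as well as the exit status. The function name `chase_verdict`, its return codes, and the rule that any `|---` line not shaped like a tree node is an error annotation are assumptions drawn only from the output quoted above; the two samples are constructed by abridging that output.

```shell
#!/bin/sh
# chase_verdict STATUS   (drill -S output on stdin)
# Returns 0 only if STATUS is 0, ";; Chase successful" is present and no
# trust-tree line carries an annotation. 1 = drill itself reported failure,
# 2 = drill reported success but the tree contains an error line.
chase_verdict() {
    status=$1
    out=$(cat)
    [ "$status" -eq 0 ] || return 1
    printf '%s\n' "$out" | grep -q '^;; Chase successful' || return 1
    # Tree nodes in the quoted output look like "|---name. (TYPE ...)".
    # Assumption: any other "|---" line is a validation error annotation,
    # such as "|---DNSSEC signature has expired:".
    if printf '%s\n' "$out" | grep -E '^[[:space:]]*\|---' |
        grep -Evq '^[[:space:]]*\|---[^[:space:]]*\. \('; then
        return 2
    fi
    return 0
}

# Constructed sample: abridged from the chase output in this thread.
SAMPLE_EXPIRED='DNSSEC Trust tree:
testdom5.isoc-il.net. (DNSKEY)
|---DNSSEC signature has expired:
|---testdom5.isoc-il.net. (DNSKEY keytag: 29401 alg: 8 flags: 257)
|---testdom5.isoc-il.net. (DS keytag: 29401 digest type: 2)
    |---isoc-il.net. (DNSKEY keytag: 36456 alg: 8 flags: 256)
;; Chase successful'

# Constructed sample: the same tree without the expiry annotation.
SAMPLE_CLEAN='DNSSEC Trust tree:
testdom5.isoc-il.net. (DNSKEY)
|---testdom5.isoc-il.net. (DNSKEY keytag: 29401 alg: 8 flags: 257)
|---testdom5.isoc-il.net. (DS keytag: 29401 digest type: 2)
    |---isoc-il.net. (DNSKEY keytag: 36456 alg: 8 flags: 256)
;; Chase successful'

# Real use, with the command form from the thread:
#   out=$(drill -S dnskey "$zone"); printf '%s\n' "$out" | chase_verdict $?
printf '%s\n' "$SAMPLE_EXPIRED" | chase_verdict 0
echo "expired sample: rc=$?"
```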



