[ldns-users] drill and signature chase
Willem Toorop
willem at nlnetlabs.nl
Thu Mar 16 14:19:58 UTC 2017
Hi Emil,

When looking further into your issue, I noticed that chasing actually does
set a non-zero exit status when there is an error in the validation
path... except when the tree constructed from the chase is for a DNSKEY
(or DS). So, a short-term solution for you would be to query for a SOA.

I'll see if I can fix this for key queries too.

Regards,
-- Willem
On 14-03-17 at 18:04, Emil Natan wrote:
> Hello Willem,
>
> In my opinion this one should end up with non zero status. And why
> should signature chasing behavior differ from simple query which fails
> signature validation? Maybe I'm misunderstanding the purpose of the
> chase functionality.
> Thanks,
>
> Emil
>
> On Tue, Mar 14, 2017 at 5:04 PM, Willem Toorop <willem at nlnetlabs.nl> wrote:
>
> On 14-03-17 at 15:41, Emil Natan wrote:
> > Hello,
> >
> > I have domain testdom5.isoc-il.net
> > deliberately signed with signatures end time in the past.
> >
> > "drill dnskey testdom5.isoc-il.net" as
> > expected fails with SERVFAIL
> >
> > Chasing the signature for that record though succeeds.
> > It says "|---DNSSEC signature has expired" on the way, but I was
> > expecting the result to be Chase Failed and non zero exit code.
> >
> > Do you consider that a bug or is that the expected behavior? Thanks.
>
> Hello Emil,
>
> Neither yet. How would you (or the list) consider this behaviour?
> Should chasing perform the chase and then exit non zero when there was a
> bogus RR on the path, like tracing does?
>
> -- Willem
>
> >
> > drill -S dnskey testdom5.isoc-il.net
> > ;; Number of trusted keys: 1
> > ;; Chasing: testdom5.isoc-il.net. DNSKEY
> >
> >
> > DNSSEC Trust tree:
> > testdom5.isoc-il.net. (DNSKEY)
> > |---DNSSEC signature has expired:
> > testdom5.isoc-il.net. 86215 IN RRSIG DNSKEY 8 3 86400 20170310000000 20170210000000 29401 testdom5.isoc-il.net.
> GG2ukpUxPwhOp3Yb0rIRhtQvqsF+pZ/cIFTveHJwIaDx6GP7dxbyQ9bv1p8Ojr/3m/tuJgfVq2RwA2+ndDXQxfqnsvi5Nigw6u/LVwqDFVgstxyGDHdJPuriqJjn6IYQIsaSkW52ib9M3Rrd5MptimORTlN6lLAPOgWDDHU6180/VJhwrq8e2MXQeWLier7tdtuolXw7mxRlChpRkV7XWHHbm5KFyS6rGlQooKElhLy/TBRRgK793jTpRN/hYFj3BjgiF9VguMuwkISPNSmuBl0dzghiUFD1QHnALocNC5IxI19QSpdP0ny0rIkNJ/RzKIMHyOlTqnjNzu/qpeJ+rw==
> > For RRset:
> > testdom5.isoc-il.net. 86215 IN DNSKEY 256 3 8
> > AwEAAaUDJHIJaCsatG03KN1urponSDCPJ/AA1ONXGm1NOMzTodDrKCfzm3sFLSh0tQB1v314WoxOA3A+xJtYjRAhU9NGn7ruPrR8EcXYwzYuLpXEMWmWobKCXKHss4QYAnpyma+wn89NBpEV976P8OX265geJdnIulDvRK1SNkE5cPHcraklS6JWzOp4RIhTy7wNUG7peFiVz1Vp7OVAvb25EtXjS2wAFNitSpzBhAPcZ/2uqLDdIfE7ieUkFDrs22nfIa1RVU2DXzN7iWmpGBwnwbFEtTwSzhzWB6U/uMEHuJ2exUlOOLg3BQ6FTy6kfsZzSyGFDs5tuZSS1XO8ugqLK1U=
> > ;{id = 18888 (zsk), size = 2048b}
> > testdom5.isoc-il.net. 86215 IN DNSKEY 257 3 8
> > AwEAAa+orr5ooEvpwgicZngvULwkDA1luUDrGwKZ3Qti5C7ITTKRJq1Ahrcg/Y/gZ+V0WPkZ074W6DLOGJp9RDIwOCfXhm9aSu2FadG/eqwrVf+CjPRpQZMpGc4ME6BxzkiTjw1g5Yhu0XJDWHvYnIYVr8f7Nazb1k2OqWW5X8QtV7FDrW1fn85BYafVY2TXt3fYlcUzdtisv8/o5ce4ctmidTlXFPqNT63yyASKZiZiV6nbdQToMQtjnxvTT12fTv4zoeKz0W8KiQs48ttGkGxTIuJ5aKVjKJgVZQlH4uoyI5AeUF9fIllM9LPEQvG035/y0zkwJPZgs9DU183Sdve6P2s=
> > ;{id = 29401 (ksk), size = 2048b}
> > With key:
> > testdom5.isoc-il.net. 86215 IN DNSKEY 257 3 8
> > AwEAAa+orr5ooEvpwgicZngvULwkDA1luUDrGwKZ3Qti5C7ITTKRJq1Ahrcg/Y/gZ+V0WPkZ074W6DLOGJp9RDIwOCfXhm9aSu2FadG/eqwrVf+CjPRpQZMpGc4ME6BxzkiTjw1g5Yhu0XJDWHvYnIYVr8f7Nazb1k2OqWW5X8QtV7FDrW1fn85BYafVY2TXt3fYlcUzdtisv8/o5ce4ctmidTlXFPqNT63yyASKZiZiV6nbdQToMQtjnxvTT12fTv4zoeKz0W8KiQs48ttGkGxTIuJ5aKVjKJgVZQlH4uoyI5AeUF9fIllM9LPEQvG035/y0zkwJPZgs9DU183Sdve6P2s=
> > ;{id = 29401 (ksk), size = 2048b}
> > |---testdom5.isoc-il.net. (DNSKEY keytag: 29401 alg: 8 flags: 257)
> > |---testdom5.isoc-il.net. (DS keytag: 29401 digest type: 2)
> > |---isoc-il.net. (DNSKEY keytag: 36456 alg: 8 flags: 256)
> > |---isoc-il.net. (DNSKEY keytag: 33769 alg: 8 flags: 257)
> > |---isoc-il.net. (DS keytag: 33769 digest type: 2)
> > |---net. (DNSKEY keytag: 16757 alg: 8 flags: 256)
> > |---net. (DNSKEY keytag: 35886 alg: 8 flags: 257)
> > |---net. (DS keytag: 35886 digest type: 2)
> > |---. (DNSKEY keytag: 61045 alg: 8 flags: 256)
> > |---. (DNSKEY keytag: 19036 alg: 8 flags: 257)
> > ;; Chase successful
> >
> > Emil
> >
> >
> > _______________________________________________
> > ldns-users mailing list
> > ldns-users at nlnetlabs.nl
> > https://open.nlnetlabs.nl/mailman/listinfo/ldns-users
> >
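One way to act on the behaviour described in this thread, as an added example that is not part of the original messages or of ldns: a monitoring wrapper that judges a `drill -S` chase by its exit status and by the failure message printed in the trust tree, so an expired signature on a DNSKEY chase is not reported as a pass. The names `chase_verdict`, `chase_check` and `FAIL_PATTERNS` are hypothetical, and both sample outputs are constructed (the first abridged from the output quoted above).

```shell
#!/bin/sh
# Added example (not from the thread): decide whether a `drill -S` chase
# passed without trusting the exit status alone.

# Failure message seen in the trust tree in the thread. Add further
# messages you observe, one per line (grep -F treats each line as a pattern).
FAIL_PATTERNS='DNSSEC signature has expired'

# chase_verdict EXIT_STATUS   (chase output on stdin)
# returns 0 = clean chase
#         1 = drill itself reported failure
#         2 = chase reported success but the tree contains a failure message
chase_verdict() {
    cv_status=$1
    cv_out=$(cat)
    [ "$cv_status" -eq 0 ] || return 1
    printf '%s\n' "$cv_out" | grep -q '^;; Chase successful' || return 1
    if printf '%s\n' "$cv_out" | grep -qF -e "$FAIL_PATTERNS"; then
        return 2
    fi
    return 0
}

# chase_check NAME TYPE: run the chase and apply the verdict.
# Not called here: it needs drill, a configured trust anchor and network access.
chase_check() {
    cc_status=0
    cc_out=$(drill -S "$2" "$1" 2>&1) || cc_status=$?
    printf '%s\n' "$cc_out" | chase_verdict "$cc_status"
}

# Constructed sample, abridged from the output quoted in the thread
# (key and signature material left out).
SAMPLE_EXPIRED=';; Chasing: testdom5.isoc-il.net. DNSKEY
DNSSEC Trust tree:
testdom5.isoc-il.net. (DNSKEY)
|---DNSSEC signature has expired:
|---testdom5.isoc-il.net. (DNSKEY keytag: 29401 alg: 8 flags: 257)
;; Chase successful'

# Constructed sample of a chase with no failure message (placeholder zone).
SAMPLE_CLEAN=';; Chasing: example.test. SOA
DNSSEC Trust tree:
example.test. (SOA)
|---example.test. (DNSKEY keytag: 11111 alg: 8 flags: 256)
;; Chase successful'
```

In a cron or monitoring job, `chase_check testdom5.isoc-il.net dnskey` would then return 2 for the case reported in this thread even though drill exits 0.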