[ldns-users] drill and signature chase

Emil Natan shlyoko at gmail.com
Thu Mar 16 15:02:09 UTC 2017


Hi Willem,

Thank you for your response. Chasing a signature for a DNSKEY actually fails
in every other case I tested, except for an expired signature. A DS at the
parent that does not match the DNSKEY at the child, or a missing DNSKEY RRSIG,
for example, makes it fail with exit status 29 and "No trusted keys found in
tree: first error was: No DNSSEC public key(s) ;;  Chase failed."

Emil

On Thu, Mar 16, 2017 at 4:19 PM, Willem Toorop <willem at nlnetlabs.nl> wrote:

> Hi Emil,
>
> When looking further in your issue, I noticed that chasing actually does
> set a non-zero exit status when there is an error in the validation
> path... except when the tree constructed from the chase is for a DNSKEY
> (or DS).  So, short term solution for you would be to query for a SOA.
> I'll see if I can fix this for key queries too.
>
> Regards,
> -- Willem
>
> On 14-03-17 at 18:04, Emil Natan wrote:
> > Hello Willem,
> >
> > In my opinion this one should end up with a non-zero status. And why
> > should signature chasing behaviour differ from a simple query that fails
> > signature validation? Maybe I'm misunderstanding the purpose of the
> > chase functionality.
> > Thanks,
> >
> > Emil
> >
> > On Tue, Mar 14, 2017 at 5:04 PM, Willem Toorop <willem at nlnetlabs.nl> wrote:
> >
> >     On 14-03-17 at 15:41, Emil Natan wrote:
> >     > Hello,
> >     >
> >     > I have domain testdom5.isoc-il.net
> >     > deliberately signed with signatures end time in the past.
> >     >
> >     > "drill dnskey testdom5.isoc-il.net" as
> >     > expected fails with SERVFAIL
> >     >
> >     > Chasing the signature for that record though succeeds.
> >     > It says "|---DNSSEC signature has expired" on the way, but I was
> >     > expecting the result to be Chase Failed and non zero exit code.
> >     >
> >     > Do you consider that a bug or is that the expected behavior? Thanks.
> >
> >     Hello Emil,
> >
> >     Neither yet.  How would you (or the list) consider this behaviour?
> >     Should chasing perform the chase and then exit non-zero when there was a
> >     bogus RR on the path, like tracing does?
> >
> >     -- Willem
> >
> >     >
> >     > drill -S dnskey testdom5.isoc-il.net
> >     > ;; Number of trusted keys: 1
> >     > ;; Chasing: testdom5.isoc-il.net. DNSKEY
> >     >
> >     >
> >     > DNSSEC Trust tree:
> >     > testdom5.isoc-il.net. (DNSKEY)
> >     > |---DNSSEC signature has expired:
> >     > testdom5.isoc-il.net.   86215   IN      RRSIG   DNSKEY 8 3 86400 20170310000000 20170210000000 29401 testdom5.isoc-il.net. GG2ukpUxPwhOp3Yb0rIRhtQvqsF+pZ/cIFTveHJwIaDx6GP7dxbyQ9bv1p8Ojr/3m/tuJgfVq2RwA2+ndDXQxfqnsvi5Nigw6u/LVwqDFVgstxyGDHdJPuriqJjn6IYQIsaSkW52ib9M3Rrd5MptimORTlN6lLAPOgWDDHU6180/VJhwrq8e2MXQeWLier7tdtuolXw7mxRlChpRkV7XWHHbm5KFyS6rGlQooKElhLy/TBRRgK793jTpRN/hYFj3BjgiF9VguMuwkISPNSmuBl0dzghiUFD1QHnALocNC5IxI19QSpdP0ny0rIkNJ/RzKIMHyOlTqnjNzu/qpeJ+rw==
> >     > For RRset:
> >     > testdom5.isoc-il.net.   86215   IN      DNSKEY  256 3 8 AwEAAaUDJHIJaCsatG03KN1urponSDCPJ/AA1ONXGm1NOMzTodDrKCfzm3sFLSh0tQB1v314WoxOA3A+xJtYjRAhU9NGn7ruPrR8EcXYwzYuLpXEMWmWobKCXKHss4QYAnpyma+wn89NBpEV976P8OX265geJdnIulDvRK1SNkE5cPHcraklS6JWzOp4RIhTy7wNUG7peFiVz1Vp7OVAvb25EtXjS2wAFNitSpzBhAPcZ/2uqLDdIfE7ieUkFDrs22nfIa1RVU2DXzN7iWmpGBwnwbFEtTwSzhzWB6U/uMEHuJ2exUlOOLg3BQ6FTy6kfsZzSyGFDs5tuZSS1XO8ugqLK1U= ;{id = 18888 (zsk), size = 2048b}
> >     > testdom5.isoc-il.net.   86215   IN      DNSKEY  257 3 8 AwEAAa+orr5ooEvpwgicZngvULwkDA1luUDrGwKZ3Qti5C7ITTKRJq1Ahrcg/Y/gZ+V0WPkZ074W6DLOGJp9RDIwOCfXhm9aSu2FadG/eqwrVf+CjPRpQZMpGc4ME6BxzkiTjw1g5Yhu0XJDWHvYnIYVr8f7Nazb1k2OqWW5X8QtV7FDrW1fn85BYafVY2TXt3fYlcUzdtisv8/o5ce4ctmidTlXFPqNT63yyASKZiZiV6nbdQToMQtjnxvTT12fTv4zoeKz0W8KiQs48ttGkGxTIuJ5aKVjKJgVZQlH4uoyI5AeUF9fIllM9LPEQvG035/y0zkwJPZgs9DU183Sdve6P2s= ;{id = 29401 (ksk), size = 2048b}
> >     > With key:
> >     > testdom5.isoc-il.net.   86215   IN      DNSKEY  257 3 8 AwEAAa+orr5ooEvpwgicZngvULwkDA1luUDrGwKZ3Qti5C7ITTKRJq1Ahrcg/Y/gZ+V0WPkZ074W6DLOGJp9RDIwOCfXhm9aSu2FadG/eqwrVf+CjPRpQZMpGc4ME6BxzkiTjw1g5Yhu0XJDWHvYnIYVr8f7Nazb1k2OqWW5X8QtV7FDrW1fn85BYafVY2TXt3fYlcUzdtisv8/o5ce4ctmidTlXFPqNT63yyASKZiZiV6nbdQToMQtjnxvTT12fTv4zoeKz0W8KiQs48ttGkGxTIuJ5aKVjKJgVZQlH4uoyI5AeUF9fIllM9LPEQvG035/y0zkwJPZgs9DU183Sdve6P2s= ;{id = 29401 (ksk), size = 2048b}
> >     > |---testdom5.isoc-il.net. (DNSKEY keytag: 29401 alg: 8 flags: 257)
> >     > |---testdom5.isoc-il.net. (DS keytag: 29401 digest type: 2)
> >     >     |---isoc-il.net. (DNSKEY keytag: 36456 alg: 8 flags: 256)
> >     >         |---isoc-il.net. (DNSKEY keytag: 33769 alg: 8 flags: 257)
> >     >         |---isoc-il.net. (DS keytag: 33769 digest type: 2)
> >     >             |---net. (DNSKEY keytag: 16757 alg: 8 flags: 256)
> >     >                 |---net. (DNSKEY keytag: 35886 alg: 8 flags: 257)
> >     >                 |---net. (DS keytag: 35886 digest type: 2)
> >     >                     |---. (DNSKEY keytag: 61045 alg: 8 flags: 256)
> >     >                         |---. (DNSKEY keytag: 19036 alg: 8 flags: 257)
> >     > ;; Chase successful
> >     >
> >     > Emil
> >     >
> >     >
> >     > _______________________________________________
> >     > ldns-users mailing list
> >     > ldns-users at nlnetlabs.nl
> >     > https://open.nlnetlabs.nl/mailman/listinfo/ldns-users
> >     >
> >
>
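One way to get the non-zero status Emil asks for while the chase code is unfixed, as an added example that is not part of this thread or of ldns: a small Python post-processor that reads drill -S output, flags drill's annotation nodes on the trust tree and independently checks each RRSIG's inception/expiration window. The sample output, the reference time and the rule that annotation nodes lack a trailing "(...)" description are constructed from the quoted chase, not taken from drill's source.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the drill -S output quoted in the thread, abridged, with the
# base64 signature replaced by a <sig> placeholder.
SAMPLE = """\
DNSSEC Trust tree:
testdom5.isoc-il.net. (DNSKEY)
|---DNSSEC signature has expired:
testdom5.isoc-il.net.   86215   IN      RRSIG   DNSKEY 8 3 86400 20170310000000 20170210000000 29401 testdom5.isoc-il.net. <sig>
|---testdom5.isoc-il.net. (DNSKEY keytag: 29401 alg: 8 flags: 257)
|---testdom5.isoc-il.net. (DS keytag: 29401 digest type: 2)
    |---isoc-il.net. (DNSKEY keytag: 36456 alg: 8 flags: 256)
;; Chase successful
"""
MAIL_TIME = datetime(2017, 3, 16, 15, 2, 9, tzinfo=timezone.utc)  # constructed "now"

# RRSIG presentation format: type alg labels origttl expiration inception keytag signer
RRSIG_RE = re.compile(
    r"^\S+\s+\d+\s+IN\s+RRSIG\s+(?P<type>\S+)\s+\d+\s+\d+\s+\d+\s+"
    r"(?P<exp>\d{14})\s+(?P<inc>\d{14})\s+(?P<keytag>\d+)\s+\S+"
)

def rrsig_window_problem(line, now):
    """Describe why the RRSIG on `line` is outside its validity window at `now`, else None."""
    m = RRSIG_RE.match(line)
    if not m:
        return None
    ts = lambda s: datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    exp, inc = ts(m["exp"]), ts(m["inc"])
    if now > exp:
        return f"RRSIG {m['type']} keytag {m['keytag']} expired {exp:%Y-%m-%d %H:%M:%S}"
    if now < inc:
        return f"RRSIG {m['type']} keytag {m['keytag']} not valid before {inc:%Y-%m-%d %H:%M:%S}"
    return None

def check_chase(output, now):
    """Return (exit_code, problems): 0 only if the chase succeeded with no bogus RR."""
    problems = []
    for raw in output.splitlines():
        node = raw.strip()
        # Key/DS tree nodes end in a "(...)" description; a |--- node without one is
        # taken to be a drill annotation such as "DNSSEC signature has expired:".
        if node.startswith("|---") and not node.endswith(")"):
            problems.append(node[4:].rstrip(":"))
        problem = rrsig_window_problem(node, now)
        if problem:
            problems.append(problem)
    chase_ok = ";; Chase successful" in output
    return (0 if chase_ok and not problems else 1), problems
```

Run it as `drill -S dnskey <name> | python3 check_chase.py` style wrapper and exit with the returned code; the RRSIG check reports the expiry even if a future drill version changes the wording of its annotation.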