[ldns-users] Maximum number of checked keys in sigchase

Klaus Darilion klaus.mailinglists at pernau.at
Wed Jun 2 11:57:12 UTC 2021


Hello!

One of my test zones has 50+ KSKs. I usually check my zones with drill 
but this time it fails (see below). Unbound/Bind can validate the 
domain. Hence I suspect some artificial limit in drill. Using grep I 
found LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS which I increased from 10 to 
100, but still the same error.

Is my suspicion correct? Where can I increase the limit?

Thanks
Klaus

# drill -t -c 
/etc/bind/zones/rcode0-zones/dnssec-monitoring/resolv.conf.drill -k 
/etc/bind/root-dnskey -S 
30.kskrollover-test.rc0-monitoring.dnssec-signiert.at
;; Number of trusted keys: 2
;; Chasing: 30.kskrollover-test.rc0-monitoring.dnssec-signiert.at. A


DNSSEC Trust tree:
30.kskrollover-test.rc0-monitoring.dnssec-signiert.at. (A)
|---kskrollover-test.rc0-monitoring.dnssec-signiert.at. (DNSKEY keytag: 
16794 alg: 8 flags: 256)
     |---kskrollover-test.rc0-monitoring.dnssec-signiert.at. (DNSKEY 
keytag: 10351 alg: 8 flags: 257)
     |---kskrollover-test.rc0-monitoring.dnssec-signiert.at. (DNSKEY 
keytag: 4510 alg: 8 flags: 257)
     |---kskrollover-test.rc0-monitoring.dnssec-signiert.at. (DNSKEY 
keytag: 787 alg: 8 flags: 257)
     |---kskrollover-test.rc0-monitoring.dnssec-signiert.at. (DNSKEY 
keytag: 30724 alg: 8 flags: 257)
     |---kskrollover-test.rc0-monitoring.dnssec-signiert.at. (DNSKEY 
keytag: 40714 alg: 8 flags: 257)
     |---kskrollover-test.rc0-monitoring.dnssec-signiert.at. (DNSKEY 
keytag: 50392 alg: 8 flags: 257)
     |---kskrollover-test.rc0-monitoring.dnssec-signiert.at. (DNSKEY 
keytag: 35404 alg: 8 flags: 257)
     |---kskrollover-test.rc0-monitoring.dnssec-signiert.at. (DNSKEY 
keytag: 17569 alg: 8 flags: 257)
     |---kskrollover-test.rc0-monitoring.dnssec-signiert.at. (DNSKEY 
keytag: 52444 alg: 8 flags: 257)
     |---kskrollover-test.rc0-monitoring.dnssec-signiert.at. (DNSKEY 
keytag: 47716 alg: 8 flags: 257)
No trusted keys found in tree: first error was: No DNSSEC public key(s)
;; Chase failed.
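The following is an added example, not code from the post or from ldns/drill. It parses the text of a `drill -S` trust tree like the one quoted above (the sample below is a constructed copy of that output, wrapped the way a mail client wraps it), tallies the DNSKEY nodes by role using the RFC 4034 flag bits (0x100 Zone Key, 0x001 SEP), and applies a heuristic: if the number of SEP-flagged keys shown equals the compiled-in LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS (10 by default, per the post), the tree may have been cut off at that cap instead of listing all of the zone's keys. The cap value, the regex and the heuristic are assumptions of this example, not documented ldns behaviour.

```python
import re
from collections import Counter

# Constructed sample input: a copy of the drill -S trust tree quoted above,
# reproduced with mail-client line wrapping. Not live output.
SAMPLE_TREE = """\
DNSSEC Trust tree:
30.kskrollover-test.rc0-monitoring.dnssec-signiert.at. (A)
|---kskrollover-test.rc0-monitoring.dnssec-signiert.at. (DNSKEY keytag:
16794 alg: 8 flags: 256)
     |---kskrollover-test.rc0-monitoring.dnssec-signiert.at. (DNSKEY
keytag: 10351 alg: 8 flags: 257)
     |---kskrollover-test.rc0-monitoring.dnssec-signiert.at. (DNSKEY
keytag: 4510 alg: 8 flags: 257)
     |---kskrollover-test.rc0-monitoring.dnssec-signiert.at. (DNSKEY
keytag: 787 alg: 8 flags: 257)
     |---kskrollover-test.rc0-monitoring.dnssec-signiert.at. (DNSKEY
keytag: 30724 alg: 8 flags: 257)
     |---kskrollover-test.rc0-monitoring.dnssec-signiert.at. (DNSKEY
keytag: 40714 alg: 8 flags: 257)
     |---kskrollover-test.rc0-monitoring.dnssec-signiert.at. (DNSKEY
keytag: 50392 alg: 8 flags: 257)
     |---kskrollover-test.rc0-monitoring.dnssec-signiert.at. (DNSKEY
keytag: 35404 alg: 8 flags: 257)
     |---kskrollover-test.rc0-monitoring.dnssec-signiert.at. (DNSKEY
keytag: 17569 alg: 8 flags: 257)
     |---kskrollover-test.rc0-monitoring.dnssec-signiert.at. (DNSKEY
keytag: 52444 alg: 8 flags: 257)
     |---kskrollover-test.rc0-monitoring.dnssec-signiert.at. (DNSKEY
keytag: 47716 alg: 8 flags: 257)
No trusted keys found in tree: first error was: No DNSSEC public key(s)
;; Chase failed.
"""

# DNSKEY flag bits (RFC 4034, section 2.1.1).
ZONE_KEY = 0x100
SEP = 0x001

# Default of LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS as stated in the post (assumption).
DEFAULT_MAX_PARENTS = 10

# Owner name followed by a DNSKEY node; whitespace is flexible so wrapped
# lines still match once the text has been flattened.
DNSKEY_NODE = re.compile(
    r"(?P<owner>[A-Za-z0-9_][A-Za-z0-9._-]*)\s*\(DNSKEY\s+keytag:\s*(?P<keytag>\d+)"
    r"\s+alg:\s*(?P<alg>\d+)\s+flags:\s*(?P<flags>\d+)\)"
)


def parse_trust_tree(text):
    """Return the DNSKEY nodes of a drill -S trust tree as a list of dicts.
    All whitespace (including mail-client line wraps) is collapsed first."""
    flat = " ".join(text.split())
    nodes = []
    for m in DNSKEY_NODE.finditer(flat):
        flags = int(m.group("flags"))
        nodes.append({
            "owner": m.group("owner"),
            "keytag": int(m.group("keytag")),
            "alg": int(m.group("alg")),
            "flags": flags,
            "is_zone_key": bool(flags & ZONE_KEY),
            "is_sep": bool(flags & SEP),
        })
    return nodes


def summarize(nodes):
    """Count keys by role: zone keys with SEP set (KSK), without (ZSK), other."""
    roles = Counter()
    for n in nodes:
        if not n["is_zone_key"]:
            roles["non-zone-key"] += 1
        elif n["is_sep"]:
            roles["ksk"] += 1
        else:
            roles["zsk"] += 1
    return dict(roles)


def chase_failed(text):
    """True if drill printed its chase-failed marker."""
    return ";; Chase failed." in text


def may_have_hit_cap(nodes, cap=DEFAULT_MAX_PARENTS):
    """Heuristic (assumption of this example): exactly `cap` SEP keys in the
    tree is consistent with the tree being truncated at the parent cap."""
    return summarize(nodes).get("ksk", 0) == cap


if __name__ == "__main__":
    keys = parse_trust_tree(SAMPLE_TREE)
    print("DNSKEY nodes:", len(keys), summarize(keys))
    print("chase failed:", chase_failed(SAMPLE_TREE))
    print("KSK count equals default cap:", may_have_hit_cap(keys))
```

Run it against the real `drill -S` output of the zone under test; if the KSK count printed matches the cap while the zone is known to carry more KSKs, that is the first thing to compare against a rebuilt drill with a larger LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS.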

