[ldns-users] Maximum number of checked keys in sigchase

Willem Toorop willem at nlnetlabs.nl
Wed Jun 9 09:55:48 UTC 2021


Hi Klaus,

Sorry for the late response.
I will try to reproduce today and let you know my findings.

Cheers,
-- Willem

On 02-06-2021 at 13:57, Klaus Darilion via ldns-users wrote:
> Hello!
> 
> One of my test zones has 50+ KSKs. I usually check my zones with drill
> but this time it fails (see below). Unbound/Bind can validate the
> domain. Hence I suspect some artificial limit in drill. Using grep I
> found LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS which I increased from 10 to
> 100, but still the same error.
> 
> Is my suspicion correct? Where can I increase the limit?
> 
> Thanks
> Klaus
> 
> # drill -t -c
> /etc/bind/zones/rcode0-zones/dnssec-monitoring/resolv.conf.drill -k
> /etc/bind/root-dnskey -S
> 30.kskrollover-test.rc0-monitoring.dnssec-signiert.at
> ;; Number of trusted keys: 2
> ;; Chasing: 30.kskrollover-test.rc0-monitoring.dnssec-signiert.at. A
> 
> 
> DNSSEC Trust tree:
> 30.kskrollover-test.rc0-monitoring.dnssec-signiert.at. (A)
> |---kskrollover-test.rc0-monitoring.dnssec-signiert.at. (DNSKEY keytag:
> 16794 alg: 8 flags: 256)
>     |---kskrollover-test.rc0-monitoring.dnssec-signiert.at. (DNSKEY
> keytag: 10351 alg: 8 flags: 257)
>     |---kskrollover-test.rc0-monitoring.dnssec-signiert.at. (DNSKEY
> keytag: 4510 alg: 8 flags: 257)
>     |---kskrollover-test.rc0-monitoring.dnssec-signiert.at. (DNSKEY
> keytag: 787 alg: 8 flags: 257)
>     |---kskrollover-test.rc0-monitoring.dnssec-signiert.at. (DNSKEY
> keytag: 30724 alg: 8 flags: 257)
>     |---kskrollover-test.rc0-monitoring.dnssec-signiert.at. (DNSKEY
> keytag: 40714 alg: 8 flags: 257)
>     |---kskrollover-test.rc0-monitoring.dnssec-signiert.at. (DNSKEY
> keytag: 50392 alg: 8 flags: 257)
>     |---kskrollover-test.rc0-monitoring.dnssec-signiert.at. (DNSKEY
> keytag: 35404 alg: 8 flags: 257)
>     |---kskrollover-test.rc0-monitoring.dnssec-signiert.at. (DNSKEY
> keytag: 17569 alg: 8 flags: 257)
>     |---kskrollover-test.rc0-monitoring.dnssec-signiert.at. (DNSKEY
> keytag: 52444 alg: 8 flags: 257)
>     |---kskrollover-test.rc0-monitoring.dnssec-signiert.at. (DNSKEY
> keytag: 47716 alg: 8 flags: 257)
> No trusted keys found in tree: first error was: No DNSSEC public key(s)
> ;; Chase failed.
> _______________________________________________
> ldns-users mailing list
> ldns-users at lists.nlnetlabs.nl
> https://lists.nlnetlabs.nl/mailman/listinfo/ldns-users

