[ldns-users] Maximum number of checked keys in sigchase

Klaus Darilion klaus.darilion at nic.at
Thu Jun 17 12:14:14 UTC 2021


For the record: My build was fine, but I only upgraded the "ldnsutils" package. After upgrading also the libldns2 package everything works as expected.

Thanks
Klaus

> -----Original Message-----
> From: ldns-users <ldns-users-bounces at lists.nlnetlabs.nl> On Behalf Of
> Willem Toorop via ldns-users
> Sent: Thursday, 10 June 2021 13:14
> To: Klaus Darilion <klaus.mailinglists at pernau.at>; ldns-users at lists.nlnetlabs.nl
> Subject: Re: [ldns-users] Maximum number of checked keys in sigchase
> 
> Hi Klaus,
> 
> You were already correct. Somehow you must have not used the newly
> compiled ldns and drill. I created a test zone: hopsa.zones.cat and I
> can chase it with the value of LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS
> increased:
> 
> willem at makaak:~/repos/ldns$ git diff
> diff --git a/ldns/dnssec_verify.h b/ldns/dnssec_verify.h
> index 80881c68..b97413d8 100644
> --- a/ldns/dnssec_verify.h
> +++ b/ldns/dnssec_verify.h
> @@ -3,7 +3,7 @@
>  #ifndef LDNS_DNSSEC_VERIFY_H
>  #define LDNS_DNSSEC_VERIFY_H
> 
> -#define LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS 10
> +#define LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS 100
> 
>  #include <ldns/dnssec.h>
>  #include <ldns/host2str.h>
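Review bot: the `+#define LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS 100` line changes a constant in the installed public header ldns/dnssec_verify.h, so the new value only reaches code that is recompiled against it; an already-built libldns keeps the old limit, and drill and the library have to be rebuilt (or upgraded) together for the change to take effect, which is exactly the mismatched-package symptom reported at the top of this thread. A comment on the #define stating what the value bounds (the number of DNSKEY/DS records that may validate one node of the trust tree) and why 100 was picked would help the next person who hits a zone with many KSKs.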
> willem at makaak:~/repos/ldns$ drill/drill -t @185.49.141.38 -k /usr/share/dns/root.key -S hopsa.zones.cat
> ;; Number of trusted keys: 1
> ;; Chasing: hopsa.zones.cat. A
> 
> 
> DNSSEC Trust tree:
> hopsa.zones.cat. (A)
> |---hopsa.zones.cat. (DNSKEY keytag: 3865 alg: 8 flags: 256)
> |   |---hopsa.zones.cat. (DNSKEY keytag: 3371 alg: 8 flags: 257)
> |   |---hopsa.zones.cat. (DNSKEY keytag: 4307 alg: 8 flags: 257)
> |   |---hopsa.zones.cat. (DNSKEY keytag: 4709 alg: 8 flags: 257)
> |   |---hopsa.zones.cat. (DNSKEY keytag: 5060 alg: 8 flags: 257)
> |   |---hopsa.zones.cat. (DNSKEY keytag: 6382 alg: 8 flags: 257)
> |   |---hopsa.zones.cat. (DNSKEY keytag: 6475 alg: 8 flags: 257)
> |   |---hopsa.zones.cat. (DNSKEY keytag: 6632 alg: 8 flags: 257)
> |   |---hopsa.zones.cat. (DNSKEY keytag: 6704 alg: 8 flags: 257)
> |   |---hopsa.zones.cat. (DNSKEY keytag: 7456 alg: 8 flags: 257)
> |   |---hopsa.zones.cat. (DNSKEY keytag: 8584 alg: 8 flags: 257)
> |   |---hopsa.zones.cat. (DNSKEY keytag: 9185 alg: 8 flags: 257)
> |   |---hopsa.zones.cat. (DNSKEY keytag: 11270 alg: 8 flags: 257)
> |   |---hopsa.zones.cat. (DNSKEY keytag: 12985 alg: 8 flags: 257)
> |   |---hopsa.zones.cat. (DNSKEY keytag: 14474 alg: 8 flags: 257)
> |   |---hopsa.zones.cat. (DNSKEY keytag: 15146 alg: 8 flags: 257)
> |   |---hopsa.zones.cat. (DNSKEY keytag: 15211 alg: 8 flags: 257)
> |   |---hopsa.zones.cat. (DNSKEY keytag: 16486 alg: 8 flags: 257)
> |   |---hopsa.zones.cat. (DNSKEY keytag: 20380 alg: 8 flags: 257)
> |   |---hopsa.zones.cat. (DNSKEY keytag: 21245 alg: 8 flags: 257)
> |   |---hopsa.zones.cat. (DNSKEY keytag: 22685 alg: 8 flags: 257)
> |   |---hopsa.zones.cat. (DNSKEY keytag: 23489 alg: 8 flags: 257)
> |   |---hopsa.zones.cat. (DNSKEY keytag: 24961 alg: 8 flags: 257)
> |   |---hopsa.zones.cat. (DNSKEY keytag: 30002 alg: 8 flags: 257)
> |   |---hopsa.zones.cat. (DNSKEY keytag: 32137 alg: 8 flags: 257)
> |   |---hopsa.zones.cat. (DNSKEY keytag: 33637 alg: 8 flags: 257)
> |   |---hopsa.zones.cat. (DNSKEY keytag: 33962 alg: 8 flags: 257)
> |   |---hopsa.zones.cat. (DNSKEY keytag: 34024 alg: 8 flags: 257)
> |   |---hopsa.zones.cat. (DNSKEY keytag: 37637 alg: 8 flags: 257)
> |   |---hopsa.zones.cat. (DNSKEY keytag: 38086 alg: 8 flags: 257)
> |   |---hopsa.zones.cat. (DNSKEY keytag: 38752 alg: 8 flags: 257)
> |   |---hopsa.zones.cat. (DNSKEY keytag: 39014 alg: 8 flags: 257)
> |   |---hopsa.zones.cat. (DNSKEY keytag: 42055 alg: 8 flags: 257)
> |   |---hopsa.zones.cat. (DNSKEY keytag: 42605 alg: 8 flags: 257)
> |   |---hopsa.zones.cat. (DNSKEY keytag: 42949 alg: 8 flags: 257)
> |   |---hopsa.zones.cat. (DNSKEY keytag: 43439 alg: 8 flags: 257)
> |   |---hopsa.zones.cat. (DNSKEY keytag: 44990 alg: 8 flags: 257)
> |   |---hopsa.zones.cat. (DNSKEY keytag: 45224 alg: 8 flags: 257)
> |   |---hopsa.zones.cat. (DNSKEY keytag: 46444 alg: 8 flags: 257)
> |   |---hopsa.zones.cat. (DNSKEY keytag: 48391 alg: 8 flags: 257)
> |   |---hopsa.zones.cat. (DNSKEY keytag: 49396 alg: 8 flags: 257)
> |   |---hopsa.zones.cat. (DNSKEY keytag: 49466 alg: 8 flags: 257)
> |   |---hopsa.zones.cat. (DNSKEY keytag: 55204 alg: 8 flags: 257)
> |   |---hopsa.zones.cat. (DNSKEY keytag: 56222 alg: 8 flags: 257)
> |   |---hopsa.zones.cat. (DNSKEY keytag: 58654 alg: 8 flags: 257)
> |   |---hopsa.zones.cat. (DNSKEY keytag: 59984 alg: 8 flags: 257)
> |   |---hopsa.zones.cat. (DNSKEY keytag: 61472 alg: 8 flags: 257)
> |   |---hopsa.zones.cat. (DNSKEY keytag: 62165 alg: 8 flags: 257)
> |   |---hopsa.zones.cat. (DNSKEY keytag: 64060 alg: 8 flags: 257)
> |   |---hopsa.zones.cat. (DNSKEY keytag: 64166 alg: 8 flags: 257)
> |   |---hopsa.zones.cat. (DNSKEY keytag: 64514 alg: 8 flags: 257)
> |   |---hopsa.zones.cat. (DS keytag: 56222 digest type: 2)
> |       |---zones.cat. (DNSKEY keytag: 37318 alg: 14 flags: 257)
> |           |---zones.cat. (DS keytag: 37318 digest type: 2)
> |               |---cat. (DNSKEY keytag: 34497 alg: 10 flags: 256)
> |                   |---cat. (DNSKEY keytag: 58737 alg: 10 flags: 257)
> |                   |---cat. (DS keytag: 58737 digest type: 2)
> |                       |---. (DNSKEY keytag: 14631 alg: 8 flags: 256)
> |                           |---. (DNSKEY keytag: 20326 alg: 8 flags: 257)
> |---hopsa.zones.cat. (DNSKEY keytag: 3993 alg: 8 flags: 256)
>     |---hopsa.zones.cat. (DNSKEY keytag: 3371 alg: 8 flags: 257)
>     |---hopsa.zones.cat. (DNSKEY keytag: 4307 alg: 8 flags: 257)
>     |---hopsa.zones.cat. (DNSKEY keytag: 4709 alg: 8 flags: 257)
>     |---hopsa.zones.cat. (DNSKEY keytag: 5060 alg: 8 flags: 257)
>     |---hopsa.zones.cat. (DNSKEY keytag: 6382 alg: 8 flags: 257)
>     |---hopsa.zones.cat. (DNSKEY keytag: 6475 alg: 8 flags: 257)
>     |---hopsa.zones.cat. (DNSKEY keytag: 6632 alg: 8 flags: 257)
>     |---hopsa.zones.cat. (DNSKEY keytag: 6704 alg: 8 flags: 257)
>     |---hopsa.zones.cat. (DNSKEY keytag: 7456 alg: 8 flags: 257)
>     |---hopsa.zones.cat. (DNSKEY keytag: 8584 alg: 8 flags: 257)
>     |---hopsa.zones.cat. (DNSKEY keytag: 9185 alg: 8 flags: 257)
>     |---hopsa.zones.cat. (DNSKEY keytag: 11270 alg: 8 flags: 257)
>     |---hopsa.zones.cat. (DNSKEY keytag: 12985 alg: 8 flags: 257)
>     |---hopsa.zones.cat. (DNSKEY keytag: 14474 alg: 8 flags: 257)
>     |---hopsa.zones.cat. (DNSKEY keytag: 15146 alg: 8 flags: 257)
>     |---hopsa.zones.cat. (DNSKEY keytag: 15211 alg: 8 flags: 257)
>     |---hopsa.zones.cat. (DNSKEY keytag: 16486 alg: 8 flags: 257)
>     |---hopsa.zones.cat. (DNSKEY keytag: 20380 alg: 8 flags: 257)
>     |---hopsa.zones.cat. (DNSKEY keytag: 21245 alg: 8 flags: 257)
>     |---hopsa.zones.cat. (DNSKEY keytag: 22685 alg: 8 flags: 257)
>     |---hopsa.zones.cat. (DNSKEY keytag: 23489 alg: 8 flags: 257)
>     |---hopsa.zones.cat. (DNSKEY keytag: 24961 alg: 8 flags: 257)
>     |---hopsa.zones.cat. (DNSKEY keytag: 30002 alg: 8 flags: 257)
>     |---hopsa.zones.cat. (DNSKEY keytag: 32137 alg: 8 flags: 257)
>     |---hopsa.zones.cat. (DNSKEY keytag: 33637 alg: 8 flags: 257)
>     |---hopsa.zones.cat. (DNSKEY keytag: 33962 alg: 8 flags: 257)
>     |---hopsa.zones.cat. (DNSKEY keytag: 34024 alg: 8 flags: 257)
>     |---hopsa.zones.cat. (DNSKEY keytag: 37637 alg: 8 flags: 257)
>     |---hopsa.zones.cat. (DNSKEY keytag: 38086 alg: 8 flags: 257)
>     |---hopsa.zones.cat. (DNSKEY keytag: 38752 alg: 8 flags: 257)
>     |---hopsa.zones.cat. (DNSKEY keytag: 39014 alg: 8 flags: 257)
>     |---hopsa.zones.cat. (DNSKEY keytag: 42055 alg: 8 flags: 257)
>     |---hopsa.zones.cat. (DNSKEY keytag: 42605 alg: 8 flags: 257)
>     |---hopsa.zones.cat. (DNSKEY keytag: 42949 alg: 8 flags: 257)
>     |---hopsa.zones.cat. (DNSKEY keytag: 43439 alg: 8 flags: 257)
>     |---hopsa.zones.cat. (DNSKEY keytag: 44990 alg: 8 flags: 257)
>     |---hopsa.zones.cat. (DNSKEY keytag: 45224 alg: 8 flags: 257)
>     |---hopsa.zones.cat. (DNSKEY keytag: 46444 alg: 8 flags: 257)
>     |---hopsa.zones.cat. (DNSKEY keytag: 48391 alg: 8 flags: 257)
>     |---hopsa.zones.cat. (DNSKEY keytag: 49396 alg: 8 flags: 257)
>     |---hopsa.zones.cat. (DNSKEY keytag: 49466 alg: 8 flags: 257)
>     |---hopsa.zones.cat. (DNSKEY keytag: 55204 alg: 8 flags: 257)
>     |---hopsa.zones.cat. (DNSKEY keytag: 56222 alg: 8 flags: 257)
>     |---hopsa.zones.cat. (DNSKEY keytag: 58654 alg: 8 flags: 257)
>     |---hopsa.zones.cat. (DNSKEY keytag: 59984 alg: 8 flags: 257)
>     |---hopsa.zones.cat. (DNSKEY keytag: 61472 alg: 8 flags: 257)
>     |---hopsa.zones.cat. (DNSKEY keytag: 62165 alg: 8 flags: 257)
>     |---hopsa.zones.cat. (DNSKEY keytag: 64060 alg: 8 flags: 257)
>     |---hopsa.zones.cat. (DNSKEY keytag: 64166 alg: 8 flags: 257)
>     |---hopsa.zones.cat. (DNSKEY keytag: 64514 alg: 8 flags: 257)
>     |---hopsa.zones.cat. (DS keytag: 56222 digest type: 2)
>         |---zones.cat. (DNSKEY keytag: 37318 alg: 14 flags: 257)
>             |---zones.cat. (DS keytag: 37318 digest type: 2)
>                 |---cat. (DNSKEY keytag: 34497 alg: 10 flags: 256)
>                     |---cat. (DNSKEY keytag: 58737 alg: 10 flags: 257)
>                     |---cat. (DS keytag: 58737 digest type: 2)
>                         |---. (DNSKEY keytag: 14631 alg: 8 flags: 256)
>                             |---. (DNSKEY keytag: 20326 alg: 8 flags: 257)
> ;; Chase successful
> 
> 
> On 02-06-2021 at 13:57, Klaus Darilion via ldns-users wrote:
> > Hello!
> >
> > One of my test zones has 50+ KSKs. I usually check my zones with drill
> > but this time it fails (see below). Unbound/Bind can validate the
> > domain. Hence I suspect some artificial limit in drill. Using grep I
> > found LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS which I increased from 10 to
> > 100, but still the same error.
> >
> > Is my suspicion correct? Where can I increase the limit?
> >
> > Thanks
> > Klaus
> >
> > # drill -t -c /etc/bind/zones/rcode0-zones/dnssec-monitoring/resolv.conf.drill -k /etc/bind/root-dnskey -S 30.kskrollover-test.rc0-monitoring.dnssec-signiert.at
> > ;; Number of trusted keys: 2
> > ;; Chasing: 30.kskrollover-test.rc0-monitoring.dnssec-signiert.at. A
> >
> >
> > DNSSEC Trust tree:
> > 30.kskrollover-test.rc0-monitoring.dnssec-signiert.at. (A)
> > |---kskrollover-test.rc0-monitoring.dnssec-signiert.at. (DNSKEY keytag: 16794 alg: 8 flags: 256)
> >     |---kskrollover-test.rc0-monitoring.dnssec-signiert.at. (DNSKEY keytag: 10351 alg: 8 flags: 257)
> >     |---kskrollover-test.rc0-monitoring.dnssec-signiert.at. (DNSKEY keytag: 4510 alg: 8 flags: 257)
> >     |---kskrollover-test.rc0-monitoring.dnssec-signiert.at. (DNSKEY keytag: 787 alg: 8 flags: 257)
> >     |---kskrollover-test.rc0-monitoring.dnssec-signiert.at. (DNSKEY keytag: 30724 alg: 8 flags: 257)
> >     |---kskrollover-test.rc0-monitoring.dnssec-signiert.at. (DNSKEY keytag: 40714 alg: 8 flags: 257)
> >     |---kskrollover-test.rc0-monitoring.dnssec-signiert.at. (DNSKEY keytag: 50392 alg: 8 flags: 257)
> >     |---kskrollover-test.rc0-monitoring.dnssec-signiert.at. (DNSKEY keytag: 35404 alg: 8 flags: 257)
> >     |---kskrollover-test.rc0-monitoring.dnssec-signiert.at. (DNSKEY keytag: 17569 alg: 8 flags: 257)
> >     |---kskrollover-test.rc0-monitoring.dnssec-signiert.at. (DNSKEY keytag: 52444 alg: 8 flags: 257)
> >     |---kskrollover-test.rc0-monitoring.dnssec-signiert.at. (DNSKEY keytag: 47716 alg: 8 flags: 257)
> > No trusted keys found in tree: first error was: No DNSSEC public key(s)
> > ;; Chase failed.
> > _______________________________________________
> > ldns-users mailing list
> > ldns-users at lists.nlnetlabs.nl
> > https://lists.nlnetlabs.nl/mailman/listinfo/ldns-users
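The failed chase in the quoted thread comes down to ldns's per-node cap on validating records (LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS). The script below is an added example, not code from the thread or from the ldns project: it parses the "DNSSEC Trust tree" format that drill -S prints and reports nodes whose drawn children have reached that cap, which is the first thing to check before suspecting a real DNSSEC problem. The sample tree and the example.test names are constructed assumptions.

```python
# Count the records drawn directly under each node of a drill -S trust tree.
# ldns keeps those validating DNSKEY/DS records as the node's "parents",
# capped at LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS (10 in ldns/dnssec_verify.h);
# records beyond the cap are dropped, so a node sitting at the cap is the
# thing to look at when a chase ends in "No trusted keys found in tree".

MAX_PARENTS_DEFAULT = 10  # ldns default; raise to match a patched build

# Constructed sample (assumed names) in drill's output format: one ZSK
# validated by 11 KSKs plus a DS, i.e. more records than the default cap.
SAMPLE_TREE = "\n".join(
    ["example.test. (A)",
     "|---example.test. (DNSKEY keytag: 16794 alg: 8 flags: 256)"]
    + ["|   |---example.test. (DNSKEY keytag: %d alg: 8 flags: 257)" % (1000 + i)
       for i in range(11)]
    + ["|   |---example.test. (DS keytag: 1000 digest type: 2)",
       "|       |---test. (DNSKEY keytag: 4242 alg: 13 flags: 257)"]
)


def _depth(line):
    """Nesting depth from the column of the '|---' marker (4 columns/level)."""
    col = line.find("|---")
    return 0 if col < 0 else col // 4 + 1


def parent_counts(tree_text):
    """Map each node label to the number of records drawn directly under it."""
    counts = {}
    stack = []  # (depth, label) of the ancestors of the current line
    for line in tree_text.splitlines():
        if not line.strip() or not line.endswith(")"):
            continue  # keep only node lines; skip ';;' status and blank lines
        depth = _depth(line)
        label = line[line.find("|---") + 4:] if depth else line
        while stack and stack[-1][0] >= depth:
            stack.pop()  # climb back up to this line's parent node
        if stack:
            counts[stack[-1][1]] = counts.get(stack[-1][1], 0) + 1
        stack.append((depth, label))
        counts.setdefault(label, 0)
    return counts


def nodes_at_cap(tree_text, max_parents=MAX_PARENTS_DEFAULT):
    """Nodes whose validating-record count has reached the ldns cap."""
    return [(n, c) for n, c in parent_counts(tree_text).items() if c >= max_parents]


if __name__ == "__main__":
    for node, n in nodes_at_cap(SAMPLE_TREE):
        print("%s: %d validating records (cap %d)" % (node, n, MAX_PARENTS_DEFAULT))
```

Feed it the tree section of a real drill -S run (joining any lines the mail client wrapped) and pass max_parents matching the value your libldns was built with.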

