retrieve TLSA record also if it is not secured by DNSSEC

Elmar Stellnberger estellnb at gmail.com
Wed Feb 12 14:53:39 UTC 2020


   No, I am not using drill, I am using a new tool called atea (see 
attachment). I have not finished its development but you can already 
download via DANE/libunbound:

./atea tii https://www.elstel.org/software/SHA512SUMS

./atea tii https://www.elstel.com/software/SHA512SUMS

   Yesterday the first command succeeded while the second one returned 
"no data". However today the NSA is terrorizing the development of the 
tool and it can no longer establish an internet connection at all:

 > ./mk atea.c tii https://www.elstel.org/software/SHA512SUMS
error trying to connect tcp socket to address: Network is unreachable
error trying to connect tcp socket to address: Invalid argument

   The exact same program worked yesterday, so it can't be a 
programming error, at least to my belief.

Please test the tool on your own and tell me about the results!

Elmar


Am 12.02.20 um 13:33 schrieb Wouter Wijngaards via Unbound-users:
> Hi Elmar,
>
> On 11/02/2020 14:51, Elmar Stellnberger via Unbound-users wrote:
>>    Currently libunbound returns no data if no correct RRSIG can be found
>> as is currently the case for the domain elstel.com.
>> Would anyone mind changing libunbound so that it returns the existing
>> TLSA record as insecure data?
> What you are using is drill.  This is not libunbound.
>
> Libunbound returns the data always, but signals security and insecurity
> with flags in the result structure.
> https://www.nlnetlabs.nl/documentation/unbound/libunbound/
>
> You seem to be talking about wanting drill's sigchase printout to print
> different output for output with wrong RRSIGs?  Sounds like a change for
> the ldns package.  Not sure if that is better debug output for that tool.
>
> unbound-host can also perform lookups, also of type TLSA and print them,
> and DNSSEC verify them.  And prints the verification output together
> with the data, which may be what you want.  unbound-host uses libunbound
> for that.
>
> $ unbound-host -v -f root.key -t TLSA _443._tcp.elstel.com
> _443._tcp.elstel.com has TLSA record 3 0 1
> A8EDF0CACAF776ACACDFE53564C51556AD325F03A369E4C8F4622B4DC5B06865 (secure)
>
> Best regards, Wouter
>
>> $ ./drill_TLSA elstel.com
>> _443._tcp.elstel.com.    3600    IN    TLSA    3 0 1 a8edf0cacaf776acacdfe53564c51556ad325f03a369e4c8f4622b4dc5b06865
>>
>> $ ./dig_TLSA elstel.com
>> ns name: 198.41.0.4
>> ns name: 199.9.14.201
>> ns name: 192.33.4.12
>> ns name: 199.7.91.13
>> ns name: 192.203.230.10
>> ns name: 192.5.5.241
>> ns name: 192.112.36.4
>> ns name: 198.97.190.53
>> ns name: 192.36.148.17
>> ns name: 192.58.128.30
>> ns name: 193.0.14.129
>> ns name: 199.7.83.42
>> ns name: 202.12.27.33
>>
>> Launch a query to find a RRset of type TLSA for zone:
>> _443._tcp.elstel.com with nameservers:
>> .   518400 IN NS a.root-servers.net.
>> .   518400 IN NS b.root-servers.net.
>> .   518400 IN NS c.root-servers.net.
>> .   518400 IN NS d.root-servers.net.
>> .   518400 IN NS e.root-servers.net.
>> .   518400 IN NS f.root-servers.net.
>> .   518400 IN NS g.root-servers.net.
>> .   518400 IN NS h.root-servers.net.
>> .   518400 IN NS i.root-servers.net.
>> .   518400 IN NS j.root-servers.net.
>> .   518400 IN NS k.root-servers.net.
>> .   518400 IN NS l.root-servers.net.
>> .   518400 IN NS m.root-servers.net.
>>
>> no response but there is a delegation in authority section:com.
>>
>>
>> Launch a query to find a RRset of type DNSKEY for zone: .
>>
>> ;; DNSKEYset:
>> .   172800 IN DNSKEY 257 3 8
>> AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
>> +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
>> ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
>> 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
>> oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
>> RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN R1AkUTV74bU=
>> .   172800 IN DNSKEY 256 3 8
>> AwEAAeN+h0loXPKt7lFdW2zKIDkVHyJ1aYGUVE1dMNBlRH3kTn40JKcH
>> iPOs+fy0OFVCBwoKa1s9qZtdyP1UC0hgKoldj3oELK1yLI5MUbTMcNkW
>> bBMRuxRz/CgZJu3IxcmuZWZMbn4LQDMj5YeiUiuWns5vipFGWWpyPyoz
>> QXmenSWOK2GJOwcm7I/DyHVtVdztTvqiHqzy2aRoxwPhmEuAoYzzuNJJ
>> w6JNEnXaN/7l2TIciskFyPVPBFZYHnk+1ma906dfehIR190z3lh1ZESL
>> 2Yy3VIE2QGpRU6Px4ydH5sXxZ2wSMgqNNga4kjnfM1msBqk3EI48RvTT kuV0yb1eFuU=
>>
>>
>> ;; RRSIG of the DNSKEYset:
>> .   172800 IN RRSIG DNSKEY 8 0 172800 20200221000000 20200131000000
>> 20326 . a90QZixKr3vHcfbornzE7Dl/z75m1+OnTI3qdU2misnifW9xv/ja4uoq
>> ixo59yPLBFRYmQDZntId14xcz/sZbo6XSzhJ2EaSm5WBotq9d1K9LaSa
>> tD1IYLoLKPfhxVcgo0fqz6h8Cdrzb/nHeo4xn/dm+RK03Wcx8n0UPc/Q
>> iXiHsf6uFAjarWm3PrJi0iRhXPKxfjgqbRhJy2knmAM04ZUimN2gpSz2
>> Oc23CsO/JD2hAO/x8b+TgtD9D/Y4Twa1kIeVbdxHNxJOY0x9/H4UbcHv
>> /iFcyB4CLp18QC8ZDBJpIR1EAvCZNTQ3xkeYDiP5nIMn5z4h+eaK4hE6 VqwcfA==
>>
>>
>> ;; chain of trust can't be validated: FAILED
>>
>> ;; cleanandgo
>>
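The flag-driven handling Wouter describes above, as an added example (my code, not the thread's and not Unbound's): libunbound returns the TLSA set in all cases and the caller reads the havedata/secure/bogus flags of the documented ub_result structure to decide what the data is worth. The program assumes those field names, a root trust-anchor file passed on the command line, and that libunbound is available only when built with -DHAVE_LIBUNBOUND; without it, the decoder and the policy run on a constructed copy of the elstel.com record quoted in the thread.

```c
/* Added example, not code from this thread or from Unbound: a DANE client's
 * view of a libunbound TLSA answer.  Assumed: the documented struct ub_result
 * fields havedata, secure, bogus, why_bogus, data[] and len[].  Build with
 * -DHAVE_LIBUNBOUND -lunbound for the live lookup; otherwise decoder and
 * policy run on a constructed record. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>
enum dane_verdict {
    DANE_NO_TLSA,         /* no records: ordinary PKIX validation */
    DANE_USE,             /* DNSSEC-secure records: usable for DANE */
    DANE_INSECURE_IGNORE, /* records exist but the zone is unsigned: unusable */
    DANE_BOGUS_FAIL,      /* validation failed: refuse the connection */
    DANE_LOOKUP_ERROR     /* resolver error: no verdict */
};

/* Decoded TLSA rdata (RFC 6698 section 2.1); assoc points into the rdata. */
struct tlsa_rr {
    uint8_t usage, selector, mtype; /* usage 0-3, selector 0-1, mtype 0 exact / 1 SHA-256 / 2 SHA-512 */
    const uint8_t *assoc;
    size_t assoc_len;
};

/* The decision the thread is about: only the flags separate the cases.  Whether
 * rdata accompanies a bogus answer depends on resolver configuration, so the
 * verdict never looks at the data. */
enum dane_verdict dane_verdict_from_flags(int havedata, int secure, int bogus)
{
    if (bogus)     return DANE_BOGUS_FAIL;
    if (!havedata) return DANE_NO_TLSA;
    if (!secure)   return DANE_INSECURE_IGNORE;
    return DANE_USE;
}

/* Parse one wire-format rdata item (result->data[i] of length result->len[i]).
 * Returns 0, or -1 if malformed or a parameter value is unknown (unusable per RFC 7671). */
int tlsa_parse(const uint8_t *rdata, size_t len, struct tlsa_rr *out)
{
    if (len < 4) return -1;  /* three parameter bytes plus at least one data byte */
    out->usage = rdata[0]; out->selector = rdata[1]; out->mtype = rdata[2];
    out->assoc = rdata + 3; out->assoc_len = len - 3;
    if (out->usage > 3 || out->selector > 1 || out->mtype > 2) return -1;
    if ((out->mtype == 1 && out->assoc_len != 32) ||  /* SHA-256 digest length */
        (out->mtype == 2 && out->assoc_len != 64)) return -1;  /* SHA-512 */
    return 0;
}

/* Compare a record with the digest the TLS client computed over the selected
 * certificate part.  Digest matching types only; mtype 0 compares raw DER. */
int tlsa_matches(const struct tlsa_rr *rr, const uint8_t *digest, size_t n)
{
    return rr->mtype != 0 && n == rr->assoc_len && memcmp(rr->assoc, digest, n) == 0;
}

#ifdef HAVE_LIBUNBOUND
#include <unbound.h>
/* Live lookup of owner (e.g. "_443._tcp.example.net"), validated against the
 * trust-anchor file root_key.  A client runs tlsa_parse over the NULL-terminated
 * res->data[] before freeing res; only the verdict is returned here. */
enum dane_verdict dane_lookup(const char *owner, const char *root_key)
{
    struct ub_ctx *ctx = ub_ctx_create();
    struct ub_result *res = NULL;
    enum dane_verdict v = DANE_LOOKUP_ERROR;
    int rc;
    if (!ctx) return v;
    if ((rc = ub_ctx_add_ta_file(ctx, root_key)) != 0 ||
        (rc = ub_resolve(ctx, owner, 52 /* TLSA */, 1 /* IN */, &res)) != 0) {
        fprintf(stderr, "libunbound: %s\n", ub_strerror(rc));
    } else {
        v = dane_verdict_from_flags(res->havedata, res->secure, res->bogus);
        if (res->bogus && res->why_bogus) fprintf(stderr, "%s\n", res->why_bogus);
        ub_resolve_free(res);
    }
    ub_ctx_delete(ctx);
    return v;
}
#endif

/* Constructed sample: wire rdata of the record quoted in the thread,
 * "TLSA 3 0 1 a8edf0ca...6865", as libunbound places it in data[0]. */
const uint8_t sample_rdata[] = {
    3, 0, 1,
    0xa8,0xed,0xf0,0xca,0xca,0xf7,0x76,0xac,0xac,0xdf,0xe5,0x35,0x64,0xc5,0x15,0x56,
    0xad,0x32,0x5f,0x03,0xa3,0x69,0xe4,0xc8,0xf4,0x62,0x2b,0x4d,0xc5,0xb0,0x68,0x65
};
int main(int argc, char **argv)
{
    struct tlsa_rr rr;
#ifdef HAVE_LIBUNBOUND
    if (argc == 3)  /* usage: ./dane_tlsa _443._tcp.example.net root.key */
        return dane_lookup(argv[1], argv[2]) == DANE_USE ? 0 : 1;
#endif
    (void)argc; (void)argv;
    /* Offline: one record under the three flag combinations; "insecure" is the
     * elstel.com case from the thread, data returned but the zone is unsigned. */
    if (tlsa_parse(sample_rdata, sizeof sample_rdata, &rr) != 0) return 1;
    printf("TLSA %d %d %d, digest matches: %d; verdict secure=%d insecure=%d bogus=%d\n",
           rr.usage, rr.selector, rr.mtype, tlsa_matches(&rr, sample_rdata + 3, 32),
           (int)dane_verdict_from_flags(1, 1, 0), (int)dane_verdict_from_flags(1, 0, 0),
           (int)dane_verdict_from_flags(1, 0, 1));
    return 0;
}
```

Built with -DHAVE_LIBUNBOUND and linked against -lunbound, `./dane_tlsa _443._tcp.example.net root.key` exits 0 only when the TLSA set is DNSSEC-secure; the "insecure" verdict is exactly the elstel.com situation in the thread, where the record comes back but is not usable for DANE, and a matching digest does not change that.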
-------------- next part --------------
A non-text attachment was scrubbed...
Name: atea-0.3.tar.bz2
Type: application/x-bzip
Size: 17282 bytes
Desc: not available
URL: <http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20200212/d9eb75c1/attachment-0001.bin>