retrieve TLSA record also if it is not secured by DNSSEC
Elmar Stellnberger
estellnb at gmail.com
Wed Feb 12 14:53:39 UTC 2020
No, I am not using drill, I am using a new tool called atea (see
attachment). I have not finished its development but you can already
download via DANE/libunbound:
./atea tii https://www.elstel.org/software/SHA512SUMS
./atea tii https://www.elstel.com/software/SHA512SUMS
Yesterday the first command succeeded while the second one returned
"no data". However, today the NSA is terrorizing the development of the
tool and it can no longer establish an internet connection at all:
> ./mk atea.c tii https://www.elstel.org/software/SHA512SUMS
error trying to connect tcp socket to address: Network is unreachable
error trying to connect tcp socket to address: Invalid argument
The exact same program worked yesterday, so it can't be a
programming error, at least to my belief.
Please test the tool on your own and tell me about the results!
Elmar
On 12.02.20 at 13:33, Wouter Wijngaards via Unbound-users wrote:
> Hi Elmar,
>
> On 11/02/2020 14:51, Elmar Stellnberger via Unbound-users wrote:
>> Currently libunbound returns no data if no correct RRSIG can be found
>> as is currently the case for the domain elstel.com.
>> Would anyone mind changing libunbound so that it returns the existing
>> TLSA record as insecure data?
> What you are using is drill. This is not libunbound.
>
> Libunbound returns the data always, but signals security and insecurity
> with flags in the result structure.
> https://www.nlnetlabs.nl/documentation/unbound/libunbound/
>
> You seem to be talking about wanting drill's sigchase printout to print
> different output for output with wrong RRSIGs? Sounds like a change for
> the ldns package. Not sure if that is better debug output for that tool.
>
> unbound-host can also perform lookups, also of type TLSA, and print them,
> and DNSSEC verify them. And it prints the verification output together
> with the data, which may be what you want. unbound-host uses libunbound
> for that.
>
> $ unbound-host -v -f root.key -t TLSA _443._tcp.elstel.com
> _443._tcp.elstel.com has TLSA record 3 0 1
> A8EDF0CACAF776ACACDFE53564C51556AD325F03A369E4C8F4622B4DC5B06865 (secure)
>
> Best regards, Wouter
>
>> $ ./drill_TLSA elstel.com
>> _443._tcp.elstel.com. 3600 IN TLSA 3 0 1 a8edf0cacaf776acacdfe53564c51556ad325f03a369e4c8f4622b4dc5b06865
>>
>> $ ./dig_TLSA elstel.com
>> ns name: 198.41.0.4
>> ns name: 199.9.14.201
>> ns name: 192.33.4.12
>> ns name: 199.7.91.13
>> ns name: 192.203.230.10
>> ns name: 192.5.5.241
>> ns name: 192.112.36.4
>> ns name: 198.97.190.53
>> ns name: 192.36.148.17
>> ns name: 192.58.128.30
>> ns name: 193.0.14.129
>> ns name: 199.7.83.42
>> ns name: 202.12.27.33
>>
>> Launch a query to find a RRset of type TLSA for zone:
>> _443._tcp.elstel.com with nameservers:
>> . 518400 IN NS a.root-servers.net.
>> . 518400 IN NS b.root-servers.net.
>> . 518400 IN NS c.root-servers.net.
>> . 518400 IN NS d.root-servers.net.
>> . 518400 IN NS e.root-servers.net.
>> . 518400 IN NS f.root-servers.net.
>> . 518400 IN NS g.root-servers.net.
>> . 518400 IN NS h.root-servers.net.
>> . 518400 IN NS i.root-servers.net.
>> . 518400 IN NS j.root-servers.net.
>> . 518400 IN NS k.root-servers.net.
>> . 518400 IN NS l.root-servers.net.
>> . 518400 IN NS m.root-servers.net.
>>
>> no response but there is a delegation in authority section:com.
>>
>>
>> Launch a query to find a RRset of type DNSKEY for zone: .
>>
>> ;; DNSKEYset:
>> . 172800 IN DNSKEY 257 3 8
>> . 172800 IN DNSKEY 256 3 8
>>
>>
>> ;; RRSIG of the DNSKEYset:
>> . 172800 IN RRSIG DNSKEY 8 0 172800 20200221000000 20200131000000
>> 20326 . a90QZixKr3vHcfbornzE7Dl/z75m1+OnTI3qdU2misnifW9xv/ja4uoq
>>
>>
>> ;; chain of trust can't be validated: FAILED
>>
>> ;; cleanandgo
>>
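Wouter's point above is that libunbound always hands back the TLSA data and leaves the security decision to the caller via the flags in `struct ub_result`. The following C example (added here, not code from the thread, from atea or from libunbound) shows that decision plus the rdata parsing a DANE client needs; the `lookup_result` struct is a stand-in with the same member names as `ub_result` so it compiles without `unbound.h`, and the sample rdata is constructed from the elstel.com record quoted in the thread.

```c
/* Added example, not from the thread, atea or libunbound: decide whether a
 * TLSA answer may drive DANE from the flags libunbound's struct ub_result
 * returns alongside the data (havedata, secure, bogus). */
#include <stdio.h>
#include <string.h>
enum tlsa_status { TLSA_USABLE, TLSA_INSECURE, TLSA_BOGUS, TLSA_NODATA };

struct lookup_result {            /* stand-in; members named as in ub_result */
    int havedata;                 /* answer holds at least one RR */
    int secure;                   /* DNSSEC validation succeeded */
    int bogus;                    /* validation attempted and failed */
    const unsigned char *data;    /* raw rdata of the first RR */
    int len;
};

/* usage, selector, matching type, association data as upper-case hex */
struct tlsa_rr { unsigned usage, selector, mtype; char assoc_hex[129]; };

/* Parse TLSA rdata (RFC 6698 section 2.1): three one-byte fields followed
 * by the certificate association data (at most 64 bytes for SHA-512). */
int parse_tlsa(const unsigned char *rd, int len, struct tlsa_rr *out) {
    if (len < 4 || len - 3 > 64) return -1;
    out->usage = rd[0]; out->selector = rd[1]; out->mtype = rd[2];
    for (int i = 3; i < len; i++)
        snprintf(out->assoc_hex + 2 * (i - 3), 3, "%02X", rd[i]);
    return 0;
}

/* RFC 6698: TLSA data is usable for DANE only when it validated as secure.
 * libunbound returns unsigned or bogus data too, so the caller must refuse it. */
enum tlsa_status classify(const struct lookup_result *r) {
    if (r->bogus) return TLSA_BOGUS;
    if (!r->havedata) return TLSA_NODATA;
    return r->secure ? TLSA_USABLE : TLSA_INSECURE;
}

/* Constructed sample: the elstel.com "3 0 1 A8ED..." record as rdata bytes. */
static const unsigned char sample_rdata[] = { 3, 0, 1,
    0xA8,0xED,0xF0,0xCA,0xCA,0xF7,0x76,0xAC,0xAC,0xDF,0xE5,0x35,0x64,0xC5,0x15,0x56,
    0xAD,0x32,0x5F,0x03,0xA3,0x69,0xE4,0xC8,0xF4,0x62,0x2B,0x4D,0xC5,0xB0,0x68,0x65 };

int main(void) {                  /* stand-alone demo: data present, unsigned */
    struct lookup_result r = { 1, 0, 0, sample_rdata, sizeof sample_rdata };
    struct tlsa_rr rr;
    if (parse_tlsa(r.data, r.len, &rr) == 0)
        printf("TLSA %u %u %u %s -> status %d\n", rr.usage, rr.selector,
               rr.mtype, rr.assoc_hex, (int)classify(&r));
    return 0;
}
```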
-------------- next part --------------
A non-text attachment was scrubbed...
Name: atea-0.3.tar.bz2
Type: application/x-bzip
Size: 17282 bytes
Desc: not available
URL: <http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20200212/d9eb75c1/attachment-0001.bin>