retrieve TLSA record also if it is not secured by DNSSEC

Elmar Stellnberger estellnb at gmail.com
Wed Feb 12 16:46:16 UTC 2020


The tool can from now on also be downloaded from 
https://www.elstel.org/DANE/ or https://www.elstel.org/atea/.

I am looking forward to hearing about your experience with the tool. F.i. it 
should be useful to download the SHA512SUMS from cdimage.debian.org. 
Downloading various programs as well as the gpg key from elstel.org is 
also supported.


Am 12.02.20 um 15:53 schrieb Elmar Stellnberger:
>   No, I am not using drill, I am using a new tool called atea (see 
> attachment). I have not finished its development but you can already 
> download via DANE/libunbound:
>
> ./atea tii https://www.elstel.org/software/SHA512SUMS
>
> ./atea tii https://www.elstel.com/software/SHA512SUMS
>
>   Yesterday the first command succeeded while the second one returned 
> "no data". However today the NSA is terrorizing the development of the 
> tool and it can no longer establish an internet connection at all:
>
> > ./mk atea.c tii https://www.elstel.org/software/SHA512SUMS
> error trying to connect tcp socket to address: Network is unreachable
> error trying to connect tcp socket to address: Invalid argument
>
>   The exact same program worked yesterday, so it can't be a 
> programming error, at least to my belief.
>
> Please test the tool on your own and tell me about the results!
>
> Elmar
>
>
> Am 12.02.20 um 13:33 schrieb Wouter Wijngaards via Unbound-users:
>> Hi Elmar,
>>
>> On 11/02/2020 14:51, Elmar Stellnberger via Unbound-users wrote:
>>>    Currently libunbound returns no data if no correct RRSIG can be 
>>> found
>>> as is currently the case for the domain elstel.com.
>>> Would anyone mind changing libunbound so that it returns the existing
>>> TLSA record as insecure data?
>> What you are using is drill.  This is not libunbound.
>>
>> Libunbound returns the data always, but signals security and insecurity
>> with flags in the result structure.
>> https://www.nlnetlabs.nl/documentation/unbound/libunbound/
>>
>> You seem to be talking about wanting drill's sigchase printout to print
>> different output for output with wrong RRSIGs?  Sounds like a change for
>> the ldns package.  Not sure if that is better debug output for that 
>> tool.
>>
>> unbound-host can also perform lookups, also of type TLSA and print them,
>> and DNSSEC verify them.  And prints the verification output together
>> with the data, which may be what you want.  unbound-host uses libunbound
>> for that.
>>
>> $ unbound-host -v -f root.key -t TLSA _443._tcp.elstel.com
>> _443._tcp.elstel.com has TLSA record 3 0 1 A8EDF0CACAF776ACACDFE53564C51556AD325F03A369E4C8F4622B4DC5B06865 (secure)
>>
>> Best regards, Wouter
>>
>>> $ ./drill_TLSA elstel.com
>>> _443._tcp.elstel.com.    3600    IN    TLSA    3 0 1 
>>> a8edf0cacaf776acacdfe53564c51556ad325f03a369e4c8f4622b4dc5b06865
>>>
>>> $ ./dig_TLSA elstel.com
>>> ns name: 198.41.0.4
>>> ns name: 199.9.14.201
>>> ns name: 192.33.4.12
>>> ns name: 199.7.91.13
>>> ns name: 192.203.230.10
>>> ns name: 192.5.5.241
>>> ns name: 192.112.36.4
>>> ns name: 198.97.190.53
>>> ns name: 192.36.148.17
>>> ns name: 192.58.128.30
>>> ns name: 193.0.14.129
>>> ns name: 199.7.83.42
>>> ns name: 202.12.27.33
>>>
>>> Launch a query to find a RRset of type TLSA for zone:
>>> _443._tcp.elstel.com with nameservers:
>>> .   518400 IN NS a.root-servers.net.
>>> .   518400 IN NS b.root-servers.net.
>>> .   518400 IN NS c.root-servers.net.
>>> .   518400 IN NS d.root-servers.net.
>>> .   518400 IN NS e.root-servers.net.
>>> .   518400 IN NS f.root-servers.net.
>>> .   518400 IN NS g.root-servers.net.
>>> .   518400 IN NS h.root-servers.net.
>>> .   518400 IN NS i.root-servers.net.
>>> .   518400 IN NS j.root-servers.net.
>>> .   518400 IN NS k.root-servers.net.
>>> .   518400 IN NS l.root-servers.net.
>>> .   518400 IN NS m.root-servers.net.
>>>
>>> no response but there is a delegation in authority section:com.
>>>
>>>
>>> Launch a query to find a RRset of type DNSKEY for zone: .
>>>
>>> ;; DNSKEYset:
>>> .   172800 IN DNSKEY 257 3 8
>>> AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
>>> +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
>>> ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
>>> 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
>>> oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
>>> RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN R1AkUTV74bU=
>>> .   172800 IN DNSKEY 256 3 8
>>> AwEAAeN+h0loXPKt7lFdW2zKIDkVHyJ1aYGUVE1dMNBlRH3kTn40JKcH
>>> iPOs+fy0OFVCBwoKa1s9qZtdyP1UC0hgKoldj3oELK1yLI5MUbTMcNkW
>>> bBMRuxRz/CgZJu3IxcmuZWZMbn4LQDMj5YeiUiuWns5vipFGWWpyPyoz
>>> QXmenSWOK2GJOwcm7I/DyHVtVdztTvqiHqzy2aRoxwPhmEuAoYzzuNJJ
>>> w6JNEnXaN/7l2TIciskFyPVPBFZYHnk+1ma906dfehIR190z3lh1ZESL
>>> 2Yy3VIE2QGpRU6Px4ydH5sXxZ2wSMgqNNga4kjnfM1msBqk3EI48RvTT kuV0yb1eFuU=
>>>
>>>
>>> ;; RRSIG of the DNSKEYset:
>>> .   172800 IN RRSIG DNSKEY 8 0 172800 20200221000000 20200131000000
>>> 20326 . a90QZixKr3vHcfbornzE7Dl/z75m1+OnTI3qdU2misnifW9xv/ja4uoq
>>> ixo59yPLBFRYmQDZntId14xcz/sZbo6XSzhJ2EaSm5WBotq9d1K9LaSa
>>> tD1IYLoLKPfhxVcgo0fqz6h8Cdrzb/nHeo4xn/dm+RK03Wcx8n0UPc/Q
>>> iXiHsf6uFAjarWm3PrJi0iRhXPKxfjgqbRhJy2knmAM04ZUimN2gpSz2
>>> Oc23CsO/JD2hAO/x8b+TgtD9D/Y4Twa1kIeVbdxHNxJOY0x9/H4UbcHv
>>> /iFcyB4CLp18QC8ZDBJpIR1EAvCZNTQ3xkeYDiP5nIMn5z4h+eaK4hE6 VqwcfA==
>>>
>>>
>>> ;; chain of trust can't be validated: FAILED
>>>
>>> ;; cleanandgo
>>>
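
The point Wouter makes above, that libunbound always hands back the data and
only flags whether it validated, puts the policy decision on the client: an
insecure TLSA answer (the elstel.com case) must not be acted on, a bogus one
must fail the connection, and only a secure answer enables DANE matching.
The following is an added example of that client-side logic, not code from
this thread, from atea, or from the Unbound project. The UbResult class only
mirrors the struct ub_result fields used here (rcode, havedata, secure,
bogus, data); a real client would use the result of ub_ctx_resolve(). CERT
and SPKI are constructed placeholder byte strings, not real DER, and the
matching code is written for the general selector/matching-type space, not
only the "3 0 1" record shown in the thread.

```python
"""Added example: DANE handling of a libunbound TLSA lookup result.

Not code from the Unbound-users thread, atea, or Unbound itself. UbResult
mirrors only the struct ub_result fields used here; CERT/SPKI are
constructed placeholders so the example runs offline.
"""
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class UbResult:
    rcode: int                       # DNS RCODE, 0 = NOERROR
    havedata: bool                   # at least one RR in the answer section
    secure: bool                     # DNSSEC validation succeeded
    bogus: bool                      # signatures present but validation failed
    data: List[bytes] = field(default_factory=list)   # raw TLSA RDATA per RR


def tlsa_policy(res: UbResult) -> str:
    """What a TLSA result permits (RFC 6698 sec. 4.1, RFC 7671 sec. 4).

    bogus    -> fail the connection; a signed answer did not validate
    insecure -> name is not under DNSSEC: DANE does not apply, and the
                unauthenticated TLSA data must not be used (fall back to PKIX)
    none     -> validated NODATA/NXDOMAIN: no TLSA, plain PKIX
    dane     -> validated TLSA data is available and must be honoured
    """
    if res.bogus:
        return "bogus"
    if not res.secure:
        return "insecure"
    if res.rcode != 0 or not res.havedata:
        return "none"
    return "dane"


def rdata_from_presentation(text: str) -> bytes:
    """'3 0 1 a8ed...' -> wire RDATA (usage, selector, mtype, assoc data)."""
    usage, selector, mtype, hexdata = text.split(None, 3)
    return bytes([int(usage), int(selector), int(mtype)]) + \
        bytes.fromhex(hexdata.replace(" ", "").replace("\n", ""))


def parse_tlsa(rdata: bytes) -> Tuple[int, int, int, bytes]:
    if len(rdata) < 3:
        raise ValueError("TLSA RDATA too short")
    return rdata[0], rdata[1], rdata[2], rdata[3:]


def to_presentation(rdata: bytes) -> str:
    usage, selector, mtype, assoc = parse_tlsa(rdata)
    return f"{usage} {selector} {mtype} {assoc.hex()}"


def _subject(selector: int, cert_der: bytes, spki_der: bytes) -> bytes:
    if selector == 0:
        return cert_der              # Cert(0): full certificate
    if selector == 1:
        return spki_der              # SPKI(1): SubjectPublicKeyInfo only
    raise ValueError("unknown selector")


def _assoc(mtype: int, subject: bytes) -> bytes:
    if mtype == 0:
        return subject               # Full(0): exact bytes
    if mtype == 1:
        return hashlib.sha256(subject).digest()   # SHA2-256(1)
    if mtype == 2:
        return hashlib.sha512(subject).digest()   # SHA2-512(2)
    raise ValueError("unknown matching type")


def make_tlsa_rdata(usage: int, selector: int, mtype: int,
                    cert_der: bytes, spki_der: bytes) -> bytes:
    """Build the RDATA an operator would publish for this certificate."""
    return bytes([usage, selector, mtype]) + \
        _assoc(mtype, _subject(selector, cert_der, spki_der))


def tlsa_matches(rdata: bytes, cert_der: bytes, spki_der: bytes) -> bool:
    """Match one TLSA RR against the presented end-entity certificate."""
    _usage, selector, mtype, assoc = parse_tlsa(rdata)
    try:
        return _assoc(mtype, _subject(selector, cert_der, spki_der)) == assoc
    except ValueError:
        return False                 # unknown selector/mtype: RR is unusable


def dane_verify(res: UbResult, cert_der: bytes,
                spki_der: bytes) -> Tuple[str, Optional[bool]]:
    """Return (policy, matched); matched is None unless policy == 'dane'.

    Only usages 1 (PKIX-EE) and 3 (DANE-EE) are matched against the leaf
    here; usages 0 and 2 name a CA/trust anchor and need the whole chain,
    which this example does not model.
    """
    policy = tlsa_policy(res)
    if policy != "dane":
        return policy, None
    for rr in res.data:
        if parse_tlsa(rr)[0] in (1, 3) and tlsa_matches(rr, cert_der, spki_der):
            return policy, True
    return policy, False


# Constructed placeholders (not real DER) so the example runs offline.
CERT = b"constructed placeholder for the server's DER certificate"
SPKI = b"constructed placeholder for its SubjectPublicKeyInfo"
# The record exactly as unbound-host printed it in the thread.
THREAD_RECORD = ("3 0 1 "
                 "A8EDF0CACAF776ACACDFE53564C51556AD325F03A369E4C8F4622B4DC5B06865")

if __name__ == "__main__":
    rd = make_tlsa_rdata(3, 0, 1, CERT, SPKI)
    print(to_presentation(rd))
    print(dane_verify(UbResult(0, True, True, False, [rd]), CERT, SPKI))    # ('dane', True)
    print(dane_verify(UbResult(0, True, False, False, [rd]), CERT, SPKI))   # ('insecure', None)
    print(parse_tlsa(rdata_from_presentation(THREAD_RECORD))[:3])           # (3, 0, 1)
```

The "insecure" branch is the one the original question is about: once a
resolver returns the elstel.com record without a validated chain, a client
that matched against it anyway would be trusting an unauthenticated DNS
answer, which is exactly what DANE is meant to prevent; unbound-host's
"(secure)" / "(insecure)" / "(BOGUS)" annotation is the same flag that
tlsa_policy() reads from the result structure.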
