retrieve TLSA record also if it is not secured by DNSSEC

Elmar Stellnberger estellnb at gmail.com
Wed Feb 12 17:08:48 UTC 2020


The program works. I have not changed it since yesterday.

Am 12.02.20 um 17:46 schrieb Elmar Stellnberger:
> The tool can from now on also be downloaded from 
> https://www.elstel.org/DANE/ or https://www.elstel.org/atea/.
>
> I am looking forward to hearing about your experience with the tool. F.i. 
> it should be useful for downloading the SHA512SUMS from 
> cdimage.debian.org. Downloading various programs as well as the gpg 
> key from elstel.org is also supported.
>
>
> Am 12.02.20 um 15:53 schrieb Elmar Stellnberger:
>>   No, I am not using drill, I am using a new tool called atea (see 
>> attachment). I have not finished its development but you can already 
>> download via DANE/libunbound:
>>
>> ./atea tii https://www.elstel.org/software/SHA512SUMS
>>
>> ./atea tii https://www.elstel.com/software/SHA512SUMS
>>
>>   Yesterday the first command succeeded while the second one returned 
>> "no data". However, today the NSA is terrorizing the development of 
>> the tool and it can no longer establish an internet connection at all:
>>
>> > ./mk atea.c tii https://www.elstel.org/software/SHA512SUMS
>> error trying to connect tcp socket to address: Network is unreachable
>> error trying to connect tcp socket to address: Invalid argument
>>
>>   The exact same program worked yesterday, so it can't be a 
>> programming error, at least as far as I believe.
>>
>> Please test the tool on your own and tell me about the results!
>>
>> Elmar
>>
>>
>> Am 12.02.20 um 13:33 schrieb Wouter Wijngaards via Unbound-users:
>>> Hi Elmar,
>>>
>>> On 11/02/2020 14:51, Elmar Stellnberger via Unbound-users wrote:
>>>>    Currently libunbound returns no data if no correct RRSIG can be 
>>>> found, as is currently the case for the domain elstel.com.
>>>> Would anyone mind changing libunbound so that it returns the existing
>>>> TLSA record as insecure data?
>>> What you are using is drill.  This is not libunbound.
>>>
>>> Libunbound returns the data always, but signals security and insecurity
>>> with flags in the result structure.
>>> https://www.nlnetlabs.nl/documentation/unbound/libunbound/
>>>
>>> You seem to be talking about wanting drill's sigchase printout to print
>>> different output for output with wrong RRSIGs? Sounds like a change for
>>> the ldns package. Not sure if that is better debug output for that tool.
>>>
>>> unbound-host can also perform lookups, also of type TLSA, and print them,
>>> and DNSSEC verify them. And it prints the verification output together
>>> with the data, which may be what you want. unbound-host uses libunbound
>>> for that.
>>>
>>> $ unbound-host -v -f root.key -t TLSA _443._tcp.elstel.com
>>> _443._tcp.elstel.com has TLSA record 3 0 1 A8EDF0CACAF776ACACDFE53564C51556AD325F03A369E4C8F4622B4DC5B06865 (secure)
>>>
>>> Best regards, Wouter
>>>
>>>> $ ./drill_TLSA elstel.com
>>>> _443._tcp.elstel.com.    3600    IN    TLSA    3 0 1 a8edf0cacaf776acacdfe53564c51556ad325f03a369e4c8f4622b4dc5b06865
>>>>
>>>> $ ./dig_TLSA elstel.com
>>>> ns name: 198.41.0.4
>>>> ns name: 199.9.14.201
>>>> ns name: 192.33.4.12
>>>> ns name: 199.7.91.13
>>>> ns name: 192.203.230.10
>>>> ns name: 192.5.5.241
>>>> ns name: 192.112.36.4
>>>> ns name: 198.97.190.53
>>>> ns name: 192.36.148.17
>>>> ns name: 192.58.128.30
>>>> ns name: 193.0.14.129
>>>> ns name: 199.7.83.42
>>>> ns name: 202.12.27.33
>>>>
>>>> Launch a query to find a RRset of type TLSA for zone:
>>>> _443._tcp.elstel.com with nameservers:
>>>> .   518400 IN NS a.root-servers.net.
>>>> .   518400 IN NS b.root-servers.net.
>>>> .   518400 IN NS c.root-servers.net.
>>>> .   518400 IN NS d.root-servers.net.
>>>> .   518400 IN NS e.root-servers.net.
>>>> .   518400 IN NS f.root-servers.net.
>>>> .   518400 IN NS g.root-servers.net.
>>>> .   518400 IN NS h.root-servers.net.
>>>> .   518400 IN NS i.root-servers.net.
>>>> .   518400 IN NS j.root-servers.net.
>>>> .   518400 IN NS k.root-servers.net.
>>>> .   518400 IN NS l.root-servers.net.
>>>> .   518400 IN NS m.root-servers.net.
>>>>
>>>> no response but there is a delegation in authority section:com.
>>>>
>>>>
>>>> Launch a query to find a RRset of type DNSKEY for zone: .
>>>>
>>>> ;; DNSKEYset:
>>>> .   172800 IN DNSKEY 257 3 8
>>>> AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
>>>> +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
>>>> ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
>>>> 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
>>>> oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
>>>> RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN R1AkUTV74bU=
>>>> .   172800 IN DNSKEY 256 3 8
>>>> AwEAAeN+h0loXPKt7lFdW2zKIDkVHyJ1aYGUVE1dMNBlRH3kTn40JKcH
>>>> iPOs+fy0OFVCBwoKa1s9qZtdyP1UC0hgKoldj3oELK1yLI5MUbTMcNkW
>>>> bBMRuxRz/CgZJu3IxcmuZWZMbn4LQDMj5YeiUiuWns5vipFGWWpyPyoz
>>>> QXmenSWOK2GJOwcm7I/DyHVtVdztTvqiHqzy2aRoxwPhmEuAoYzzuNJJ
>>>> w6JNEnXaN/7l2TIciskFyPVPBFZYHnk+1ma906dfehIR190z3lh1ZESL
>>>> 2Yy3VIE2QGpRU6Px4ydH5sXxZ2wSMgqNNga4kjnfM1msBqk3EI48RvTT kuV0yb1eFuU=
>>>>
>>>>
>>>> ;; RRSIG of the DNSKEYset:
>>>> .   172800 IN RRSIG DNSKEY 8 0 172800 20200221000000 20200131000000
>>>> 20326 . a90QZixKr3vHcfbornzE7Dl/z75m1+OnTI3qdU2misnifW9xv/ja4uoq
>>>> ixo59yPLBFRYmQDZntId14xcz/sZbo6XSzhJ2EaSm5WBotq9d1K9LaSa
>>>> tD1IYLoLKPfhxVcgo0fqz6h8Cdrzb/nHeo4xn/dm+RK03Wcx8n0UPc/Q
>>>> iXiHsf6uFAjarWm3PrJi0iRhXPKxfjgqbRhJy2knmAM04ZUimN2gpSz2
>>>> Oc23CsO/JD2hAO/x8b+TgtD9D/Y4Twa1kIeVbdxHNxJOY0x9/H4UbcHv
>>>> /iFcyB4CLp18QC8ZDBJpIR1EAvCZNTQ3xkeYDiP5nIMn5z4h+eaK4hE6 VqwcfA==
>>>>
>>>>
>>>> ;; chain of trust can't be validated: FAILED
>>>>
>>>> ;; cleanandgo
>>>>
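
Added example, not part of the thread and not code from Unbound or from atea: what a DANE client should do with a TLSA answer once libunbound has handed it back together with its validation flags (Wouter's point that the data is always returned and security is signalled separately), and how a "3 0 1 <hex>" record as printed by unbound-host or drill is matched against a presented certificate. The UbResult class is a constructed stand-in for the havedata/secure/bogus fields of libunbound's struct ub_result, and the certificate bytes are constructed sample input, not a real certificate.

```python
"""
Decision logic for a DANE client, assuming the answer came from
libunbound. UbResult mirrors (as an assumption, not the real struct)
the fields of struct ub_result used here: havedata, secure, bogus,
the list of raw TLSA rdata, and why_bogus.
"""
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class UbResult:
    # Constructed stand-in for libunbound's ub_result fields.
    havedata: bool
    secure: bool
    bogus: bool
    data: List[bytes] = field(default_factory=list)  # raw TLSA rdata
    why_bogus: Optional[str] = None


@dataclass
class TLSA:
    usage: int
    selector: int
    mtype: int
    cad: bytes  # certificate association data


def tlsa_from_presentation(text: str) -> bytes:
    """Turn "3 0 1 <hex>" (unbound-host/drill output) into RFC 6698 wire rdata."""
    usage, selector, mtype, hexdata = text.split()
    return bytes([int(usage), int(selector), int(mtype)]) + bytes.fromhex(hexdata)


def parse_tlsa_rdata(rdata: bytes) -> TLSA:
    """Wire format: usage(1) selector(1) matching-type(1) cad(n)."""
    if len(rdata) < 4:
        raise ValueError("TLSA rdata too short")
    return TLSA(rdata[0], rdata[1], rdata[2], rdata[3:])


def tlsa_matches(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """Selector 0 = full cert, 1 = SubjectPublicKeyInfo.
    Matching type 0 = exact, 1 = SHA-256, 2 = SHA-512."""
    if rec.selector == 0:
        subject = cert_der
    elif rec.selector == 1:
        subject = spki_der
    else:
        return False  # unknown selector: cannot match
    if rec.mtype == 0:
        return subject == rec.cad
    if rec.mtype == 1:
        return hashlib.sha256(subject).digest() == rec.cad
    if rec.mtype == 2:
        return hashlib.sha512(subject).digest() == rec.cad
    return False


def dane_decision(res: UbResult, cert_der: bytes, spki_der: bytes) -> str:
    """Return "bogus", "no-dane", "dane-ok" or "dane-fail".
    "no-dane" is the insecure case Elmar asked about: the record may be
    present, but without DNSSEC it must not be used to pin the certificate,
    so the client falls back to ordinary PKIX validation. Only usage 3
    (DANE-EE, as in the elstel.com record) is handled here."""
    if res.bogus:
        return "bogus"  # validation failed: hard fail, do not connect
    if not res.secure or not res.havedata:
        return "no-dane"  # data unusable for DANE
    for rdata in res.data:
        rec = parse_tlsa_rdata(rdata)
        if rec.usage != 3:
            continue
        if tlsa_matches(rec, cert_der, spki_der):
            return "dane-ok"
    return "dane-fail"  # secure TLSA set, but nothing matched


# Constructed sample input: not real DER, just bytes to hash.
SAMPLE_CERT = b"-- constructed bytes standing in for a leaf certificate --"
SAMPLE_SPKI = b"-- constructed bytes standing in for its SubjectPublicKeyInfo --"


def sample_tlsa_presentation() -> str:
    """A "3 0 1 <hex>" record derived from SAMPLE_CERT, like the thread's."""
    return "3 0 1 " + hashlib.sha256(SAMPLE_CERT).hexdigest()


def demo() -> dict:
    rdata = tlsa_from_presentation(sample_tlsa_presentation())
    return {
        "secure": dane_decision(UbResult(True, True, False, [rdata]), SAMPLE_CERT, SAMPLE_SPKI),
        "insecure": dane_decision(UbResult(True, False, False, [rdata]), SAMPLE_CERT, SAMPLE_SPKI),
        "bogus": dane_decision(UbResult(False, False, True, [], "signature expired"), SAMPLE_CERT, SAMPLE_SPKI),
        "mismatch": dane_decision(UbResult(True, True, False, [rdata]), b"some other cert", SAMPLE_SPKI),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The four cases in demo() are the ones a client has to distinguish: a secure, matching record pins the certificate; an insecure answer (the elstel.com situation when its RRSIG could not be validated) carries the same rdata but is ignored for DANE; a bogus answer is a hard failure; and a secure set with no matching record is also a failure, not a fallback.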

