Unusual behavior of drill -S
T.Suzuki
tss at reflection.co.jp
Sun Sep 19 18:52:57 UTC 2021
Hi.
Currently, drill -S often fails to track signatures.
It is back to normal with 1.1.1.1.
It is the anomaly persists with 8.8.8.8 and 9.9.9.9 now.
What is it?
% drill -t -k /usr/local/etc/unbound/root.key -S . soa @8.8.8.8
;; Number of trusted keys: 1
;; Chasing: . SOA
DNSSEC Trust tree:
. (SOA)
|---. (DNSKEY keytag: 26838 alg: 8 flags: 256)
|---Bogus DNSSEC signature:
. 62190 IN RRSIG DNSKEY 8 0 172800 20210930000000 20210909000000 20326 . GIveMHf2/xg4SncDbJbRelG4iYJLRF5SuIaJTb0BajdPCA+1KYJRcpbYWERDNgmo9hralc+z0+wLVL+CXkAUW1RuIboqDeHedtI2Kn9NdIIPRKy1r/QQJMieKL2m+ZpSlzC/YuJUInhmiNxIrO+bfQAcnlOAdhVsGOeON7iVielAm95MuQJNX9ySPMSVAiFFkMCSMo+x7YNEB7x3xUl3MqXfMoWakj6ZguISAeVj6IHzwBQU7h5jEtDF4STYcPayZcKzoZ4jyY91U03OP0dry51krrXyQyCvlYJ3kycshl+6xvXLAp/OZyL2EDX9u0bvf0x1wauIoqtBSAdDHZb4Bg==
For RRset:
. 78934 IN DNSKEY 256 3 8 AwEAAY+oUaY0b7Z45vRD1ef/GykZqgHJtfdzRcnQNvGVQAqlH22QChtG+n1EMugw7T/6uDBAGlRIkXASdtHXhxStb9lPpyQe5/JIuMIlg+NhxKxEJ5e3J9SSPCavvDhH/BPrBCJwn8b68QAWRjVW6Rgdx63pUm7lfsimiWGMfplHNvcZWgVbKA9OI2o2lU8rT8n7zuwtlZPNpDLSI5GzrJgIiKR2Id16fmAgTJBOw14Xye/t4/BxTdxeMiiVFwA4KUV2VeqspHKSHFOz+lUIIqBRknEmYpSvnxnyi0n1n4tGnGP8z6ZwRACi1Rw0nCu7BGOU9M6LpInRoW/W4KXLODr6xqU= ;{id = 14748 (zsk), size = 2048b}
. 78934 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b}
. 78934 IN DNSKEY 256 3 8 AwEAAbDEyqdwu2fqAwinPCFwALUCWfYYaLrNhnOrMxDorLBYMipEE1btlK1XnigTRMeb0YQ8/LCopb3CN73hYDhCHFsNk+GtukBB+gWLcg+2FZXbhLXIheQm8x2VfOHy2yYQG+18wjx3HY9Mj/ZEhXbZNrDMvpFKKVihWXa0/cHNg4ZcIHD9KkMlKzK+my1K/vz8fq5cFCFOu7wgM+kKbOikdcRBm7Uf/wRXZItFg2uhUijUb56gEN8uCUgmuEw6wQ5ZBuR7UT/FLyyAUeAH87oxF4im2DXK6J+JA7IAs2UHJ16uTqvdserUU8NIosislaXIZCvz+NTDb3SJcxs6bvCikeU= ;{id = 26838 (zsk), size = 2048b}
With key:
. 78934 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b}
|---. (DNSKEY keytag: 20326 alg: 8 flags: 257)
No trusted keys found in tree: first error was: Bogus DNSSEC signature
;; Chase failed.
% cat /usr/local/etc/unbound/root.key
; autotrust trust anchor file
;;id: . 1
;;last_queried: 1632066715 ;;Mon Sep 20 00:51:55 2021
;;last_success: 1632066715 ;;Mon Sep 20 00:51:55 2021
;;next_probe_time: 1632107082 ;;Mon Sep 20 12:04:42 2021
;;query_failed: 0
;;query_interval: 43200
;;retry_time: 8640
. 86400 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b} ;;state=2 [ VALID ] ;;count=0 ;;lastchange=1579485351 ;;Mon Jan 20 10:55:51 2020
--
------------------------------------------------------------------------------
T.Suzuki
More information about the Unbound-users
mailing list