From: Simon Kelley
To: Toke Høiland-Jørgensen
Cc: cerowrt-devel@lists.bufferbloat.net
Date: Thu, 06 Feb 2014 14:40:46 +0000
Subject: Re: [Cerowrt-devel] Fwd: [Dnsmasq-discuss] Testers wanted: DNSSEC.
Message-ID: <52F39EEE.5010206@thekelleys.org.uk>
In-Reply-To: <87bnykmk6e.fsf@toke.dk>

On 06/02/14 13:42, Toke Høiland-Jørgensen wrote:
> Simon Kelley writes:
>
>> Otherwise, just the usual stuff, crashes, infinite loops, wrong
>> answers. "internal error" log entries.
>
> Right, another data point: got an invalid signature:
>
> dnsmasq[21893]: query[A] www.tcpdump.org from 127.0.0.1
> dnsmasq[21893]: forwarded www.tcpdump.org to 127.0.0.1
> dnsmasq[21893]: validation result is BOGUS
> dnsmasq[21893]: reply www.tcpdump.org is 69.4.231.52
> dnsmasq[21893]: reply www.tcpdump.org is 132.213.238.6
>
> Seems to be correct, though:
>
> $ dig +trace +dnssec +sigchase www.tcpdump.org
> ...snip...
>
> ;; WE HAVE MATERIAL, WE NOW DO VALIDATION
> ;; VERIFYING A RRset for www.tcpdump.org. with DNSKEY:20163: RRSIG has expired
> ;; No DNSKEY is valid to check the RRSIG of the RRset: FAILED
>
> Turning on dnssec-debug also "helps":
>
> $ host www.tcpdump.org
> www.tcpdump.org has address 69.4.231.52
> www.tcpdump.org has address 132.213.238.6
> www.tcpdump.org has RRSIG record A 5 3 60 20131226232352 20131126222352 20163 tcpdump.org.
                                            ^^^^^^^^^^^^^^
> iyzWHZ5I6wkK6uZrmNg22SZnP2JKHN1LSE9Vo+PE3J1tbA9cPcVlas3v
> O8PtAGjzjP/TnGRaBSbni+Bwr6GJMRT1+S1Fw1aBCeTyioRmDPP0WS48
> K6WULn5Mf35KNqzpHb+1YcvP2MeSp5oMVv3uFUjONlt7RqPHVTgfnR1L zy8=
> www.tcpdump.org has IPv6 address 2607:f0d0:3001:62:1::52
> www.tcpdump.org has IPv6 address 2001:4830:116e:2::6
> www.tcpdump.org has RRSIG record AAAA 5 3 60 20131226232352 20131126222352 20163 tcpdump.org.
                                               ^^^^^^^^^^^^^^
> L71XIeQLyVmZf4eXbBvefojm8qYhc/xAXR3S28pKBdeUgXl1DfePO8Il
> lUZhAXowKAw8H1529AglgW8HGAiJGwzoVefYz+GnZCg2N6AWoYM4gxve
> XwPtCDx51FAKkINkMX1XGqUIIX6Bq26RPcth0JSVCA+Fy+29ZxeitN36 sBk=
>

In case it's not obvious, yes, the sig(s) have expired.

Cheers,

Simon.

>
> -Toke
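
The validity-window test behind the "RRSIG has expired" result in the message above, as an added example that is not part of the original message and is not dnsmasq's code. It follows the RRSIG presentation format and 32-bit serial-number time comparison of RFC 4034; the function names are hypothetical, and the sample RDATA is the field values from the quoted host output with the signature omitted.

```python
import calendar
import time

def to_epoch(field):
    """RRSIG time field: YYYYMMDDHHmmSS (14 digits) or decimal epoch seconds."""
    if len(field) == 14 and field.isdigit():
        return calendar.timegm(time.strptime(field, "%Y%m%d%H%M%S"))
    return int(field)

def serial_lt(a, b):
    """True if a precedes b in 32-bit serial number arithmetic (RFC 1982)."""
    return a != b and ((b - a) & 0xFFFFFFFF) < 0x80000000

def parse_rrsig(rdata):
    """Parse RRSIG RDATA in presentation order; the signature may be absent."""
    f = rdata.split()
    if len(f) < 8:
        raise ValueError("need at least 8 RRSIG fields, got %d" % len(f))
    return {
        "type_covered": f[0], "algorithm": int(f[1]), "labels": int(f[2]),
        "original_ttl": int(f[3]),
        "expiration": to_epoch(f[4]) & 0xFFFFFFFF,
        "inception": to_epoch(f[5]) & 0xFFFFFFFF,
        "key_tag": int(f[6]), "signer": f[7],
    }

def window_status(rrsig, now):
    """Classify 'now' (epoch seconds) against the signature validity window."""
    now32 = int(now) & 0xFFFFFFFF
    if serial_lt(now32, rrsig["inception"]):
        return "not-yet-valid"
    if serial_lt(rrsig["expiration"], now32):
        return "expired"
    return "valid"

# RDATA fields copied from the host output quoted above, signature omitted.
SAMPLES = {
    "A": "A 5 3 60 20131226232352 20131126222352 20163 tcpdump.org.",
    "AAAA": "AAAA 5 3 60 20131226232352 20131126222352 20163 tcpdump.org.",
}
# Date header of this message, 2014-02-06 14:40:46 UTC.
MESSAGE_TIME = calendar.timegm((2014, 2, 6, 14, 40, 46, 0, 0, 0))

if __name__ == "__main__":
    for rtype, rdata in SAMPLES.items():
        sig = parse_rrsig(rdata)
        print(rtype, "key", sig["key_tag"], window_status(sig, MESSAGE_TIME))
```

A validator that reports BOGUS for a zone can be triaged this way first: an expired or not-yet-valid window points at the zone operator's re-signing or at the resolver's clock, not at a forged answer.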