From: Simon Kelley
To: Toke Høiland-Jørgensen
Cc: cerowrt-devel@lists.bufferbloat.net
Date: Mon, 10 Feb 2014 17:12:25 +0000
Message-ID: <52F90879.6090101@thekelleys.org.uk>
In-Reply-To: <878utinbsg.fsf@toke.dk>
Subject: Re: [Cerowrt-devel] Fwd: [Dnsmasq-discuss] Testers wanted: DNSSEC.
On 10/02/14 16:59, Toke Høiland-Jørgensen wrote:
> Simon Kelley writes:
>
>> OK. Fix (I think), in git now. Please could you test? (A byte-order problem,
>> inevitably).
>
> Yay, seems to work:
>
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: query[A] files.toke.dk from 10.42.0.7
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: forwarded files.toke.dk to 213.80.98.3
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: forwarded files.toke.dk to 213.80.98.2
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: dnssec-query[DNSKEY] toke.dk to 213.80.98.2
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: dnssec-query[DS] toke.dk to 213.80.98.2
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: dnssec-query[DNSKEY] dk to 213.80.98.2
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: dnssec-query[DS] dk to 213.80.98.2
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply dk is DS keytag 26887
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply dk is DNSKEY keytag 26887
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply dk is DNSKEY keytag 7665
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply dk is DNSKEY keytag 61294
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply dk is DNSKEY keytag 31369
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply toke.dk is DS keytag 65122
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply toke.dk is DNSKEY keytag 65122
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply toke.dk is DNSKEY keytag 22551
> Mon Feb 10 17:55:47 2014 daemon.err dnsmasq[11296]: Unexpected missing data for DNSSEC validation
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: validation result is INSECURE
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply files.toke.dk is
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply web2.tohojo.dk is 144.76.141.113
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: query[AAAA] files.toke.dk from 10.42.0.7
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: cached files.toke.dk is
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: forwarded files.toke.dk to 213.80.98.2
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: dnssec-query[DNSKEY] tohojo.dk to 213.80.98.2
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: dnssec-query[DS] tohojo.dk to 213.80.98.2
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply tohojo.dk is DS keytag 49471
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply tohojo.dk is DNSKEY keytag 49471
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply tohojo.dk is DNSKEY keytag 30141
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: validation result is SECURE
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply files.toke.dk is
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply web2.tohojo.dk is 2a01:4f8:200:3141::102
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: query[MX] files.toke.dk from 10.42.0.7
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: forwarded files.toke.dk to 213.80.98.2
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: validation result is SECURE
>
>
> Dunno why it starts out insecure (?), but seems to get to the right
> place.

I do. It's not a platform-specific problem, and requires me to go away
and do some more thinking..... Later.

Simon.

>
> Can also do sigchase:
>
> $ dig +sigchase files.toke.dk @10.42.0.8
> ...snip...
>
>
> Launch a query to find a RRset of type DS for zone: .
> ;; NO ANSWERS: no more
>
> ;; WARNING There is no DS for the zone: .
>
>
>
> ;; WE HAVE MATERIAL, WE NOW DO VALIDATION
> ;; VERIFYING DS RRset for dk. with DNSKEY:33655: success
> ;; OK We found DNSKEY (or more) to validate the RRset
> ;; Ok, find a Trusted Key in the DNSKEY RRset: 19036
> ;; VERIFYING DNSKEY RRset for . with DNSKEY:19036: success
>
> ;; Ok this DNSKEY is a Trusted Key, DNSSEC validation is ok: SUCCESS
>
>
>
> But not +trace:
>
> $ dig +trace +sigchase files.toke.dk @10.42.0.8
>
> ;<<>> DiG 9.9.2-P2<<>> +trace +sigchase files.toke.dk @10.42.0.8
> ;; global options: +cmd
> .                       86891   IN      NS      d.root-servers.net.
> .                       86891   IN      NS      l.root-servers.net.
> .                       86891   IN      NS      h.root-servers.net.
> .                       86891   IN      NS      j.root-servers.net.
> .                       86891   IN      NS      b.root-servers.net.
> .                       86891   IN      NS      m.root-servers.net.
> .                       86891   IN      NS      k.root-servers.net.
> .                       86891   IN      NS      f.root-servers.net.
> .                       86891   IN      NS      e.root-servers.net.
> .                       86891   IN      NS      g.root-servers.net.
> .                       86891   IN      NS      a.root-servers.net.
> .                       86891   IN      NS      c.root-servers.net.
> .                       86891   IN      NS      i.root-servers.net.
> .                       325955  IN      RRSIG   NS 8 0 518400 20140215000000 20140207230000 33655 . cZOSrkiewfX+HdA2covOiYL+Z8xgBoCpJm4VZq083M51CvIFBipG1/BO JYYiRzmpQJN/l6FI5RBKmDVFq/RqkVineoIYrsIZL9RRcAF+phPO+kHU YU3ckdHZroDZCu1QUPd+Kr6Y8+9GBH8wYM++0Z6tLRA+iZXbNOadfZ9o euU=
> dk.                     172800  IN      NS      l.nic.dk.
> dk.                     172800  IN      NS      p.nic.dk.
> dk.                     172800  IN      NS      s.nic.dk.
> dk.                     172800  IN      NS      b.nic.dk.
> dk.                     172800  IN      NS      c.nic.dk.
> dk.                     172800  IN      NS      a.nic.dk.
> dk.                     86400   IN      DS      26887 8 2 A1AB8546B80E438A7DFE0EC559A7088EC5AED3C4E0D26B1B60ED3735 F853DFD7
> dk.                     86400   IN      RRSIG   DS 8 1 86400 20140217000000 20140209230000 33655 . aK1OgJzktVeo2i83KdOig62wyqkxcQmbbQePi4T7zI4OhPzI5LMz9kbS W/V7bOgNBfYBjDJg4JEYIAC0esCrGPtbAsKQ7YrKiZikNAhlD/BgTvtD JQJxc+7f4xUa6Y7/9DBKmG8Du+DftF99RngT/hCgr9hZme9YkvtGaEyo CZI=
> toke.dk.                86400   IN      NS      ns2.gratisdns.dk.
> toke.dk.                86400   IN      NS      ns1.gratisdns.dk.
> toke.dk.                86400   IN      NS      ns4.gratisdns.dk.
> toke.dk.                86400   IN      NS      ns5.gratisdns.dk.
> toke.dk.                86400   IN      NS      ns3.gratisdns.dk.
> toke.dk.                86400   IN      DS      65122 5 1 A6FEBBA66365D55C97F8671688AD52883AB582A6
> toke.dk.                86400   IN      RRSIG   DS 8 2 86400 20140308183226 20140208200232 61294 dk. thrq3zR+toPNxDln/H/qWBJbjkNK8/NosI6oriQBPXzzcd6HzOdg7l67 kbmje94nwOysKIMCz/YiNjmnEfa7X0NorTZ+e3HOyTRG+NpyQoywgxvj TAFDGuu8hsussW+ohheb0efhX4/0YSamSsSBeAImPYWTdUQY10U0sXDq BCE=
> files.toke.dk.          43200   IN      CNAME   web2.tohojo.dk.
> files.toke.dk.          43200   IN      RRSIG   CNAME 5 3 43200 20140311112400 20140209112400 22551 toke.dk. ObiMhHqVUSxsje4979EzuiDoCt7z1r1Gl946gmY9ZDe7Es+7jg1l7m8/ vyVhPDRxqNxEAsTmFXF6mkwKkK60ag==
> ;; RRset to chase:
> files.toke.dk.          43200   IN      CNAME   web2.tohojo.dk.
>
>
> ;; RRSIG of the RRset to chase:
> files.toke.dk.          43200   IN      RRSIG   CNAME 5 3 43200 20140311112400 20140209112400 22551 toke.dk. ObiMhHqVUSxsje4979EzuiDoCt7z1r1Gl946gmY9ZDe7Es+7jg1l7m8/ vyVhPDRxqNxEAsTmFXF6mkwKkK60ag==
>
>
>
> Launch a query to find a RRset of type DNSKEY for zone: toke.dk.
> toke.dk.                43200   IN      DNSKEY  256 3 5 AwEAAaYKHaUARHUtPhVTEC6vTc0SR142BVj1P/wtgCjacCkGDN5wB6Cm Y0xEwUl+NuT9btz0xQmDGOMJEKunK+HpOh0=
> toke.dk.                43200   IN      DNSKEY  257 3 5 AwEAAdV59e0KX1JymujkIbzikKCEVSExW3ixJ81hiboCHSvZv+LlMxlG sWT6uJrcEOENF+fZnDcl3u0WRgd3ctv9d40=
> toke.dk.                43200   IN      RRSIG   DNSKEY 5 2 43200 20140311112400 20140209112400 22551 toke.dk. CzZARTabg0VR00Ksv0Uz+qRqRvl06fTTZHa0k17Ccg7JdrvsnZ5DgJKy dhM7j3Rb4LHfZbcoTXXABICCvSQnoQ==
> toke.dk.                43200   IN      RRSIG   DNSKEY 5 2 43200 20140311112400 20140209112400 65122 toke.dk. Q9OqTdh4s3aGn9ExkTnYwPk8j+V9cTjEjLGXD8zY5l0HewORrqJT5Ebn R0YvK/xH/2XLnueAZ/q8khlSfjhFzA==
>
> ;; DNSKEYset that signs the RRset to chase:
> toke.dk.                43200   IN      DNSKEY  256 3 5 AwEAAaYKHaUARHUtPhVTEC6vTc0SR142BVj1P/wtgCjacCkGDN5wB6Cm Y0xEwUl+NuT9btz0xQmDGOMJEKunK+HpOh0=
> toke.dk.                43200   IN      DNSKEY  257 3 5 AwEAAdV59e0KX1JymujkIbzikKCEVSExW3ixJ81hiboCHSvZv+LlMxlG sWT6uJrcEOENF+fZnDcl3u0WRgd3ctv9d40=
>
>
> ;; RRSIG of the DNSKEYset that signs the RRset to chase:
> toke.dk.                43200   IN      RRSIG   DNSKEY 5 2 43200 20140311112400 20140209112400 22551 toke.dk. CzZARTabg0VR00Ksv0Uz+qRqRvl06fTTZHa0k17Ccg7JdrvsnZ5DgJKy dhM7j3Rb4LHfZbcoTXXABICCvSQnoQ==
> toke.dk.                43200   IN      RRSIG   DNSKEY 5 2 43200 20140311112400 20140209112400 65122 toke.dk. Q9OqTdh4s3aGn9ExkTnYwPk8j+V9cTjEjLGXD8zY5l0HewORrqJT5Ebn R0YvK/xH/2XLnueAZ/q8khlSfjhFzA==
>
>
> ;; DSset of the DNSKEYset
> toke.dk.                86400   IN      DS      65122 5 1 A6FEBBA66365D55C97F8671688AD52883AB582A6
>
>
> ;; RRSIG of the DSset of the DNSKEYset
> toke.dk.                86400   IN      RRSIG   DS 8 2 86400 20140308183226 20140208200232 61294 dk. thrq3zR+toPNxDln/H/qWBJbjkNK8/NosI6oriQBPXzzcd6HzOdg7l67 kbmje94nwOysKIMCz/YiNjmnEfa7X0NorTZ+e3HOyTRG+NpyQoywgxvj TAFDGuu8hsussW+ohheb0efhX4/0YSamSsSBeAImPYWTdUQY10U0sXDq BCE=
>
>
>
>
> ;; WE HAVE MATERIAL, WE NOW DO VALIDATION
> ;; VERIFYING CNAME RRset for files.toke.dk. with DNSKEY:22551: success
> ;; OK We found DNSKEY (or more) to validate the RRset
> ;; Now, we are going to validate this DNSKEY by the DS
> ;; OK a DS valids a DNSKEY in the RRset
> ;; Now verify that this DNSKEY validates the DNSKEY RRset
> ;; VERIFYING DNSKEY RRset for toke.dk. with DNSKEY:65122: success
> ;; OK this DNSKEY (validated by the DS) validates the RRset of the DNSKEYs, thus the DNSKEY validates the RRset
> ;; Now, we want to validate the DS : recursive call
>
>
> Launch a query to find a RRset of type DNSKEY for zone: dk.
> ;; NO ANSWERS: no more
>
> ;; DNSKEY is missing to continue validation: FAILED
>
>
> -Toke
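The dnsmasq log and the dig +sigchase output above both turn on the same link in the chain of trust: the DS served by the parent zone (dk.) must name, by algorithm, key tag and digest, one of the DNSKEYs served by toke.dk. (here the SEP key, keytag 65122). As an added example that is not part of this thread or of dnsmasq's own C code, the Python below computes the RFC 4034 key tags of the two toke.dk. DNSKEYs quoted in the dig output and checks which of them the published DS authenticates; the records are copied from the thread with dig's line-wrap spaces removed from the base64, and the helper names are my own.

```python
import base64
import hashlib

# DNSKEY RRset for toke.dk. as quoted in the dig +sigchase output (base64 joined across dig's wrapping).
ZONE = "toke.dk."
DNSKEYS = [  # (flags, protocol, algorithm, public key)
    (256, 3, 5, "AwEAAaYKHaUARHUtPhVTEC6vTc0SR142BVj1P/wtgCjacCkGDN5wB6CmY0xEwUl+NuT9btz0xQmDGOMJEKunK+HpOh0="),
    (257, 3, 5, "AwEAAdV59e0KX1JymujkIbzikKCEVSExW3ixJ81hiboCHSvZv+LlMxlGsWT6uJrcEOENF+fZnDcl3u0WRgd3ctv9d40="),
]
# DS for toke.dk. as served by the dk. zone: key tag, algorithm, digest type (1 = SHA-1), digest.
DS = (65122, 5, 1, "A6FEBBA66365D55C97F8671688AD52883AB582A6")


def dnskey_rdata(flags, proto, alg, key_b64):
    """Wire-format DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return flags.to_bytes(2, "big") + bytes([proto, alg]) + base64.b64decode(key_b64)


def keytag(rdata):
    """Key tag of RFC 4034 Appendix B: sum the RDATA as big-endian 16-bit words, then fold the carry."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name):
    """Canonical wire form of an owner name: lower-case, length-prefixed labels, root terminator."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_digest(name, rdata, digest_type):
    """DS digest of RFC 4034 section 5.1.4: hash(owner name wire form | DNSKEY RDATA)."""
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return hasher(owner_wire(name) + rdata).hexdigest().upper()


def match_ds(name, ds, dnskeys):
    """Return (key tag, flags) of the DNSKEY this DS authenticates, or None if no key matches.
    All three must agree: algorithm, key tag and digest. Flags 257 marks the SEP (key-signing) key."""
    tag, alg, dtype, digest = ds
    for flags, proto, key_alg, key in dnskeys:
        rdata = dnskey_rdata(flags, proto, key_alg, key)
        if key_alg == alg and keytag(rdata) == tag and ds_digest(name, rdata, dtype) == digest:
            return keytag(rdata), flags
    return None


if __name__ == "__main__":
    for rec in DNSKEYS:
        print(f"DNSKEY flags={rec[0]} keytag={keytag(dnskey_rdata(*rec))}")
    print("DS 65122 authenticates:", match_ds(ZONE, DS, DNSKEYS))
```

The two key tags come out as 22551 (the ZSK that signs the CNAME) and 65122 (the SEP key the DS points at), matching the "reply toke.dk is DNSKEY keytag ..." lines in the dnsmasq log.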