Development issues regarding the cerowrt test router project
From: "Toke Høiland-Jørgensen" <toke@toke.dk>
To: Simon Kelley <simon@thekelleys.org.uk>
Cc: cerowrt-devel@lists.bufferbloat.net
Subject: Re: [Cerowrt-devel] Fwd: [Dnsmasq-discuss] Testers wanted: DNSSEC.
Date: Mon, 10 Feb 2014 17:59:59 +0100
Message-ID: <878utinbsg.fsf@toke.dk>
In-Reply-To: <52F9023B.50504@thekelleys.org.uk> (Simon Kelley's message of "Mon, 10 Feb 2014 16:45:47 +0000")


Simon Kelley <simon@thekelleys.org.uk> writes:

> OK. Fix (I think), in git now. Please could you test? (A byte-order problem,
> inevitably).

Yay, seems to work:

Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: query[A] files.toke.dk from 10.42.0.7
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: forwarded files.toke.dk to 213.80.98.3
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: forwarded files.toke.dk to 213.80.98.2
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: dnssec-query[DNSKEY] toke.dk to 213.80.98.2
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: dnssec-query[DS] toke.dk to 213.80.98.2
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: dnssec-query[DNSKEY] dk to 213.80.98.2
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: dnssec-query[DS] dk to 213.80.98.2
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply dk is DS keytag 26887
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply dk is DNSKEY keytag 26887
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply dk is DNSKEY keytag 7665
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply dk is DNSKEY keytag 61294
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply dk is DNSKEY keytag 31369
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply toke.dk is DS keytag 65122
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply toke.dk is DNSKEY keytag 65122
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply toke.dk is DNSKEY keytag 22551
Mon Feb 10 17:55:47 2014 daemon.err dnsmasq[11296]: Unexpected missing data for DNSSEC validation
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: validation result is INSECURE
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply files.toke.dk is <CNAME>
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply web2.tohojo.dk is 144.76.141.113
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: query[AAAA] files.toke.dk from 10.42.0.7
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: cached files.toke.dk is <CNAME>
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: forwarded files.toke.dk to 213.80.98.2
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: dnssec-query[DNSKEY] tohojo.dk to 213.80.98.2
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: dnssec-query[DS] tohojo.dk to 213.80.98.2
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply tohojo.dk is DS keytag 49471
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply tohojo.dk is DNSKEY keytag 49471
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply tohojo.dk is DNSKEY keytag 30141
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: validation result is SECURE
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply files.toke.dk is <CNAME>
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply web2.tohojo.dk is 2a01:4f8:200:3141::102
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: query[MX] files.toke.dk from 10.42.0.7
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: forwarded files.toke.dk to 213.80.98.2
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: validation result is SECURE


Dunno why it starts out insecure (?), but seems to get to the right
place.

Can also do sigchase:

$ dig +sigchase files.toke.dk @10.42.0.8
...snip...


Launch a query to find a RRset of type DS for zone: .
;; NO ANSWERS: no more

;; WARNING There is no DS for the zone: .



;; WE HAVE MATERIAL, WE NOW DO VALIDATION
;; VERIFYING DS RRset for dk. with DNSKEY:33655: success
;; OK We found DNSKEY (or more) to validate the RRset
;; Ok, find a Trusted Key in the DNSKEY RRset: 19036
;; VERIFYING DNSKEY RRset for . with DNSKEY:19036: success

;; Ok this DNSKEY is a Trusted Key, DNSSEC validation is ok: SUCCESS



But not +trace:

$ dig +trace +sigchase files.toke.dk @10.42.0.8

; <<>> DiG 9.9.2-P2 <<>> +trace +sigchase files.toke.dk @10.42.0.8
;; global options: +cmd
.			86891	IN	NS	d.root-servers.net.
.			86891	IN	NS	l.root-servers.net.
.			86891	IN	NS	h.root-servers.net.
.			86891	IN	NS	j.root-servers.net.
.			86891	IN	NS	b.root-servers.net.
.			86891	IN	NS	m.root-servers.net.
.			86891	IN	NS	k.root-servers.net.
.			86891	IN	NS	f.root-servers.net.
.			86891	IN	NS	e.root-servers.net.
.			86891	IN	NS	g.root-servers.net.
.			86891	IN	NS	a.root-servers.net.
.			86891	IN	NS	c.root-servers.net.
.			86891	IN	NS	i.root-servers.net.
.			325955	IN	RRSIG	NS 8 0 518400 20140215000000 20140207230000 33655 . cZOSrkiewfX+HdA2covOiYL+Z8xgBoCpJm4VZq083M51CvIFBipG1/BO JYYiRzmpQJN/l6FI5RBKmDVFq/RqkVineoIYrsIZL9RRcAF+phPO+kHU YU3ckdHZroDZCu1QUPd+Kr6Y8+9GBH8wYM++0Z6tLRA+iZXbNOadfZ9o euU=
dk.			172800	IN	NS	l.nic.dk.
dk.			172800	IN	NS	p.nic.dk.
dk.			172800	IN	NS	s.nic.dk.
dk.			172800	IN	NS	b.nic.dk.
dk.			172800	IN	NS	c.nic.dk.
dk.			172800	IN	NS	a.nic.dk.
dk.			86400	IN	DS	26887 8 2 A1AB8546B80E438A7DFE0EC559A7088EC5AED3C4E0D26B1B60ED3735 F853DFD7
dk.			86400	IN	RRSIG	DS 8 1 86400 20140217000000 20140209230000 33655 . aK1OgJzktVeo2i83KdOig62wyqkxcQmbbQePi4T7zI4OhPzI5LMz9kbS W/V7bOgNBfYBjDJg4JEYIAC0esCrGPtbAsKQ7YrKiZikNAhlD/BgTvtD JQJxc+7f4xUa6Y7/9DBKmG8Du+DftF99RngT/hCgr9hZme9YkvtGaEyo CZI=
toke.dk.		86400	IN	NS	ns2.gratisdns.dk.
toke.dk.		86400	IN	NS	ns1.gratisdns.dk.
toke.dk.		86400	IN	NS	ns4.gratisdns.dk.
toke.dk.		86400	IN	NS	ns5.gratisdns.dk.
toke.dk.		86400	IN	NS	ns3.gratisdns.dk.
toke.dk.		86400	IN	DS	65122 5 1 A6FEBBA66365D55C97F8671688AD52883AB582A6
toke.dk.		86400	IN	RRSIG	DS 8 2 86400 20140308183226 20140208200232 61294 dk. thrq3zR+toPNxDln/H/qWBJbjkNK8/NosI6oriQBPXzzcd6HzOdg7l67 kbmje94nwOysKIMCz/YiNjmnEfa7X0NorTZ+e3HOyTRG+NpyQoywgxvj TAFDGuu8hsussW+ohheb0efhX4/0YSamSsSBeAImPYWTdUQY10U0sXDq BCE=
files.toke.dk.		43200	IN	CNAME	web2.tohojo.dk.
files.toke.dk.		43200	IN	RRSIG	CNAME 5 3 43200 20140311112400 20140209112400 22551 toke.dk. ObiMhHqVUSxsje4979EzuiDoCt7z1r1Gl946gmY9ZDe7Es+7jg1l7m8/ vyVhPDRxqNxEAsTmFXF6mkwKkK60ag==
;; RRset to chase:
files.toke.dk.		43200	IN	CNAME	web2.tohojo.dk.


;; RRSIG of the RRset to chase:
files.toke.dk.		43200	IN	RRSIG	CNAME 5 3 43200 20140311112400 20140209112400 22551 toke.dk. ObiMhHqVUSxsje4979EzuiDoCt7z1r1Gl946gmY9ZDe7Es+7jg1l7m8/ vyVhPDRxqNxEAsTmFXF6mkwKkK60ag==



Launch a query to find a RRset of type DNSKEY for zone: toke.dk.
toke.dk.		43200	IN	DNSKEY	256 3 5 AwEAAaYKHaUARHUtPhVTEC6vTc0SR142BVj1P/wtgCjacCkGDN5wB6Cm Y0xEwUl+NuT9btz0xQmDGOMJEKunK+HpOh0=
toke.dk.		43200	IN	DNSKEY	257 3 5 AwEAAdV59e0KX1JymujkIbzikKCEVSExW3ixJ81hiboCHSvZv+LlMxlG sWT6uJrcEOENF+fZnDcl3u0WRgd3ctv9d40=
toke.dk.		43200	IN	RRSIG	DNSKEY 5 2 43200 20140311112400 20140209112400 22551 toke.dk. CzZARTabg0VR00Ksv0Uz+qRqRvl06fTTZHa0k17Ccg7JdrvsnZ5DgJKy dhM7j3Rb4LHfZbcoTXXABICCvSQnoQ==
toke.dk.		43200	IN	RRSIG	DNSKEY 5 2 43200 20140311112400 20140209112400 65122 toke.dk. Q9OqTdh4s3aGn9ExkTnYwPk8j+V9cTjEjLGXD8zY5l0HewORrqJT5Ebn R0YvK/xH/2XLnueAZ/q8khlSfjhFzA==

;; DNSKEYset that signs the RRset to chase:
toke.dk.		43200	IN	DNSKEY	256 3 5 AwEAAaYKHaUARHUtPhVTEC6vTc0SR142BVj1P/wtgCjacCkGDN5wB6Cm Y0xEwUl+NuT9btz0xQmDGOMJEKunK+HpOh0=
toke.dk.		43200	IN	DNSKEY	257 3 5 AwEAAdV59e0KX1JymujkIbzikKCEVSExW3ixJ81hiboCHSvZv+LlMxlG sWT6uJrcEOENF+fZnDcl3u0WRgd3ctv9d40=


;; RRSIG of the DNSKEYset that signs the RRset to chase:
toke.dk.		43200	IN	RRSIG	DNSKEY 5 2 43200 20140311112400 20140209112400 22551 toke.dk. CzZARTabg0VR00Ksv0Uz+qRqRvl06fTTZHa0k17Ccg7JdrvsnZ5DgJKy dhM7j3Rb4LHfZbcoTXXABICCvSQnoQ==
toke.dk.		43200	IN	RRSIG	DNSKEY 5 2 43200 20140311112400 20140209112400 65122 toke.dk. Q9OqTdh4s3aGn9ExkTnYwPk8j+V9cTjEjLGXD8zY5l0HewORrqJT5Ebn R0YvK/xH/2XLnueAZ/q8khlSfjhFzA==


;; DSset of the DNSKEYset
toke.dk.		86400	IN	DS	65122 5 1 A6FEBBA66365D55C97F8671688AD52883AB582A6


;; RRSIG of the DSset of the DNSKEYset
toke.dk.		86400	IN	RRSIG	DS 8 2 86400 20140308183226 20140208200232 61294 dk. thrq3zR+toPNxDln/H/qWBJbjkNK8/NosI6oriQBPXzzcd6HzOdg7l67 kbmje94nwOysKIMCz/YiNjmnEfa7X0NorTZ+e3HOyTRG+NpyQoywgxvj TAFDGuu8hsussW+ohheb0efhX4/0YSamSsSBeAImPYWTdUQY10U0sXDq BCE=




;; WE HAVE MATERIAL, WE NOW DO VALIDATION
;; VERIFYING CNAME RRset for files.toke.dk. with DNSKEY:22551: success
;; OK We found DNSKEY (or more) to validate the RRset
;; Now, we are going to validate this DNSKEY by the DS
;; OK a DS valids a DNSKEY in the RRset
;; Now verify that this DNSKEY validates the DNSKEY RRset
;; VERIFYING DNSKEY RRset for toke.dk. with DNSKEY:65122: success
;; OK this DNSKEY (validated by the DS) validates the RRset of the DNSKEYs, thus the DNSKEY validates the RRset
;; Now, we want to validate the DS :  recursive call


Launch a query to find a RRset of type DNSKEY for zone: dk.
;; NO ANSWERS: no more

;; DNSKEY is missing to continue validation: FAILED


-Toke

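An added example (not part of Toke's message or of dnsmasq's code) that reproduces the two checks the dnsmasq log and the sigchase output above perform for toke.dk: the RFC 4034 key tag that ties DNSKEY 65122 to the DS record, and the SHA-1 DS digest over the owner name and DNSKEY RDATA. The records are copied from the dig output on this page; keytag_host_order_bug is a constructed illustration of how reading the RDATA in host byte order skews the tag, not a description of the bug Simon fixed.

```python
import base64
import hashlib
import struct

# DNSKEY and DS records for toke.dk, copied from the dig +sigchase output above.
TOKE_DK_ZSK = ("256 3 5 AwEAAaYKHaUARHUtPhVTEC6vTc0SR142BVj1P/wtgCjacCkGDN5wB6Cm"
               "Y0xEwUl+NuT9btz0xQmDGOMJEKunK+HpOh0=")
TOKE_DK_KSK = ("257 3 5 AwEAAdV59e0KX1JymujkIbzikKCEVSExW3ixJ81hiboCHSvZv+LlMxlG"
               "sWT6uJrcEOENF+fZnDcl3u0WRgd3ctv9d40=")
TOKE_DK_DS = "65122 5 1 A6FEBBA66365D55C97F8671688AD52883AB582A6"

def dnskey_rdata(presentation):
    """Wire-format RDATA (flags, protocol, algorithm, key) from '256 3 5 <base64>'."""
    flags, proto, alg, *key = presentation.split()
    return struct.pack("!HBB", int(flags), int(proto), int(alg)) + base64.b64decode("".join(key))

def keytag(rdata):
    """RFC 4034 Appendix B key tag: sum of big-endian 16-bit words, carry folded."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def keytag_host_order_bug(rdata):
    """Constructed bug: same sum, but each pair read as a native little-endian uint16."""
    ac = sum(int.from_bytes(rdata[i:i + 2], "little") for i in range(0, len(rdata), 2))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def wire_name(name):
    """Canonical owner name: lower-cased, length-prefixed labels, e.g. 04 'toke' 02 'dk' 00."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in labels) + b"\x00"

def ds_matches(owner, dnskey_presentation, ds_presentation):
    """True if a digest-type-1 (SHA-1) DS covers the DNSKEY: key tag and algorithm
    agree and SHA-1(owner wire name | DNSKEY RDATA) equals the DS digest."""
    tag, alg, dtype, digest = ds_presentation.split()
    rdata = dnskey_rdata(dnskey_presentation)
    calc = hashlib.sha1(wire_name(owner) + rdata).hexdigest().upper()
    return int(dtype) == 1 and keytag(rdata) == int(tag) and rdata[3] == int(alg) and calc == digest

if __name__ == "__main__":
    for label, rec in (("ZSK", TOKE_DK_ZSK), ("KSK", TOKE_DK_KSK)):
        rd = dnskey_rdata(rec)
        print(label, "keytag", keytag(rd), "/ host-order bug would give", keytag_host_order_bug(rd))
    print("DS 65122 covers the KSK:", ds_matches("toke.dk.", TOKE_DK_KSK, TOKE_DK_DS))
```

The dnsmasq log and dig above report these two keys as key tags 22551 (ZSK) and 65122 (KSK), so the values the script prints can be compared directly against the thread.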
