From: Toke Høiland-Jørgensen
To: Simon Kelley
Cc: cerowrt-devel@lists.bufferbloat.net
Subject: Re: [Cerowrt-devel] Fwd: [Dnsmasq-discuss] Testers wanted: DNSSEC.
Date: Sun, 09 Feb 2014 13:09:04 +0100
Message-ID: <87ppmw7ajj.fsf@toke.dk>
In-Reply-To: <52F3A3B2.8020201@thekelleys.org.uk> (Simon Kelley's message of "Thu, 06 Feb 2014 15:01:06 +0000")
References: <87a9e6xcae.fsf@alrua-x1.kau.toke.dk> <87ob2lmqny.fsf@toke.dk> <52F29645.6010001@thekelleys.org.uk> <874n4dwcdb.fsf@alrua-x1.kau.toke.dk> <52F2BA80.9010202@thekelleys.org.uk> <87iossvgw4.fsf@alrua-x1.kau.toke.dk> <52F369AA.5060809@thekelleys.org.uk> <8761osv78r.fsf@alrua-x1.kau.toke.dk> <52F371B3.5030406@thekelleys.org.uk> <87k3d8mna8.fsf@toke.dk> <52F3A3B2.8020201@thekelleys.org.uk>
OK, so I've tried building dnsmasq on cerowrt, from git head. It seems
to have some trouble validating stuff:

Sun Feb 9 13:04:24 2014 daemon.info dnsmasq[6456]: forwarded mail2.tohojo.dk to 213.80.98.2
Sun Feb 9 13:04:24 2014 daemon.info dnsmasq[6456]: dnssec-query[DNSKEY] tohojo.dk to 213.80.98.2
Sun Feb 9 13:04:24 2014 daemon.info dnsmasq[6456]: dnssec-query[DS] tohojo.dk to 213.80.98.2
Sun Feb 9 13:04:24 2014 daemon.info dnsmasq[6456]: dnssec-query[DNSKEY] dk to 213.80.98.2
Sun Feb 9 13:04:24 2014 daemon.info dnsmasq[6456]: dnssec-query[DS] dk to 213.80.98.2
Sun Feb 9 13:04:24 2014 daemon.info dnsmasq[6456]: reply dk is BOGUS DS
Sun Feb 9 13:04:24 2014 daemon.info dnsmasq[6456]: validation result is BOGUS

This is with dnssec-debug turned on. I'm not entirely sure how to go
about debugging this, but FWIW this works:

$ dig +dnssec +sigchase mail2.tohojo.dk @213.80.98.2
...snip...
;; WE HAVE MATERIAL, WE NOW DO VALIDATION
;; VERIFYING DS RRset for dk. with DNSKEY:33655: success
;; OK We found DNSKEY (or more) to validate the RRset
;; Ok, find a Trusted Key in the DNSKEY RRset: 19036
;; VERIFYING DNSKEY RRset for . with DNSKEY:19036: success
;; Ok this DNSKEY is a Trusted Key, DNSSEC validation is ok: SUCCESS

Whereas going through the dnsmasq server fails:

$ dig +dnssec +sigchase mail2.tohojo.dk @10.42.8.1
...snip...
;; WE HAVE MATERIAL, WE NOW DO VALIDATION
;; VERIFYING DS RRset for tohojo.dk. with DNSKEY:61294: success
;; OK We found DNSKEY (or more) to validate the RRset
;; Now, we are going to validate this DNSKEY by the DS
;; OK a DS valids a DNSKEY in the RRset
;; Now verify that this DNSKEY validates the DNSKEY RRset
;; VERIFYING DNSKEY RRset for dk. with DNSKEY:26887: success
;; OK this DNSKEY (validated by the DS) validates the RRset of the DNSKEYs, thus the DNSKEY validates the RRset
;; Now, we want to validate the DS : recursive call
Launch a query to find a RRset of type DNSKEY for zone: .
;; DNSKEYset that signs the RRset to chase:
. 0 IN DNSKEY 256 3 8 AwEAAYRU41/8smgAvuSojEP4jaj5Yll7WPaUKpYvnz2pnX2VIvRn4jsy Jns80bloenG6X9ebJVy2CFtZQLKHP8DcKmIFotdgs2HolyocY1am/+33 4RtzusM2ojkhjn1FRGtuSE9s2TSz1ISv0yVnFyu+EP/ZkiWnDfWeVrJI SEWBEr4V
. 0 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=
. 0 IN DNSKEY 256 3 8 AwEAAb8sU6pbYMWRbkRnEuEZw9NSir707TkOcF+UL1XiK4NDJOvXRyX1 95Am5dQ7bRnnuySZ3daf37vvjUUhuIWUAQ4stht8nJfYxVQXDYjSpGH5 I6Hf/0CZEoNP6cNvrQ7AFmKkmv00xWExKQjbvnRPI4bqpMwtHVzn6Wyb BZ6kuqED
Launch a query to find a RRset of type RRSIG for zone: .
;; RRSIG for DNSKEY is missing to continue validation : FAILED

Not really sure what to make of this?
-Toke
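The dig +sigchase run above walks the step a validator performs before it trusts a zone's DNSKEY RRset: find the member of the RRset whose key tag and digest match a DS record (or, for the root, the configured trust anchor). The following added example, written for this page and not code from the mail or from dnsmasq, recomputes the RFC 4034 key tag and DS digest for the three root DNSKEYs dig printed and reports which one is the trust anchor. The trust anchor tuple is assumed from the published IANA KSK-2010 anchor (the mail itself only shows the tag 19036); the function names are mine. It handles digest types 1, 2 and 4 rather than only SHA-256, and it covers the DS-to-DNSKEY step only, not the RRSIG verification that dig reports as missing in the failing run.

```python
"""Recompute DNSSEC key tags and DS digests for a DNSKEY RRset and find the
member that a DS record / trust anchor validates (RFC 4034 s5.1.4, App. B)."""
import base64
import hashlib

# The three root DNSKEYs as dig printed them in the mail above
# (flags, protocol, algorithm, base64 key with dig's line-wrap spaces).
ROOT_DNSKEY_RRSET = [
    (256, 3, 8, "AwEAAYRU41/8smgAvuSojEP4jaj5Yll7WPaUKpYvnz2pnX2VIvRn4jsy "
                "Jns80bloenG6X9ebJVy2CFtZQLKHP8DcKmIFotdgs2HolyocY1am/+33 "
                "4RtzusM2ojkhjn1FRGtuSE9s2TSz1ISv0yVnFyu+EP/ZkiWnDfWeVrJI "
                "SEWBEr4V"),
    (257, 3, 8, "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF "
                "FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX "
                "bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD "
                "X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz "
                "W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS "
                "Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq "
                "QxA+Uk1ihz0="),
    (256, 3, 8, "AwEAAb8sU6pbYMWRbkRnEuEZw9NSir707TkOcF+UL1XiK4NDJOvXRyX1 "
                "95Am5dQ7bRnnuySZ3daf37vvjUUhuIWUAQ4stht8nJfYxVQXDYjSpGH5 "
                "I6Hf/0CZEoNP6cNvrQ7AFmKkmv00xWExKQjbvnRPI4bqpMwtHVzn6Wyb "
                "BZ6kuqED"),
]

# Root trust anchor of that era (IANA KSK-2010) in DS form:
# (key tag, algorithm, digest type, digest). Assumed from the published IANA
# anchor, not taken from the mail, which only shows the tag 19036.
ROOT_TRUST_ANCHOR = (19036, 8, 2,
    "49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5")

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605)
DIGEST_ALGS = {1: "sha1", 2: "sha256", 4: "sha384"}


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire-format owner name; "." is the single zero byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw key bytes."""
    key = base64.b64decode("".join(pubkey_b64.split()))
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: 16-bit ones'-complement-style sum of RDATA."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b << 8 if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS digest per RFC 4034 s5.1.4: hash(owner-name-wire || DNSKEY RDATA)."""
    h = hashlib.new(DIGEST_ALGS[digest_type])
    h.update(name_to_wire(owner) + rdata)
    return h.hexdigest().upper()


def dnskey_matches_ds(owner, flags, protocol, algorithm, pubkey_b64, ds) -> dict:
    """Check one DNSKEY against one DS / trust anchor. Each sub-check is reported
    separately so a BOGUS result can be attributed to tag, algorithm or digest."""
    ds_tag, ds_alg, ds_dtype, ds_hex = ds
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    tag = key_tag(rdata)
    digest = ds_digest(owner, rdata, ds_dtype)
    result = {
        "key_tag": tag,
        "tag_ok": tag == ds_tag,
        "alg_ok": algorithm == ds_alg,
        "digest_ok": digest == ds_hex.upper(),
    }
    result["matches"] = result["tag_ok"] and result["alg_ok"] and result["digest_ok"]
    return result


def find_anchor_key(owner, rrset, ds):
    """Return (index, key tag) of the RRset member the DS validates, or None.
    None is the situation a validator must treat as BOGUS for that zone."""
    for i, (flags, proto, alg, key) in enumerate(rrset):
        r = dnskey_matches_ds(owner, flags, proto, alg, key, ds)
        if r["matches"]:
            return i, r["key_tag"]
    return None


if __name__ == "__main__":
    for flags, proto, alg, key in ROOT_DNSKEY_RRSET:
        kind = "KSK" if flags & 1 else "ZSK"   # bit 15 (SEP) marks a key-signing key
        print(f"{kind} key tag {key_tag(dnskey_rdata(flags, proto, alg, key))}")
    print("trust anchor validates:", find_anchor_key(".", ROOT_DNSKEY_RRSET, ROOT_TRUST_ANCHOR))
```

Running it prints the tags of the two ZSKs and the KSK and reports that the 257-flagged key is the one the anchor validates. A real validator then still has to verify the RRSIG over the DNSKEY RRset with that key, which is the piece dig says was missing from the answer relayed through dnsmasq; a chain that stops at a matching DS without a verified RRSIG must still be treated as unvalidated.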