From: Dave Taht <dave.taht@gmail.com>
To: "Toke Høiland-Jørgensen" <toke@toke.dk>
Cc: "cerowrt-devel@lists.bufferbloat.net" <cerowrt-devel@lists.bufferbloat.net>
Subject: Re: [Cerowrt-devel] Fwd: [Dnsmasq-discuss] Testers wanted: DNSSEC.
Date: Mon, 10 Feb 2014 09:14:49 -0800
Message-ID: <CAA93jw7cmbQ-LAHN0a71S4mczgmJR9OVfV+VQBkYxQstYKKmag@mail.gmail.com>
In-Reply-To: <878utinbsg.fsf@toke.dk>
Yea! I am under the impression that the still-missing functionality is NSEC3?
Is the local-to-dnsmasq domain signable?
On Mon, Feb 10, 2014 at 8:59 AM, Toke Høiland-Jørgensen <toke@toke.dk> wrote:
> Simon Kelley <simon@thekelleys.org.uk> writes:
>
>> OK. Fix (I think), in git now. Please could you test? (A byte-order problem,
>> inevitably).
>
> Yay, seems to work:
>
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: query[A] files.toke.dk from 10.42.0.7
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: forwarded files.toke.dk to 213.80.98.3
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: forwarded files.toke.dk to 213.80.98.2
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: dnssec-query[DNSKEY] toke.dk to 213.80.98.2
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: dnssec-query[DS] toke.dk to 213.80.98.2
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: dnssec-query[DNSKEY] dk to 213.80.98.2
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: dnssec-query[DS] dk to 213.80.98.2
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply dk is DS keytag 26887
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply dk is DNSKEY keytag 26887
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply dk is DNSKEY keytag 7665
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply dk is DNSKEY keytag 61294
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply dk is DNSKEY keytag 31369
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply toke.dk is DS keytag 65122
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply toke.dk is DNSKEY keytag 65122
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply toke.dk is DNSKEY keytag 22551
> Mon Feb 10 17:55:47 2014 daemon.err dnsmasq[11296]: Unexpected missing data for DNSSEC validation
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: validation result is INSECURE
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply files.toke.dk is <CNAME>
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply web2.tohojo.dk is 144.76.141.113
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: query[AAAA] files.toke.dk from 10.42.0.7
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: cached files.toke.dk is <CNAME>
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: forwarded files.toke.dk to 213.80.98.2
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: dnssec-query[DNSKEY] tohojo.dk to 213.80.98.2
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: dnssec-query[DS] tohojo.dk to 213.80.98.2
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply tohojo.dk is DS keytag 49471
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply tohojo.dk is DNSKEY keytag 49471
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply tohojo.dk is DNSKEY keytag 30141
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: validation result is SECURE
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply files.toke.dk is <CNAME>
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply web2.tohojo.dk is 2a01:4f8:200:3141::102
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: query[MX] files.toke.dk from 10.42.0.7
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: forwarded files.toke.dk to 213.80.98.2
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: validation result is SECURE
>
>
> Dunno why it starts out insecure (?), but seems to get to the right
> place.
>
> Can also do sigchase:
>
> $ dig +sigchase files.toke.dk @10.42.0.8
> ...snip...
>
>
> Launch a query to find a RRset of type DS for zone: .
> ;; NO ANSWERS: no more
>
> ;; WARNING There is no DS for the zone: .
>
>
>
> ;; WE HAVE MATERIAL, WE NOW DO VALIDATION
> ;; VERIFYING DS RRset for dk. with DNSKEY:33655: success
> ;; OK We found DNSKEY (or more) to validate the RRset
> ;; Ok, find a Trusted Key in the DNSKEY RRset: 19036
> ;; VERIFYING DNSKEY RRset for . with DNSKEY:19036: success
>
> ;; Ok this DNSKEY is a Trusted Key, DNSSEC validation is ok: SUCCESS
>
>
>
> But not +trace:
>
> $ dig +trace +sigchase files.toke.dk @10.42.0.8
>
> ; <<>> DiG 9.9.2-P2 <<>> +trace +sigchase files.toke.dk @10.42.0.8
> ;; global options: +cmd
> . 86891 IN NS d.root-servers.net.
> . 86891 IN NS l.root-servers.net.
> . 86891 IN NS h.root-servers.net.
> . 86891 IN NS j.root-servers.net.
> . 86891 IN NS b.root-servers.net.
> . 86891 IN NS m.root-servers.net.
> . 86891 IN NS k.root-servers.net.
> . 86891 IN NS f.root-servers.net.
> . 86891 IN NS e.root-servers.net.
> . 86891 IN NS g.root-servers.net.
> . 86891 IN NS a.root-servers.net.
> . 86891 IN NS c.root-servers.net.
> . 86891 IN NS i.root-servers.net.
> . 325955 IN RRSIG NS 8 0 518400 20140215000000 20140207230000 33655 . cZOSrkiewfX+HdA2covOiYL+Z8xgBoCpJm4VZq083M51CvIFBipG1/BO JYYiRzmpQJN/l6FI5RBKmDVFq/RqkVineoIYrsIZL9RRcAF+phPO+kHU YU3ckdHZroDZCu1QUPd+Kr6Y8+9GBH8wYM++0Z6tLRA+iZXbNOadfZ9o euU=
> dk. 172800 IN NS l.nic.dk.
> dk. 172800 IN NS p.nic.dk.
> dk. 172800 IN NS s.nic.dk.
> dk. 172800 IN NS b.nic.dk.
> dk. 172800 IN NS c.nic.dk.
> dk. 172800 IN NS a.nic.dk.
> dk. 86400 IN DS 26887 8 2 A1AB8546B80E438A7DFE0EC559A7088EC5AED3C4E0D26B1B60ED3735 F853DFD7
> dk. 86400 IN RRSIG DS 8 1 86400 20140217000000 20140209230000 33655 . aK1OgJzktVeo2i83KdOig62wyqkxcQmbbQePi4T7zI4OhPzI5LMz9kbS W/V7bOgNBfYBjDJg4JEYIAC0esCrGPtbAsKQ7YrKiZikNAhlD/BgTvtD JQJxc+7f4xUa6Y7/9DBKmG8Du+DftF99RngT/hCgr9hZme9YkvtGaEyo CZI=
> toke.dk. 86400 IN NS ns2.gratisdns.dk.
> toke.dk. 86400 IN NS ns1.gratisdns.dk.
> toke.dk. 86400 IN NS ns4.gratisdns.dk.
> toke.dk. 86400 IN NS ns5.gratisdns.dk.
> toke.dk. 86400 IN NS ns3.gratisdns.dk.
> toke.dk. 86400 IN DS 65122 5 1 A6FEBBA66365D55C97F8671688AD52883AB582A6
> toke.dk. 86400 IN RRSIG DS 8 2 86400 20140308183226 20140208200232 61294 dk. thrq3zR+toPNxDln/H/qWBJbjkNK8/NosI6oriQBPXzzcd6HzOdg7l67 kbmje94nwOysKIMCz/YiNjmnEfa7X0NorTZ+e3HOyTRG+NpyQoywgxvj TAFDGuu8hsussW+ohheb0efhX4/0YSamSsSBeAImPYWTdUQY10U0sXDq BCE=
> files.toke.dk. 43200 IN CNAME web2.tohojo.dk.
> files.toke.dk. 43200 IN RRSIG CNAME 5 3 43200 20140311112400 20140209112400 22551 toke.dk. ObiMhHqVUSxsje4979EzuiDoCt7z1r1Gl946gmY9ZDe7Es+7jg1l7m8/ vyVhPDRxqNxEAsTmFXF6mkwKkK60ag==
> ;; RRset to chase:
> files.toke.dk. 43200 IN CNAME web2.tohojo.dk.
>
>
> ;; RRSIG of the RRset to chase:
> files.toke.dk. 43200 IN RRSIG CNAME 5 3 43200 20140311112400 20140209112400 22551 toke.dk. ObiMhHqVUSxsje4979EzuiDoCt7z1r1Gl946gmY9ZDe7Es+7jg1l7m8/ vyVhPDRxqNxEAsTmFXF6mkwKkK60ag==
>
>
>
> Launch a query to find a RRset of type DNSKEY for zone: toke.dk.
> toke.dk. 43200 IN DNSKEY 256 3 5 AwEAAaYKHaUARHUtPhVTEC6vTc0SR142BVj1P/wtgCjacCkGDN5wB6Cm Y0xEwUl+NuT9btz0xQmDGOMJEKunK+HpOh0=
> toke.dk. 43200 IN DNSKEY 257 3 5 AwEAAdV59e0KX1JymujkIbzikKCEVSExW3ixJ81hiboCHSvZv+LlMxlG sWT6uJrcEOENF+fZnDcl3u0WRgd3ctv9d40=
> toke.dk. 43200 IN RRSIG DNSKEY 5 2 43200 20140311112400 20140209112400 22551 toke.dk. CzZARTabg0VR00Ksv0Uz+qRqRvl06fTTZHa0k17Ccg7JdrvsnZ5DgJKy dhM7j3Rb4LHfZbcoTXXABICCvSQnoQ==
> toke.dk. 43200 IN RRSIG DNSKEY 5 2 43200 20140311112400 20140209112400 65122 toke.dk. Q9OqTdh4s3aGn9ExkTnYwPk8j+V9cTjEjLGXD8zY5l0HewORrqJT5Ebn R0YvK/xH/2XLnueAZ/q8khlSfjhFzA==
>
> ;; DNSKEYset that signs the RRset to chase:
> toke.dk. 43200 IN DNSKEY 256 3 5 AwEAAaYKHaUARHUtPhVTEC6vTc0SR142BVj1P/wtgCjacCkGDN5wB6Cm Y0xEwUl+NuT9btz0xQmDGOMJEKunK+HpOh0=
> toke.dk. 43200 IN DNSKEY 257 3 5 AwEAAdV59e0KX1JymujkIbzikKCEVSExW3ixJ81hiboCHSvZv+LlMxlG sWT6uJrcEOENF+fZnDcl3u0WRgd3ctv9d40=
>
>
> ;; RRSIG of the DNSKEYset that signs the RRset to chase:
> toke.dk. 43200 IN RRSIG DNSKEY 5 2 43200 20140311112400 20140209112400 22551 toke.dk. CzZARTabg0VR00Ksv0Uz+qRqRvl06fTTZHa0k17Ccg7JdrvsnZ5DgJKy dhM7j3Rb4LHfZbcoTXXABICCvSQnoQ==
> toke.dk. 43200 IN RRSIG DNSKEY 5 2 43200 20140311112400 20140209112400 65122 toke.dk. Q9OqTdh4s3aGn9ExkTnYwPk8j+V9cTjEjLGXD8zY5l0HewORrqJT5Ebn R0YvK/xH/2XLnueAZ/q8khlSfjhFzA==
>
>
> ;; DSset of the DNSKEYset
> toke.dk. 86400 IN DS 65122 5 1 A6FEBBA66365D55C97F8671688AD52883AB582A6
>
>
> ;; RRSIG of the DSset of the DNSKEYset
> toke.dk. 86400 IN RRSIG DS 8 2 86400 20140308183226 20140208200232 61294 dk. thrq3zR+toPNxDln/H/qWBJbjkNK8/NosI6oriQBPXzzcd6HzOdg7l67 kbmje94nwOysKIMCz/YiNjmnEfa7X0NorTZ+e3HOyTRG+NpyQoywgxvj TAFDGuu8hsussW+ohheb0efhX4/0YSamSsSBeAImPYWTdUQY10U0sXDq BCE=
>
>
>
>
> ;; WE HAVE MATERIAL, WE NOW DO VALIDATION
> ;; VERIFYING CNAME RRset for files.toke.dk. with DNSKEY:22551: success
> ;; OK We found DNSKEY (or more) to validate the RRset
> ;; Now, we are going to validate this DNSKEY by the DS
> ;; OK a DS valids a DNSKEY in the RRset
> ;; Now verify that this DNSKEY validates the DNSKEY RRset
> ;; VERIFYING DNSKEY RRset for toke.dk. with DNSKEY:65122: success
> ;; OK this DNSKEY (validated by the DS) validates the RRset of the DNSKEYs, thus the DNSKEY validates the RRset
> ;; Now, we want to validate the DS : recursive call
>
>
> Launch a query to find a RRset of type DNSKEY for zone: dk.
> ;; NO ANSWERS: no more
>
> ;; DNSKEY is missing to continue validation: FAILED
>
>
> -Toke
>
> _______________________________________________
> Cerowrt-devel mailing list
> Cerowrt-devel@lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/cerowrt-devel
>
--
Dave Täht
Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html
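The "keytag NNNNN" numbers in the dnsmasq log and the "a DS valids a DNSKEY" step in the dig +sigchase output above are two small computations that are worth seeing spelled out: the key tag (RFC 4034 Appendix B) is a checksum over the DNSKEY RDATA used to pick the candidate key, and the DS digest (SHA-1 for digest type 1) over the owner name plus that RDATA is what actually ties a child key to the parent zone. The following is an added example in Python, not code from dnsmasq or dig; the DNSKEY and DS records are the toke.dk. ones copied from the quoted dig +trace output (the space inside each base64 key is dig's line folding and is stripped before decoding).

```python
"""Key tag and DS checks for the toke.dk. DNSKEY / DS records quoted above.

Added illustration (not dnsmasq or dig code). The record values are copied
from the dig +trace output in the quoted mail; everything else is assumed.
"""
import base64
import hashlib


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-cased, length-prefixed labels, root byte."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if not label:          # "." or "" -> just the root label
            continue
        raw = label.encode("ascii")
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, key_b64: str) -> bytes:
    """DNSKEY RDATA as it travels on the wire (RFC 4034 section 2.1)."""
    key = base64.b64decode("".join(key_b64.split()))   # drop dig's line-folding spaces
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B.1 (all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


DS_DIGEST = {1: hashlib.sha1, 2: hashlib.sha256}   # digest types 1 and 2 (RFC 4034 / 4509)


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """Digest a DS record would carry for this DNSKEY: hash(owner wire form | DNSKEY RDATA)."""
    return DS_DIGEST[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()


def ds_matches_dnskey(owner, ds, flags, protocol, algorithm, key_b64) -> bool:
    """True when the parent's DS authenticates this DNSKEY: key tag, algorithm and digest all agree."""
    tag, alg, dtype, digest = ds
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    return (key_tag(rdata) == tag
            and algorithm == alg
            and ds_digest(owner, rdata, dtype) == "".join(digest.split()).upper())


def rsa_modulus_bits(key_b64: str) -> int:
    """Modulus size of an RFC 3110 RSA public key (exponent length, exponent, modulus)."""
    key = base64.b64decode("".join(key_b64.split()))
    exp_len, offset = key[0], 1
    if exp_len == 0:                                  # long form: two-byte exponent length
        exp_len, offset = int.from_bytes(key[1:3], "big"), 3
    return int.from_bytes(key[offset + exp_len:], "big").bit_length()


# Records copied from the dig +trace output in the quoted mail (flags, protocol, algorithm, key).
TOKE_DK_ZSK = (256, 3, 5, "AwEAAaYKHaUARHUtPhVTEC6vTc0SR142BVj1P/wtgCjacCkGDN5wB6Cm "
                          "Y0xEwUl+NuT9btz0xQmDGOMJEKunK+HpOh0=")
TOKE_DK_KSK = (257, 3, 5, "AwEAAdV59e0KX1JymujkIbzikKCEVSExW3ixJ81hiboCHSvZv+LlMxlG "
                          "sWT6uJrcEOENF+fZnDcl3u0WRgd3ctv9d40=")
TOKE_DK_DS = (65122, 5, 1, "A6FEBBA66365D55C97F8671688AD52883AB582A6")   # (key tag, alg, digest type, digest)


def check_zone_keys(owner, ds, keys):
    """Map each DNSKEY's key tag to whether the parent DS covers it (dig's 'a DS valids a DNSKEY' step)."""
    return {key_tag(dnskey_rdata(*k)): ds_matches_dnskey(owner, ds, *k) for k in keys}


if __name__ == "__main__":
    for tag, ok in check_zone_keys("toke.dk.", TOKE_DK_DS, [TOKE_DK_ZSK, TOKE_DK_KSK]).items():
        print(f"DNSKEY keytag {tag}: {'validated by DS' if ok else 'not covered by DS'}")
    print("modulus bits:", rsa_modulus_bits(TOKE_DK_KSK[3]))
```

Run stand-alone it reports keytag 22551 (the ZSK, which signs the CNAME and is not in the DS) and keytag 65122 (the KSK, whose SHA-1 digest matches the DS published in dk.), the same numbers both dnsmasq and dig print above. Only the key that the DS covers anchors the zone; the ZSK is trusted solely because the KSK signs the DNSKEY RRset. Decoding the keys also shows both are 512-bit RSASHA1 keys, a size that had long been considered inadequate by 2014, which is the kind of detail a validating resolver's log does not surface on its own.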