From: Dave Taht
To: Toke Høiland-Jørgensen
Cc: cerowrt-devel@lists.bufferbloat.net
Subject: Re: [Cerowrt-devel] Fwd: [Dnsmasq-discuss] Testers wanted: DNSSEC.
Date: Mon, 10 Feb 2014 09:14:49 -0800
In-Reply-To: <878utinbsg.fsf@toke.dk>
List-Id: Development issues regarding the cerowrt test router project

Yea! I am under the impression that the still-missing functionality is NSEC3?
Is the local-to-dnsmasq domain signable?

On Mon, Feb 10, 2014 at 8:59 AM, Toke Høiland-Jørgensen wrote:
> Simon Kelley writes:
>
>> OK. Fix (I think), in git now. Please could you test? (A byte-order problem,
>> inevitably).
>
> Yay, seems to work:
>
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: query[A] files.toke.dk from 10.42.0.7
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: forwarded files.toke.dk to 213.80.98.3
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: forwarded files.toke.dk to 213.80.98.2
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: dnssec-query[DNSKEY] toke.dk to 213.80.98.2
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: dnssec-query[DS] toke.dk to 213.80.98.2
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: dnssec-query[DNSKEY] dk to 213.80.98.2
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: dnssec-query[DS] dk to 213.80.98.2
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply dk is DS keytag 26887
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply dk is DNSKEY keytag 26887
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply dk is DNSKEY keytag 7665
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply dk is DNSKEY keytag 61294
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply dk is DNSKEY keytag 31369
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply toke.dk is DS keytag 65122
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply toke.dk is DNSKEY keytag 65122
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply toke.dk is DNSKEY keytag 22551
> Mon Feb 10 17:55:47 2014 daemon.err dnsmasq[11296]: Unexpected missing data for DNSSEC validation
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: validation result is INSECURE
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply files.toke.dk is
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply web2.tohojo.dk is 144.76.141.113
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: query[AAAA] files.toke.dk from 10.42.0.7
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: cached files.toke.dk is
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: forwarded files.toke.dk to 213.80.98.2
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: dnssec-query[DNSKEY] tohojo.dk to 213.80.98.2
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: dnssec-query[DS] tohojo.dk to 213.80.98.2
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply tohojo.dk is DS keytag 49471
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply tohojo.dk is DNSKEY keytag 49471
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply tohojo.dk is DNSKEY keytag 30141
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: validation result is SECURE
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply files.toke.dk is
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply web2.tohojo.dk is 2a01:4f8:200:3141::102
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: query[MX] files.toke.dk from 10.42.0.7
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: forwarded files.toke.dk to 213.80.98.2
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: validation result is SECURE
>
>
> Dunno why it starts out insecure (?), but seems to get to the right
> place.
>
> Can also do sigchase:
>
> $ dig +sigchase files.toke.dk @10.42.0.8
> ...snip...
>
>
> Launch a query to find a RRset of type DS for zone: .
> ;; NO ANSWERS: no more
>
> ;; WARNING There is no DS for the zone: .
>
>
>
> ;; WE HAVE MATERIAL, WE NOW DO VALIDATION
> ;; VERIFYING DS RRset for dk. with DNSKEY:33655: success
> ;; OK We found DNSKEY (or more) to validate the RRset
> ;; Ok, find a Trusted Key in the DNSKEY RRset: 19036
> ;; VERIFYING DNSKEY RRset for . with DNSKEY:19036: success
>
> ;; Ok this DNSKEY is a Trusted Key, DNSSEC validation is ok: SUCCESS
>
>
>
> But not +trace:
>
> $ dig +trace +sigchase files.toke.dk @10.42.0.8
>
> ; <<>> DiG 9.9.2-P2 <<>> +trace +sigchase files.toke.dk @10.42.0.8
> ;; global options: +cmd
> .                 86891   IN  NS     d.root-servers.net.
> .                 86891   IN  NS     l.root-servers.net.
> .                 86891   IN  NS     h.root-servers.net.
> .                 86891   IN  NS     j.root-servers.net.
> .                 86891   IN  NS     b.root-servers.net.
> .                 86891   IN  NS     m.root-servers.net.
> .                 86891   IN  NS     k.root-servers.net.
> .                 86891   IN  NS     f.root-servers.net.
> .                 86891   IN  NS     e.root-servers.net.
> .                 86891   IN  NS     g.root-servers.net.
> .                 86891   IN  NS     a.root-servers.net.
> .                 86891   IN  NS     c.root-servers.net.
> .                 86891   IN  NS     i.root-servers.net.
> .                 325955  IN  RRSIG  NS 8 0 518400 20140215000000 20140207230000 33655 . cZOSrkiewfX+HdA2covOiYL+Z8xgBoCpJm4VZq083M51CvIFBipG1/BO JYYiRzmpQJN/l6FI5RBKmDVFq/RqkVineoIYrsIZL9RRcAF+phPO+kHU YU3ckdHZroDZCu1QUPd+Kr6Y8+9GBH8wYM++0Z6tLRA+iZXbNOadfZ9o euU=
> dk.               172800  IN  NS     l.nic.dk.
> dk.               172800  IN  NS     p.nic.dk.
> dk.               172800  IN  NS     s.nic.dk.
> dk.               172800  IN  NS     b.nic.dk.
> dk.               172800  IN  NS     c.nic.dk.
> dk.               172800  IN  NS     a.nic.dk.
> dk.               86400   IN  DS     26887 8 2 A1AB8546B80E438A7DFE0EC559A7088EC5AED3C4E0D26B1B60ED3735 F853DFD7
> dk.               86400   IN  RRSIG  DS 8 1 86400 20140217000000 20140209230000 33655 . aK1OgJzktVeo2i83KdOig62wyqkxcQmbbQePi4T7zI4OhPzI5LMz9kbS W/V7bOgNBfYBjDJg4JEYIAC0esCrGPtbAsKQ7YrKiZikNAhlD/BgTvtD JQJxc+7f4xUa6Y7/9DBKmG8Du+DftF99RngT/hCgr9hZme9YkvtGaEyo CZI=
> toke.dk.          86400   IN  NS     ns2.gratisdns.dk.
> toke.dk.          86400   IN  NS     ns1.gratisdns.dk.
> toke.dk.          86400   IN  NS     ns4.gratisdns.dk.
> toke.dk.          86400   IN  NS     ns5.gratisdns.dk.
> toke.dk.          86400   IN  NS     ns3.gratisdns.dk.
> toke.dk.          86400   IN  DS     65122 5 1 A6FEBBA66365D55C97F8671688AD52883AB582A6
> toke.dk.          86400   IN  RRSIG  DS 8 2 86400 20140308183226 20140208200232 61294 dk. thrq3zR+toPNxDln/H/qWBJbjkNK8/NosI6oriQBPXzzcd6HzOdg7l67 kbmje94nwOysKIMCz/YiNjmnEfa7X0NorTZ+e3HOyTRG+NpyQoywgxvj TAFDGuu8hsussW+ohheb0efhX4/0YSamSsSBeAImPYWTdUQY10U0sXDq BCE=
> files.toke.dk.    43200   IN  CNAME  web2.tohojo.dk.
> files.toke.dk.    43200   IN  RRSIG  CNAME 5 3 43200 20140311112400 20140209112400 22551 toke.dk. ObiMhHqVUSxsje4979EzuiDoCt7z1r1Gl946gmY9ZDe7Es+7jg1l7m8/ vyVhPDRxqNxEAsTmFXF6mkwKkK60ag==
> ;; RRset to chase:
> files.toke.dk.    43200   IN  CNAME  web2.tohojo.dk.
>
>
> ;; RRSIG of the RRset to chase:
> files.toke.dk.    43200   IN  RRSIG  CNAME 5 3 43200 20140311112400 20140209112400 22551 toke.dk. ObiMhHqVUSxsje4979EzuiDoCt7z1r1Gl946gmY9ZDe7Es+7jg1l7m8/ vyVhPDRxqNxEAsTmFXF6mkwKkK60ag==
>
>
>
> Launch a query to find a RRset of type DNSKEY for zone: toke.dk.
> toke.dk.          43200   IN  DNSKEY 256 3 5 AwEAAaYKHaUARHUtPhVTEC6vTc0SR142BVj1P/wtgCjacCkGDN5wB6Cm Y0xEwUl+NuT9btz0xQmDGOMJEKunK+HpOh0=
> toke.dk.          43200   IN  DNSKEY 257 3 5 AwEAAdV59e0KX1JymujkIbzikKCEVSExW3ixJ81hiboCHSvZv+LlMxlG sWT6uJrcEOENF+fZnDcl3u0WRgd3ctv9d40=
> toke.dk.          43200   IN  RRSIG  DNSKEY 5 2 43200 20140311112400 20140209112400 22551 toke.dk. CzZARTabg0VR00Ksv0Uz+qRqRvl06fTTZHa0k17Ccg7JdrvsnZ5DgJKy dhM7j3Rb4LHfZbcoTXXABICCvSQnoQ==
> toke.dk.          43200   IN  RRSIG  DNSKEY 5 2 43200 20140311112400 20140209112400 65122 toke.dk. Q9OqTdh4s3aGn9ExkTnYwPk8j+V9cTjEjLGXD8zY5l0HewORrqJT5Ebn R0YvK/xH/2XLnueAZ/q8khlSfjhFzA==
>
> ;; DNSKEYset that signs the RRset to chase:
> toke.dk.          43200   IN  DNSKEY 256 3 5 AwEAAaYKHaUARHUtPhVTEC6vTc0SR142BVj1P/wtgCjacCkGDN5wB6Cm Y0xEwUl+NuT9btz0xQmDGOMJEKunK+HpOh0=
> toke.dk.          43200   IN  DNSKEY 257 3 5 AwEAAdV59e0KX1JymujkIbzikKCEVSExW3ixJ81hiboCHSvZv+LlMxlG sWT6uJrcEOENF+fZnDcl3u0WRgd3ctv9d40=
>
>
> ;; RRSIG of the DNSKEYset that signs the RRset to chase:
> toke.dk.          43200   IN  RRSIG  DNSKEY 5 2 43200 20140311112400 20140209112400 22551 toke.dk. CzZARTabg0VR00Ksv0Uz+qRqRvl06fTTZHa0k17Ccg7JdrvsnZ5DgJKy dhM7j3Rb4LHfZbcoTXXABICCvSQnoQ==
> toke.dk.          43200   IN  RRSIG  DNSKEY 5 2 43200 20140311112400 20140209112400 65122 toke.dk. Q9OqTdh4s3aGn9ExkTnYwPk8j+V9cTjEjLGXD8zY5l0HewORrqJT5Ebn R0YvK/xH/2XLnueAZ/q8khlSfjhFzA==
>
>
> ;; DSset of the DNSKEYset
> toke.dk.          86400   IN  DS     65122 5 1 A6FEBBA66365D55C97F8671688AD52883AB582A6
>
>
> ;; RRSIG of the DSset of the DNSKEYset
> toke.dk.          86400   IN  RRSIG  DS 8 2 86400 20140308183226 20140208200232 61294 dk. thrq3zR+toPNxDln/H/qWBJbjkNK8/NosI6oriQBPXzzcd6HzOdg7l67 kbmje94nwOysKIMCz/YiNjmnEfa7X0NorTZ+e3HOyTRG+NpyQoywgxvj TAFDGuu8hsussW+ohheb0efhX4/0YSamSsSBeAImPYWTdUQY10U0sXDq BCE=
>
>
>
>
> ;; WE HAVE MATERIAL, WE NOW DO VALIDATION
> ;; VERIFYING CNAME RRset for files.toke.dk. with DNSKEY:22551: success
> ;; OK We found DNSKEY (or more) to validate the RRset
> ;; Now, we are going to validate this DNSKEY by the DS
> ;; OK a DS valids a DNSKEY in the RRset
> ;; Now verify that this DNSKEY validates the DNSKEY RRset
> ;; VERIFYING DNSKEY RRset for toke.dk. with DNSKEY:65122: success
> ;; OK this DNSKEY (validated by the DS) validates the RRset of the DNSKEYs, thus the DNSKEY validates the RRset
> ;; Now, we want to validate the DS : recursive call
>
>
> Launch a query to find a RRset of type DNSKEY for zone: dk.
> ;; NO ANSWERS: no more
>
> ;; DNSKEY is missing to continue validation: FAILED
>
>
> -Toke
>
> _______________________________________________
> Cerowrt-devel mailing list
> Cerowrt-devel@lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/cerowrt-devel
>

-- 
Dave Täht
Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html
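The log excerpt Toke posted is the only evidence of what dnsmasq's validator actually did for each query: which DS/DNSKEY records it fetched, whether it hit an error, and whether it ended SECURE or INSECURE. The following is an added example, not code from the thread or from dnsmasq, that parses those log lines (embedded below as a constructed sample, copied from the message above) and groups them per client query so that an INSECURE result paired with a daemon.err line, like the first A lookup, stands out from a legitimately INSECURE answer for an unsigned zone. The regexes assume the 2014-era dnsmasq message formats visible in the excerpt; the grouping assumes queries are logged one after another rather than interleaved, which is an assumption that only holds on a quiet resolver.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample input: the dnsmasq lines quoted in the thread above.
# The two "reply files.toke.dk is" lines lost their CNAME target to the
# list archive's HTML stripping and are reproduced as they appear there.
SAMPLE_LOG = """\
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: query[A] files.toke.dk from 10.42.0.7
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: forwarded files.toke.dk to 213.80.98.3
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: forwarded files.toke.dk to 213.80.98.2
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: dnssec-query[DNSKEY] toke.dk to 213.80.98.2
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: dnssec-query[DS] toke.dk to 213.80.98.2
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: dnssec-query[DNSKEY] dk to 213.80.98.2
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: dnssec-query[DS] dk to 213.80.98.2
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply dk is DS keytag 26887
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply dk is DNSKEY keytag 26887
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply dk is DNSKEY keytag 7665
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply dk is DNSKEY keytag 61294
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply dk is DNSKEY keytag 31369
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply toke.dk is DS keytag 65122
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply toke.dk is DNSKEY keytag 65122
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply toke.dk is DNSKEY keytag 22551
Mon Feb 10 17:55:47 2014 daemon.err dnsmasq[11296]: Unexpected missing data for DNSSEC validation
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: validation result is INSECURE
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply files.toke.dk is
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply web2.tohojo.dk is 144.76.141.113
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: query[AAAA] files.toke.dk from 10.42.0.7
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: cached files.toke.dk is
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: forwarded files.toke.dk to 213.80.98.2
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: dnssec-query[DNSKEY] tohojo.dk to 213.80.98.2
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: dnssec-query[DS] tohojo.dk to 213.80.98.2
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply tohojo.dk is DS keytag 49471
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply tohojo.dk is DNSKEY keytag 49471
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply tohojo.dk is DNSKEY keytag 30141
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: validation result is SECURE
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply files.toke.dk is
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply web2.tohojo.dk is 2a01:4f8:200:3141::102
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: query[MX] files.toke.dk from 10.42.0.7
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: forwarded files.toke.dk to 213.80.98.2
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: validation result is SECURE
"""

# syslog-style prefix as seen in the excerpt: timestamp, facility.severity, pid, message
PREFIX = re.compile(r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) "
                    r"(?P<sev>\S+) dnsmasq\[(?P<pid>\d+)\]: (?P<msg>.*)$")
QUERY = re.compile(r"^query\[(?P<qtype>\w+)\] (?P<name>\S+) from (?P<client>\S+)$")
KEYTAG = re.compile(r"^reply (?P<zone>\S+) is (?P<rtype>DS|DNSKEY) keytag (?P<tag>\d+)$")
RESULT = re.compile(r"^validation result is (?P<result>\S+)$")


@dataclass
class QueryRecord:
    name: str
    qtype: str
    client: str
    chain: List[Tuple[str, str, int]] = field(default_factory=list)  # (zone, DS|DNSKEY, keytag)
    errors: List[str] = field(default_factory=list)                  # messages logged at *.err
    result: Optional[str] = None                                     # SECURE / INSECURE / ...


def parse_dnssec_log(text: str) -> List[QueryRecord]:
    """Group dnsmasq log lines by the query[...] line that started them.
    Assumption: queries are logged sequentially, not interleaved."""
    records: List[QueryRecord] = []
    current: Optional[QueryRecord] = None
    for line in text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue  # not a dnsmasq line
        msg = m.group("msg")
        q = QUERY.match(msg)
        if q:
            current = QueryRecord(q["name"], q["qtype"], q["client"])
            records.append(current)
            continue
        if current is None:
            continue  # lines before the first query cannot be attributed
        k = KEYTAG.match(msg)
        if k:
            current.chain.append((k["zone"], k["rtype"], int(k["tag"])))
            continue
        r = RESULT.match(msg)
        if r:
            current.result = r["result"]
            continue
        if m.group("sev").endswith(".err"):
            current.errors.append(msg)
    return records


def zones_in_chain(rec: QueryRecord) -> List[str]:
    """Distinct zones whose DS/DNSKEY answers were logged, in log order."""
    seen: List[str] = []
    for zone, _, _ in rec.chain:
        if zone not in seen:
            seen.append(zone)
    return seen


def not_secure(records: List[QueryRecord]) -> List[QueryRecord]:
    """Queries that did not end SECURE or that logged an error on the way.
    INSECURE alone is normal for an unsigned zone; INSECURE plus an error
    (as in the first A query above) is what deserves a look."""
    return [r for r in records if r.result != "SECURE" or r.errors]


if __name__ == "__main__":
    for rec in parse_dnssec_log(SAMPLE_LOG):
        flag = "!!" if rec in not_secure([rec]) else "ok"
        print(f"{flag} {rec.qtype:5} {rec.name:15} result={rec.result} "
              f"zones={zones_in_chain(rec)} errors={rec.errors}")
```

Run against the sample, the A query is the only one flagged: it fetched keys for dk and toke.dk, logged the daemon.err line, and ended INSECURE, while the AAAA query (which only needed tohojo.dk) and the MX query ended SECURE. The sequential grouping is the weak point of this approach on a busy resolver, where several clients' queries interleave in the log; later dnsmasq releases accept log-queries=extra, which prefixes each line with a per-query serial number, and a parser for those logs should key on that serial instead of on line order.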