[Cerowrt-devel] Fwd: [Dnsmasq-discuss] Testers wanted: DNSSEC.
Simon Kelley
simon at thekelleys.org.uk
Thu Feb 6 09:40:46 EST 2014
On 06/02/14 13:42, Toke Høiland-Jørgensen wrote:
> Simon Kelley<simon at thekelleys.org.uk> writes:
>
>> Otherwise, just the usual stuff, crashes, infinite loops, wrong
>> answers. "internal error" log entries.
>
> Right, another data point: got an invalid signature:
>
> dnsmasq[21893]: query[A] www.tcpdump.org from 127.0.0.1
> dnsmasq[21893]: forwarded www.tcpdump.org to 127.0.0.1
> dnsmasq[21893]: validation result is BOGUS
> dnsmasq[21893]: reply www.tcpdump.org is 69.4.231.52
> dnsmasq[21893]: reply www.tcpdump.org is 132.213.238.6
>
> Seems to be correct, though:
>
> $ dig +trace +dnssec +sigchase www.tcpdump.org
> ...snip...
>
> ;; WE HAVE MATERIAL, WE NOW DO VALIDATION
> ;; VERIFYING A RRset for www.tcpdump.org. with DNSKEY:20163: RRSIG has expired
> ;; No DNSKEY is valid to check the RRSIG of the RRset: FAILED
>
> Turning on dnssec-debug also "helps":
>
> $ host www.tcpdump.org
> www.tcpdump.org has address 69.4.231.52
> www.tcpdump.org has address 132.213.238.6
> www.tcpdump.org has RRSIG record A 5 3 60 20131226232352 20131126222352 20163 tcpdump.org.
                                            ^^^^^^^^^^^^^^
> iyzWHZ5I6wkK6uZrmNg22SZnP2JKHN1LSE9Vo+PE3J1tbA9cPcVlas3v
> O8PtAGjzjP/TnGRaBSbni+Bwr6GJMRT1+S1Fw1aBCeTyioRmDPP0WS48
> K6WULn5Mf35KNqzpHb+1YcvP2MeSp5oMVv3uFUjONlt7RqPHVTgfnR1L zy8=
> www.tcpdump.org has IPv6 address 2607:f0d0:3001:62:1::52
> www.tcpdump.org has IPv6 address 2001:4830:116e:2::6
> www.tcpdump.org has RRSIG record AAAA 5 3 60 20131226232352 20131126222352 20163 tcpdump.org.
                                               ^^^^^^^^^^^^^^
> L71XIeQLyVmZf4eXbBvefojm8qYhc/xAXR3S28pKBdeUgXl1DfePO8Il
> lUZhAXowKAw8H1529AglgW8HGAiJGwzoVefYz+GnZCg2N6AWoYM4gxve
> XwPtCDx51FAKkINkMX1XGqUIIX6Bq26RPcth0JSVCA+Fy+29ZxeitN36 sBk=
>
In case it's not obvious, yes, the sig(s) have expired.
Cheers,
Simon.
>
> -Toke
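
Added example, not part of the original thread and not dnsmasq code: a small checker that pulls the expiration and inception fields out of RRSIG lines such as the host output quoted above and reports whether a given time falls inside the signature validity window. The function names are made up for this example, and the sample keeps only the RRSIG header fields from the thread.

```python
import re
from datetime import datetime, timezone

# RRSIG RDATA in presentation form (RFC 4034 section 3.2):
# type-covered algorithm labels original-TTL expiration inception key-tag signer
RRSIG_RE = re.compile(
    r"RRSIG\s+(?:record\s+)?(?P<covered>[A-Z0-9]+)\s+(?P<alg>\d+)\s+(?P<labels>\d+)\s+"
    r"(?P<ttl>\d+)\s+(?P<exp>\d+)\s+(?P<inc>\d+)\s+(?P<tag>\d+)\s+(?P<signer>\S+)"
)


def parse_time(field):
    """14 digits mean YYYYMMDDHHmmSS in UTC; otherwise seconds since the epoch.

    Simplification for this example: 32-bit serial-number wraparound is ignored.
    """
    if len(field) == 14:
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)


def check_rrsigs(text, now):
    """Return (type covered, key tag, status) for each RRSIG found in text."""
    results = []
    for m in RRSIG_RE.finditer(text):
        exp, inc = parse_time(m["exp"]), parse_time(m["inc"])
        if now > exp:
            status = "expired"
        elif now < inc:
            status = "not yet valid"
        else:
            status = "in validity window"
        results.append((m["covered"], int(m["tag"]), status))
    return results


# RRSIG header fields copied from the host output quoted above (signature data omitted).
SAMPLE = """\
www.tcpdump.org has RRSIG record A 5 3 60 20131226232352 20131126222352 20163 tcpdump.org.
www.tcpdump.org has RRSIG record AAAA 5 3 60 20131226232352 20131126222352 20163 tcpdump.org.
"""

if __name__ == "__main__":
    # Date of the message above, taken as UTC for the example.
    when = datetime(2014, 2, 6, 14, 40, 46, tzinfo=timezone.utc)
    for covered, tag, status in check_rrsigs(SAMPLE, when):
        print(f"{covered:5} key tag {tag}: {status}")
```

A validator also has to check the signature itself against the DNSKEY; this only covers the time window, which is the part that failed here.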