[Cerowrt-devel] Fwd: [Dnsmasq-discuss] Testers wanted: DNSSEC.

Dave Taht dave.taht at gmail.com
Mon Feb 10 12:14:49 EST 2014


Yea! I am under the impression that still missing functionality is nsec3?

Is the local-to-dnsmasq domain signable?

On Mon, Feb 10, 2014 at 8:59 AM, Toke Høiland-Jørgensen <toke at toke.dk> wrote:
> Simon Kelley <simon at thekelleys.org.uk> writes:
>
>> OK. Fix (I think), in git now. Please could you test? (A byte-order problem,
>> inevitably).
>
> Yay, seems to work:
>
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: query[A] files.toke.dk from 10.42.0.7
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: forwarded files.toke.dk to 213.80.98.3
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: forwarded files.toke.dk to 213.80.98.2
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: dnssec-query[DNSKEY] toke.dk to 213.80.98.2
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: dnssec-query[DS] toke.dk to 213.80.98.2
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: dnssec-query[DNSKEY] dk to 213.80.98.2
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: dnssec-query[DS] dk to 213.80.98.2
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply dk is DS keytag 26887
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply dk is DNSKEY keytag 26887
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply dk is DNSKEY keytag 7665
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply dk is DNSKEY keytag 61294
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply dk is DNSKEY keytag 31369
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply toke.dk is DS keytag 65122
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply toke.dk is DNSKEY keytag 65122
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply toke.dk is DNSKEY keytag 22551
> Mon Feb 10 17:55:47 2014 daemon.err dnsmasq[11296]: Unexpected missing data for DNSSEC validation
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: validation result is INSECURE
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply files.toke.dk is <CNAME>
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply web2.tohojo.dk is 144.76.141.113
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: query[AAAA] files.toke.dk from 10.42.0.7
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: cached files.toke.dk is <CNAME>
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: forwarded files.toke.dk to 213.80.98.2
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: dnssec-query[DNSKEY] tohojo.dk to 213.80.98.2
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: dnssec-query[DS] tohojo.dk to 213.80.98.2
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply tohojo.dk is DS keytag 49471
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply tohojo.dk is DNSKEY keytag 49471
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply tohojo.dk is DNSKEY keytag 30141
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: validation result is SECURE
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply files.toke.dk is <CNAME>
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply web2.tohojo.dk is 2a01:4f8:200:3141::102
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: query[MX] files.toke.dk from 10.42.0.7
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: forwarded files.toke.dk to 213.80.98.2
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: validation result is SECURE
>
>
> Dunno why it starts out insecure (?), but seems to get to the right
> place.
>
> Can also do sigchase:
>
> $ dig +sigchase files.toke.dk @10.42.0.8
> ...snip...
>
>
> Launch a query to find a RRset of type DS for zone: .
> ;; NO ANSWERS: no more
>
> ;; WARNING There is no DS for the zone: .
>
>
>
> ;; WE HAVE MATERIAL, WE NOW DO VALIDATION
> ;; VERIFYING DS RRset for dk. with DNSKEY:33655: success
> ;; OK We found DNSKEY (or more) to validate the RRset
> ;; Ok, find a Trusted Key in the DNSKEY RRset: 19036
> ;; VERIFYING DNSKEY RRset for . with DNSKEY:19036: success
>
> ;; Ok this DNSKEY is a Trusted Key, DNSSEC validation is ok: SUCCESS
>
>
>
> But not +trace:
>
> $ dig +trace +sigchase files.toke.dk @10.42.0.8
>
> ; <<>> DiG 9.9.2-P2 <<>> +trace +sigchase files.toke.dk @10.42.0.8
> ;; global options: +cmd
> .                       86891   IN      NS      d.root-servers.net.
> .                       86891   IN      NS      l.root-servers.net.
> .                       86891   IN      NS      h.root-servers.net.
> .                       86891   IN      NS      j.root-servers.net.
> .                       86891   IN      NS      b.root-servers.net.
> .                       86891   IN      NS      m.root-servers.net.
> .                       86891   IN      NS      k.root-servers.net.
> .                       86891   IN      NS      f.root-servers.net.
> .                       86891   IN      NS      e.root-servers.net.
> .                       86891   IN      NS      g.root-servers.net.
> .                       86891   IN      NS      a.root-servers.net.
> .                       86891   IN      NS      c.root-servers.net.
> .                       86891   IN      NS      i.root-servers.net.
> .                       325955  IN      RRSIG   NS 8 0 518400 20140215000000 20140207230000 33655 . cZOSrkiewfX+HdA2covOiYL+Z8xgBoCpJm4VZq083M51CvIFBipG1/BO JYYiRzmpQJN/l6FI5RBKmDVFq/RqkVineoIYrsIZL9RRcAF+phPO+kHU YU3ckdHZroDZCu1QUPd+Kr6Y8+9GBH8wYM++0Z6tLRA+iZXbNOadfZ9o euU=
> dk.                     172800  IN      NS      l.nic.dk.
> dk.                     172800  IN      NS      p.nic.dk.
> dk.                     172800  IN      NS      s.nic.dk.
> dk.                     172800  IN      NS      b.nic.dk.
> dk.                     172800  IN      NS      c.nic.dk.
> dk.                     172800  IN      NS      a.nic.dk.
> dk.                     86400   IN      DS      26887 8 2 A1AB8546B80E438A7DFE0EC559A7088EC5AED3C4E0D26B1B60ED3735 F853DFD7
> dk.                     86400   IN      RRSIG   DS 8 1 86400 20140217000000 20140209230000 33655 . aK1OgJzktVeo2i83KdOig62wyqkxcQmbbQePi4T7zI4OhPzI5LMz9kbS W/V7bOgNBfYBjDJg4JEYIAC0esCrGPtbAsKQ7YrKiZikNAhlD/BgTvtD JQJxc+7f4xUa6Y7/9DBKmG8Du+DftF99RngT/hCgr9hZme9YkvtGaEyo CZI=
> toke.dk.                86400   IN      NS      ns2.gratisdns.dk.
> toke.dk.                86400   IN      NS      ns1.gratisdns.dk.
> toke.dk.                86400   IN      NS      ns4.gratisdns.dk.
> toke.dk.                86400   IN      NS      ns5.gratisdns.dk.
> toke.dk.                86400   IN      NS      ns3.gratisdns.dk.
> toke.dk.                86400   IN      DS      65122 5 1 A6FEBBA66365D55C97F8671688AD52883AB582A6
> toke.dk.                86400   IN      RRSIG   DS 8 2 86400 20140308183226 20140208200232 61294 dk. thrq3zR+toPNxDln/H/qWBJbjkNK8/NosI6oriQBPXzzcd6HzOdg7l67 kbmje94nwOysKIMCz/YiNjmnEfa7X0NorTZ+e3HOyTRG+NpyQoywgxvj TAFDGuu8hsussW+ohheb0efhX4/0YSamSsSBeAImPYWTdUQY10U0sXDq BCE=
> files.toke.dk.          43200   IN      CNAME   web2.tohojo.dk.
> files.toke.dk.          43200   IN      RRSIG   CNAME 5 3 43200 20140311112400 20140209112400 22551 toke.dk. ObiMhHqVUSxsje4979EzuiDoCt7z1r1Gl946gmY9ZDe7Es+7jg1l7m8/ vyVhPDRxqNxEAsTmFXF6mkwKkK60ag==
> ;; RRset to chase:
> files.toke.dk.          43200   IN      CNAME   web2.tohojo.dk.
>
>
> ;; RRSIG of the RRset to chase:
> files.toke.dk.          43200   IN      RRSIG   CNAME 5 3 43200 20140311112400 20140209112400 22551 toke.dk. ObiMhHqVUSxsje4979EzuiDoCt7z1r1Gl946gmY9ZDe7Es+7jg1l7m8/ vyVhPDRxqNxEAsTmFXF6mkwKkK60ag==
>
>
>
> Launch a query to find a RRset of type DNSKEY for zone: toke.dk.
> toke.dk.                43200   IN      DNSKEY  256 3 5 AwEAAaYKHaUARHUtPhVTEC6vTc0SR142BVj1P/wtgCjacCkGDN5wB6Cm Y0xEwUl+NuT9btz0xQmDGOMJEKunK+HpOh0=
> toke.dk.                43200   IN      DNSKEY  257 3 5 AwEAAdV59e0KX1JymujkIbzikKCEVSExW3ixJ81hiboCHSvZv+LlMxlG sWT6uJrcEOENF+fZnDcl3u0WRgd3ctv9d40=
> toke.dk.                43200   IN      RRSIG   DNSKEY 5 2 43200 20140311112400 20140209112400 22551 toke.dk. CzZARTabg0VR00Ksv0Uz+qRqRvl06fTTZHa0k17Ccg7JdrvsnZ5DgJKy dhM7j3Rb4LHfZbcoTXXABICCvSQnoQ==
> toke.dk.                43200   IN      RRSIG   DNSKEY 5 2 43200 20140311112400 20140209112400 65122 toke.dk. Q9OqTdh4s3aGn9ExkTnYwPk8j+V9cTjEjLGXD8zY5l0HewORrqJT5Ebn R0YvK/xH/2XLnueAZ/q8khlSfjhFzA==
>
> ;; DNSKEYset that signs the RRset to chase:
> toke.dk.                43200   IN      DNSKEY  256 3 5 AwEAAaYKHaUARHUtPhVTEC6vTc0SR142BVj1P/wtgCjacCkGDN5wB6Cm Y0xEwUl+NuT9btz0xQmDGOMJEKunK+HpOh0=
> toke.dk.                43200   IN      DNSKEY  257 3 5 AwEAAdV59e0KX1JymujkIbzikKCEVSExW3ixJ81hiboCHSvZv+LlMxlG sWT6uJrcEOENF+fZnDcl3u0WRgd3ctv9d40=
>
>
> ;; RRSIG of the DNSKEYset that signs the RRset to chase:
> toke.dk.                43200   IN      RRSIG   DNSKEY 5 2 43200 20140311112400 20140209112400 22551 toke.dk. CzZARTabg0VR00Ksv0Uz+qRqRvl06fTTZHa0k17Ccg7JdrvsnZ5DgJKy dhM7j3Rb4LHfZbcoTXXABICCvSQnoQ==
> toke.dk.                43200   IN      RRSIG   DNSKEY 5 2 43200 20140311112400 20140209112400 65122 toke.dk. Q9OqTdh4s3aGn9ExkTnYwPk8j+V9cTjEjLGXD8zY5l0HewORrqJT5Ebn R0YvK/xH/2XLnueAZ/q8khlSfjhFzA==
>
>
> ;; DSset of the DNSKEYset
> toke.dk.                86400   IN      DS      65122 5 1 A6FEBBA66365D55C97F8671688AD52883AB582A6
>
>
> ;; RRSIG of the DSset of the DNSKEYset
> toke.dk.                86400   IN      RRSIG   DS 8 2 86400 20140308183226 20140208200232 61294 dk. thrq3zR+toPNxDln/H/qWBJbjkNK8/NosI6oriQBPXzzcd6HzOdg7l67 kbmje94nwOysKIMCz/YiNjmnEfa7X0NorTZ+e3HOyTRG+NpyQoywgxvj TAFDGuu8hsussW+ohheb0efhX4/0YSamSsSBeAImPYWTdUQY10U0sXDq BCE=
>
>
>
>
> ;; WE HAVE MATERIAL, WE NOW DO VALIDATION
> ;; VERIFYING CNAME RRset for files.toke.dk. with DNSKEY:22551: success
> ;; OK We found DNSKEY (or more) to validate the RRset
> ;; Now, we are going to validate this DNSKEY by the DS
> ;; OK a DS valids a DNSKEY in the RRset
> ;; Now verify that this DNSKEY validates the DNSKEY RRset
> ;; VERIFYING DNSKEY RRset for toke.dk. with DNSKEY:65122: success
> ;; OK this DNSKEY (validated by the DS) validates the RRset of the DNSKEYs, thus the DNSKEY validates the RRset
> ;; Now, we want to validate the DS :  recursive call
>
>
> Launch a query to find a RRset of type DNSKEY for zone: dk.
> ;; NO ANSWERS: no more
>
> ;; DNSKEY is missing to continue validation: FAILED
>
>
> -Toke
>
> _______________________________________________
> Cerowrt-devel mailing list
> Cerowrt-devel at lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/cerowrt-devel
>



-- 
Dave Täht

Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html
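A small parser for the dnsmasq DNSSEC log lines Toke quoted above, added here as an example (it is not part of the thread or of dnsmasq itself): it groups the dnssec-query, keytag and validation-result lines under the client query that triggered them and lists the queries that did not end SECURE, which is how a defender would pick out the INSECURE result and the "Unexpected missing data" error from a busy log. It assumes queries do not interleave in the log (dnsmasq logs no query id here), so in-order grouping is used.

```python
import re

# Log lines quoted in the thread (dnsmasq with log-queries and DNSSEC enabled), trimmed.
SAMPLE_LOG = """\
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: query[A] files.toke.dk from 10.42.0.7
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: dnssec-query[DNSKEY] toke.dk to 213.80.98.2
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply toke.dk is DS keytag 65122
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply toke.dk is DNSKEY keytag 65122
Mon Feb 10 17:55:47 2014 daemon.err dnsmasq[11296]: Unexpected missing data for DNSSEC validation
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: validation result is INSECURE
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply files.toke.dk is <CNAME>
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: query[AAAA] files.toke.dk from 10.42.0.7
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: dnssec-query[DNSKEY] tohojo.dk to 213.80.98.2
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply tohojo.dk is DNSKEY keytag 49471
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: validation result is SECURE
"""

# syslog prefix (timestamp, facility.priority, "dnsmasq[pid]:"), then the message text
LINE_RE = re.compile(r"^\w{3} \w{3} +\d+ [\d:]+ \d{4} (?P<prio>\S+) dnsmasq\[\d+\]: (?P<msg>.*)$")
QUERY_RE = re.compile(r"^query\[(\w+)\] (\S+) from (\S+)$")
DNSSEC_RE = re.compile(r"^dnssec-query\[(\w+)\] (\S+) to \S+$")
KEYTAG_RE = re.compile(r"^reply (\S+) is (DS|DNSKEY) keytag (\d+)$")
RESULT_RE = re.compile(r"^validation result is (\w+)$")

def parse_dnssec_log(text):
    """One record per client query; the DNSSEC lines that follow it are attached to it.
    Assumption: queries do not interleave, so lines are grouped in order of appearance."""
    records, cur = [], None
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        msg = m["msg"]
        if q := QUERY_RE.match(msg):
            cur = {"qtype": q[1], "name": q[2], "client": q[3],
                   "zones": set(), "keytags": {}, "result": None, "errors": []}
            records.append(cur)
        elif cur is None:
            continue
        elif d := DNSSEC_RE.match(msg):
            cur["zones"].add(d[2])                      # zones whose DS/DNSKEY were fetched
        elif k := KEYTAG_RE.match(msg):
            cur["keytags"].setdefault(k[1], []).append((k[2], int(k[3])))
        elif r := RESULT_RE.match(msg):
            cur["result"] = r[1]                        # SECURE, INSECURE, ...
        elif m["prio"].endswith(".err"):
            cur["errors"].append(msg)                   # e.g. "Unexpected missing data ..."
    return records

def not_fully_secure(records):
    # Queries worth a closer look: any result other than SECURE, or an error logged while validating.
    return [(r["qtype"], r["name"], r["result"]) for r in records
            if r["result"] != "SECURE" or r["errors"]]
```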


