[Cerowrt-devel] Fwd: [Dnsmasq-discuss] Testers wanted: DNSSEC.
Simon Kelley
simon at thekelleys.org.uk
Mon Feb 10 16:47:02 EST 2014
On 10/02/14 17:14, Dave Taht wrote:
> Yea! I am under the impression that still missing functionality is nsec3?
The trace below reveals another problem, but that's fixed now.
NSEC3 remains to be done.
I'm still in a quandary about stripping DNSSEC information from upstream
answers when the question doesn't set the DO bit. Strictly that's a MUST
in the RFC, but my judgement is doing it is more likely to cause
problems ('cos it's difficult to do robustly),
I've just had doubts about trust anchors, see separate mail.
>
> Is the local-to-dnsmasq domain signable?
No.
Cheers,
Simon.
>
> On Mon, Feb 10, 2014 at 8:59 AM, Toke Høiland-Jørgensen<toke at toke.dk> wrote:
>> Simon Kelley<simon at thekelleys.org.uk> writes:
>>
>>> OK. Fix (I think), in git now. Please could you test? (A byte-order problem,
>>> inevitably).
>>
>> Yay, seems to work:
>>
>> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: query[A] files.toke.dk from 10.42.0.7
>> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: forwarded files.toke.dk to 213.80.98.3
>> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: forwarded files.toke.dk to 213.80.98.2
>> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: dnssec-query[DNSKEY] toke.dk to 213.80.98.2
>> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: dnssec-query[DS] toke.dk to 213.80.98.2
>> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: dnssec-query[DNSKEY] dk to 213.80.98.2
>> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: dnssec-query[DS] dk to 213.80.98.2
>> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply dk is DS keytag 26887
>> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply dk is DNSKEY keytag 26887
>> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply dk is DNSKEY keytag 7665
>> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply dk is DNSKEY keytag 61294
>> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply dk is DNSKEY keytag 31369
>> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply toke.dk is DS keytag 65122
>> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply toke.dk is DNSKEY keytag 65122
>> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply toke.dk is DNSKEY keytag 22551
>> Mon Feb 10 17:55:47 2014 daemon.err dnsmasq[11296]: Unexpected missing data for DNSSEC validation
>> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: validation result is INSECURE
>> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply files.toke.dk is<CNAME>
>> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply web2.tohojo.dk is 144.76.141.113
>> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: query[AAAA] files.toke.dk from 10.42.0.7
>> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: cached files.toke.dk is<CNAME>
>> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: forwarded files.toke.dk to 213.80.98.2
>> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: dnssec-query[DNSKEY] tohojo.dk to 213.80.98.2
>> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: dnssec-query[DS] tohojo.dk to 213.80.98.2
>> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply tohojo.dk is DS keytag 49471
>> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply tohojo.dk is DNSKEY keytag 49471
>> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply tohojo.dk is DNSKEY keytag 30141
>> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: validation result is SECURE
>> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply files.toke.dk is<CNAME>
>> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply web2.tohojo.dk is 2a01:4f8:200:3141::102
>> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: query[MX] files.toke.dk from 10.42.0.7
>> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: forwarded files.toke.dk to 213.80.98.2
>> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: validation result is SECURE
>>
>>
>> Dunno why it starts out insecure (?), but seems to get to the right
>> place.
>>
>> Can also do sigchase:
>>
>> $ dig +sigchase files.toke.dk @10.42.0.8
>> ...snip...
>>
>>
>> Launch a query to find a RRset of type DS for zone: .
>> ;; NO ANSWERS: no more
>>
>> ;; WARNING There is no DS for the zone: .
>>
>>
>>
>> ;; WE HAVE MATERIAL, WE NOW DO VALIDATION
>> ;; VERIFYING DS RRset for dk. with DNSKEY:33655: success
>> ;; OK We found DNSKEY (or more) to validate the RRset
>> ;; Ok, find a Trusted Key in the DNSKEY RRset: 19036
>> ;; VERIFYING DNSKEY RRset for . with DNSKEY:19036: success
>>
>> ;; Ok this DNSKEY is a Trusted Key, DNSSEC validation is ok: SUCCESS
>>
>>
>>
>> But not +trace:
>>
>> $ dig +trace +sigchase files.toke.dk @10.42.0.8
>>
>> ;<<>> DiG 9.9.2-P2<<>> +trace +sigchase files.toke.dk @10.42.0.8
>> ;; global options: +cmd
>> . 86891 IN NS d.root-servers.net.
>> . 86891 IN NS l.root-servers.net.
>> . 86891 IN NS h.root-servers.net.
>> . 86891 IN NS j.root-servers.net.
>> . 86891 IN NS b.root-servers.net.
>> . 86891 IN NS m.root-servers.net.
>> . 86891 IN NS k.root-servers.net.
>> . 86891 IN NS f.root-servers.net.
>> . 86891 IN NS e.root-servers.net.
>> . 86891 IN NS g.root-servers.net.
>> . 86891 IN NS a.root-servers.net.
>> . 86891 IN NS c.root-servers.net.
>> . 86891 IN NS i.root-servers.net.
>> . 325955 IN RRSIG NS 8 0 518400 20140215000000 20140207230000 33655 . cZOSrkiewfX+HdA2covOiYL+Z8xgBoCpJm4VZq083M51CvIFBipG1/BO JYYiRzmpQJN/l6FI5RBKmDVFq/RqkVineoIYrsIZL9RRcAF+phPO+kHU YU3ckdHZroDZCu1QUPd+Kr6Y8+9GBH8wYM++0Z6tLRA+iZXbNOadfZ9o euU=
>> dk. 172800 IN NS l.nic.dk.
>> dk. 172800 IN NS p.nic.dk.
>> dk. 172800 IN NS s.nic.dk.
>> dk. 172800 IN NS b.nic.dk.
>> dk. 172800 IN NS c.nic.dk.
>> dk. 172800 IN NS a.nic.dk.
>> dk. 86400 IN DS 26887 8 2 A1AB8546B80E438A7DFE0EC559A7088EC5AED3C4E0D26B1B60ED3735 F853DFD7
>> dk. 86400 IN RRSIG DS 8 1 86400 20140217000000 20140209230000 33655 . aK1OgJzktVeo2i83KdOig62wyqkxcQmbbQePi4T7zI4OhPzI5LMz9kbS W/V7bOgNBfYBjDJg4JEYIAC0esCrGPtbAsKQ7YrKiZikNAhlD/BgTvtD JQJxc+7f4xUa6Y7/9DBKmG8Du+DftF99RngT/hCgr9hZme9YkvtGaEyo CZI=
>> toke.dk. 86400 IN NS ns2.gratisdns.dk.
>> toke.dk. 86400 IN NS ns1.gratisdns.dk.
>> toke.dk. 86400 IN NS ns4.gratisdns.dk.
>> toke.dk. 86400 IN NS ns5.gratisdns.dk.
>> toke.dk. 86400 IN NS ns3.gratisdns.dk.
>> toke.dk. 86400 IN DS 65122 5 1 A6FEBBA66365D55C97F8671688AD52883AB582A6
>> toke.dk. 86400 IN RRSIG DS 8 2 86400 20140308183226 20140208200232 61294 dk. thrq3zR+toPNxDln/H/qWBJbjkNK8/NosI6oriQBPXzzcd6HzOdg7l67 kbmje94nwOysKIMCz/YiNjmnEfa7X0NorTZ+e3HOyTRG+NpyQoywgxvj TAFDGuu8hsussW+ohheb0efhX4/0YSamSsSBeAImPYWTdUQY10U0sXDq BCE=
>> files.toke.dk. 43200 IN CNAME web2.tohojo.dk.
>> files.toke.dk. 43200 IN RRSIG CNAME 5 3 43200 20140311112400 20140209112400 22551 toke.dk. ObiMhHqVUSxsje4979EzuiDoCt7z1r1Gl946gmY9ZDe7Es+7jg1l7m8/ vyVhPDRxqNxEAsTmFXF6mkwKkK60ag==
>> ;; RRset to chase:
>> files.toke.dk. 43200 IN CNAME web2.tohojo.dk.
>>
>>
>> ;; RRSIG of the RRset to chase:
>> files.toke.dk. 43200 IN RRSIG CNAME 5 3 43200 20140311112400 20140209112400 22551 toke.dk. ObiMhHqVUSxsje4979EzuiDoCt7z1r1Gl946gmY9ZDe7Es+7jg1l7m8/ vyVhPDRxqNxEAsTmFXF6mkwKkK60ag==
>>
>>
>>
>> Launch a query to find a RRset of type DNSKEY for zone: toke.dk.
>> toke.dk. 43200 IN DNSKEY 256 3 5 AwEAAaYKHaUARHUtPhVTEC6vTc0SR142BVj1P/wtgCjacCkGDN5wB6Cm Y0xEwUl+NuT9btz0xQmDGOMJEKunK+HpOh0=
>> toke.dk. 43200 IN DNSKEY 257 3 5 AwEAAdV59e0KX1JymujkIbzikKCEVSExW3ixJ81hiboCHSvZv+LlMxlG sWT6uJrcEOENF+fZnDcl3u0WRgd3ctv9d40=
>> toke.dk. 43200 IN RRSIG DNSKEY 5 2 43200 20140311112400 20140209112400 22551 toke.dk. CzZARTabg0VR00Ksv0Uz+qRqRvl06fTTZHa0k17Ccg7JdrvsnZ5DgJKy dhM7j3Rb4LHfZbcoTXXABICCvSQnoQ==
>> toke.dk. 43200 IN RRSIG DNSKEY 5 2 43200 20140311112400 20140209112400 65122 toke.dk. Q9OqTdh4s3aGn9ExkTnYwPk8j+V9cTjEjLGXD8zY5l0HewORrqJT5Ebn R0YvK/xH/2XLnueAZ/q8khlSfjhFzA==
>>
>> ;; DNSKEYset that signs the RRset to chase:
>> toke.dk. 43200 IN DNSKEY 256 3 5 AwEAAaYKHaUARHUtPhVTEC6vTc0SR142BVj1P/wtgCjacCkGDN5wB6Cm Y0xEwUl+NuT9btz0xQmDGOMJEKunK+HpOh0=
>> toke.dk. 43200 IN DNSKEY 257 3 5 AwEAAdV59e0KX1JymujkIbzikKCEVSExW3ixJ81hiboCHSvZv+LlMxlG sWT6uJrcEOENF+fZnDcl3u0WRgd3ctv9d40=
>>
>>
>> ;; RRSIG of the DNSKEYset that signs the RRset to chase:
>> toke.dk. 43200 IN RRSIG DNSKEY 5 2 43200 20140311112400 20140209112400 22551 toke.dk. CzZARTabg0VR00Ksv0Uz+qRqRvl06fTTZHa0k17Ccg7JdrvsnZ5DgJKy dhM7j3Rb4LHfZbcoTXXABICCvSQnoQ==
>> toke.dk. 43200 IN RRSIG DNSKEY 5 2 43200 20140311112400 20140209112400 65122 toke.dk. Q9OqTdh4s3aGn9ExkTnYwPk8j+V9cTjEjLGXD8zY5l0HewORrqJT5Ebn R0YvK/xH/2XLnueAZ/q8khlSfjhFzA==
>>
>>
>> ;; DSset of the DNSKEYset
>> toke.dk. 86400 IN DS 65122 5 1 A6FEBBA66365D55C97F8671688AD52883AB582A6
>>
>>
>> ;; RRSIG of the DSset of the DNSKEYset
>> toke.dk. 86400 IN RRSIG DS 8 2 86400 20140308183226 20140208200232 61294 dk. thrq3zR+toPNxDln/H/qWBJbjkNK8/NosI6oriQBPXzzcd6HzOdg7l67 kbmje94nwOysKIMCz/YiNjmnEfa7X0NorTZ+e3HOyTRG+NpyQoywgxvj TAFDGuu8hsussW+ohheb0efhX4/0YSamSsSBeAImPYWTdUQY10U0sXDq BCE=
>>
>>
>>
>>
>> ;; WE HAVE MATERIAL, WE NOW DO VALIDATION
>> ;; VERIFYING CNAME RRset for files.toke.dk. with DNSKEY:22551: success
>> ;; OK We found DNSKEY (or more) to validate the RRset
>> ;; Now, we are going to validate this DNSKEY by the DS
>> ;; OK a DS valids a DNSKEY in the RRset
>> ;; Now verify that this DNSKEY validates the DNSKEY RRset
>> ;; VERIFYING DNSKEY RRset for toke.dk. with DNSKEY:65122: success
>> ;; OK this DNSKEY (validated by the DS) validates the RRset of the DNSKEYs, thus the DNSKEY validates the RRset
>> ;; Now, we want to validate the DS : recursive call
>>
>>
>> Launch a query to find a RRset of type DNSKEY for zone: dk.
>> ;; NO ANSWERS: no more
>>
>> ;; DNSKEY is missing to continue validation: FAILED
>>
>>
>> -Toke
>>
>> _______________________________________________
>> Cerowrt-devel mailing list
>> Cerowrt-devel at lists.bufferbloat.net
>> https://lists.bufferbloat.net/listinfo/cerowrt-devel
>>
>
>
>
More information about the Cerowrt-devel
mailing list