error (broken trust chain) resolving
Brian J. Murrell
brian at interlinx.bc.ca
Wed Nov 10 14:12:58 UTC 2010
Casey Deccio <casey <at> deccio.net> writes:
>
> On Tue, Nov 9, 2010 at 8:10 PM, Brian J. Murrell <brian <at> interlinx.bc.ca> wrote:
> > $ dig @linux -p 1053 41.70.55.206.sa-trusted.bondedsender.org txt
Doh! I forgot the +dnssec.
> What happens when you run the following queries:
>
> dig +dnssec @linux -p 1053 org SOA
>
> Do you get a NOERROR response with the AD bit set?
Yup:
$ dig +dnssec @linux -p 1053 org SOA
; <<>> DiG 9.7.1-P2 <<>> +dnssec @linux -p 1053 org SOA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44657
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;org. IN SOA
;; ANSWER SECTION:
org. 670 IN SOA a0.org.afilias-nst.info.
noc.afilias-nst.info. 2009390492 1800 900 604800 86400
org. 670 IN RRSIG SOA 7 1 900 20101124135902
20101110125902 61598 org.
cqufQ6aorG5AeM7mFR/lwm9TnLwdK9PjTH36lEo4fYBk5jH+sgLM17rG
wZD6c4/ZZHuT4ZvcQMa6pR1CgEtBLq1YAIT5zl0ncWs2pbyS2BFr35k5
B9thalfcHAGXFATzCFcVzQTVBSFy5QDPMuHpz2LTvaFc0xiE6sGqF+Fr Q14=
;; AUTHORITY SECTION:
org. 86175 IN NS a2.org.afilias-nst.info.
org. 86175 IN NS b0.org.afilias-nst.org.
org. 86175 IN NS a0.org.afilias-nst.info.
org. 86175 IN NS d0.org.afilias-nst.org.
org. 86175 IN NS c0.org.afilias-nst.info.
org. 86175 IN NS b2.org.afilias-nst.org.
org. 86175 IN RRSIG NS 7 1 86400 20101123154737
20101109144737 61598 org.
KncVCF0Fbp56Cf7xW376cEuGnNL/G19WM0GfXhWwWHuWKn2HDjx7OJMi
a0OYeoo/KlUn0pO0ORgT96vurhOkweEfdZXnpdPRRHBStfmpFZYD9wxG
FiyGounAQuso/EWSZhmwHXsFieElBQ8+J8sKY+EDo4K92uCZ5QtQAI6S 7m8=
;; Query time: 2 msec
;; SERVER: 10.75.22.3#1053(10.75.22.3)
;; WHEN: Wed Nov 10 09:02:03 2010
;; MSG SIZE rcvd: 536
> dig +dnssec @linux -p 1053 bondedsender.org DS
>
> Do you get a NOERROR response with AD bit
No AD bit set, however...
> set and NSEC3 RRs and their
> covering RRSIGs?
I do get NSEC3 and RRSIG RRs:
; <<>> DiG 9.7.1-P2 <<>> +dnssec @linux -p 1053 bondedsender.org DS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18923
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;bondedsender.org. IN DS
;; AUTHORITY SECTION:
org. 590 IN SOA a0.org.afilias-nst.info.
noc.afilias-nst.info. 2009390497 1800 900 604800 86400
org. 590 IN RRSIG SOA 7 1 900 20101124140403
20101110130403 61598 org.
C92vKu2HbiWyt+hgBJD5Arj4egcuL197n0AQWgnKPMQ+XdG90tGG0/5h
81dQZI/xKQQsoTA5I4oKa9qspxXqC1T1Ej7bBzFqnSrgVDpv1fI/GvIt
UWbxYL888sn9XE/IP/tHWsbY6aIoSsheYTdJP0oOuunVMkF+i4c25c0v 9Yo=
h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org. 590 IN RRSIG NSEC3 7 2 86400
20101124140403 20101110130403 61598 org.
qUeV9GSkAD4cY9ftHxclrhrX9tzzZmUJSDXgDab78x8DoBFZ9LNKg+jG
Yvqqbk0CqOxAJKE7CGDV6WzcsBQJCdM1+3r3+L660i6jIgubxMwGpWc0
C/GXRhtYZXOuAHpVI0gHPCSoQzLqYU+QxxBepgOUUxSnLS4Zx7tftpqI zAg=
h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org. 590 IN NSEC3 1 1 1 D399EAAB
H9PLJ7JCGLSRA48965QFJNJ3D0HC4FP5 NS SOA RRSIG DNSKEY NSEC3PARAM
t2ei86koq1j2hk8c8m677mgc115vgvu8.org. 590 IN RRSIG NSEC3 7 2 86400
20101124010350 20101110000350 61598 org.
MLy2iRpF6yKCUfcb0zxow1Dn6ky7BaZQrMZCHsfbFOsV7p5fI13JQJ2r
ihceyFt5G3VcJrnzm5E51YVlKKFEJmHIwaTUdHDTcBznqzOk+s3xm1iC
o3cBgrMMEOOQwsX7sVMHLg9NuQ395lq2GZtOrvYZWAEpCU9dOmqcSbFO 2+M=
t2ei86koq1j2hk8c8m677mgc115vgvu8.org. 590 IN NSEC3 1 1 1 D399EAAB
T2GH7ROARI9U6G24CR9QK4J52L88HKPV
;; Query time: 3993 msec
;; SERVER: 10.75.22.3#1053(10.75.22.3)
;; WHEN: Wed Nov 10 09:03:23 2010
;; MSG SIZE rcvd: 756
The above produced the following in the bind debug log [ sorry for all the line
wrapping. Stupid gmane enforces that ]:
dnssec: validating @0x20fc49b0: bondedsender.org DS: starting
dnssec: validating @0x20fc49b0: bondedsender.org DS: attempting negative
response validation
dnssec: validating @0x20fc49b0: bondedsender.org DS: nsecvalidate: creating
validator for org SOA
dnssec: validating @0x20fc7b98: org SOA: starting
dnssec: validating @0x20fc7b98: org SOA: attempting positive response
validation
dnssec: validating @0x20fc7b98: org SOA: keyset with trust 8
dnssec: validating @0x20fc7b98: org SOA: verify rdataset (keyid=61598):
success
dnssec: validating @0x20fc7b98: org SOA: marking as secure, noqname proof not
needed
dnssec: validator @0x20fc7b98: dns_validator_destroy
dnssec: validating @0x20fc49b0: bondedsender.org DS: in authvalidated
dnssec: validating @0x20fc49b0: bondedsender.org DS: resuming nsecvalidate
dnssec: validating @0x20fc49b0: bondedsender.org DS: nsecvalidate: creating
validator for h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org NSEC3
dnssec: validating @0x20fc7b98: h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org NSEC3:
starting
dnssec: validating @0x20fc7b98: h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org NSEC3:
attempting positive response validation
dnssec: validating @0x20fc7b98: h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org NSEC3:
keyset with trust 8
dnssec: validating @0x20fc7b98: h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org NSEC3:
verify rdataset (keyid=61598): success
dnssec: validating @0x20fc7b98: h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org NSEC3:
marking as secure, noqname proof not needed
dnssec: validator @0x20fc7b98: dns_validator_destroy
dnssec: validating @0x20fc49b0: bondedsender.org DS: in authvalidated
dnssec: validating @0x20fc49b0: bondedsender.org DS: resuming nsecvalidate
dnssec: validating @0x20fc49b0: bondedsender.org DS: nsecvalidate: creating
validator for t2ei86koq1j2hk8c8m677mgc115vgvu8.org NSEC3
dnssec: validating @0x20fc7b98: t2ei86koq1j2hk8c8m677mgc115vgvu8.org NSEC3:
starting
dnssec: validating @0x20fc7b98: t2ei86koq1j2hk8c8m677mgc115vgvu8.org NSEC3:
attempting positive response validation
dnssec: validating @0x20fc7b98: t2ei86koq1j2hk8c8m677mgc115vgvu8.org NSEC3:
keyset with trust 8
dnssec: validating @0x20fc7b98: t2ei86koq1j2hk8c8m677mgc115vgvu8.org NSEC3:
verify rdataset (keyid=61598): success
dnssec: validating @0x20fc7b98: t2ei86koq1j2hk8c8m677mgc115vgvu8.org NSEC3:
marking as secure, noqname proof not needed
dnssec: validator @0x20fc7b98: dns_validator_destroy
dnssec: validating @0x20fc49b0: bondedsender.org DS: in authvalidated
dnssec: validating @0x20fc49b0: bondedsender.org DS: resuming nsecvalidate
dnssec: validating @0x20fc49b0: bondedsender.org DS: looking for relevant NSEC3
dnssec: validating @0x20fc49b0: bondedsender.org DS: looking for relevant NSEC3
dnssec: validating @0x20fc49b0: bondedsender.org DS: looking for relevant NSEC3
dnssec: validating @0x20fc49b0: bondedsender.org DS: NSEC3 indicates potential
closest encloser: 'org'
dnssec: validating @0x20fc49b0: bondedsender.org DS: NSEC3 at super-domain org
dnssec: validating @0x20fc49b0: bondedsender.org DS: looking for relevant NSEC3
dnssec: validating @0x20fc49b0: bondedsender.org DS: NSEC3 proves name does not
exist: 'bondedsender.org'
dnssec: validating @0x20fc49b0: bondedsender.org DS: NSEC3 indicates optout
dnssec: validating @0x20fc49b0: bondedsender.org DS: in checkwildcard: *.org
dnssec: validating @0x20fc49b0: bondedsender.org DS: looking for relevant NSEC3
dnssec: validating @0x20fc49b0: bondedsender.org DS: NSEC3 at super-domain org
dnssec: validating @0x20fc49b0: bondedsender.org DS: looking for relevant NSEC3
dnssec: validating @0x20fc49b0: bondedsender.org DS: in checkwildcard: *.org
dnssec: validating @0x20fc49b0: bondedsender.org DS: nonexistence proof(s) found
dnssec: validator @0x20fc49b0: dns_validator_destroy
dnssec: validating @0x20fc49b0: 94.114.201.117.in-addr.arpa PTR: starting
dnssec: validating @0x20fc49b0: 94.114.201.117.in-addr.arpa PTR: attempting
negative response validation
dnssec: validating @0x20fc49b0: 94.114.201.117.in-addr.arpa PTR: nsecvalidate:
creating validator for 117.in-addr.arpa SOA
dnssec: validating @0x20fc7b98: 117.in-addr.arpa SOA: starting
dnssec: validating @0x20fc7b98: 117.in-addr.arpa SOA: attempting positive
response validation
dnssec: validating @0x20fc7b98: 117.in-addr.arpa SOA: get_key: creating fetch
for 117.in-addr.arpa DNSKEY
dnssec: validating @0x214348b0: 117.in-addr.arpa DNSKEY: starting
dnssec: validating @0x214348b0: 117.in-addr.arpa DNSKEY: looking for DLV
dnssec: validating @0x214348b0: 117.in-addr.arpa DNSKEY: plain DNSSEC returns
unsecure (.): looking for DLV
dnssec: validating @0x214348b0: 117.in-addr.arpa DNSKEY: looking for DLV 117.in-
addr.arpa.dlv.isc.org
dnssec: validating @0x214348b0: 117.in-addr.arpa DNSKEY: DNS_R_COVERINGNSEC
dnssec: validating @0x214348b0: 117.in-addr.arpa DNSKEY: covering nsec: not in
range
dnssec: validating @0x214348b0: 117.in-addr.arpa DNSKEY: finddlvsep: creating
fetch for 117.in-addr.arpa.dlv.isc.org DLV
dnssec: validating @0x214348b0: 117.in-addr.arpa DNSKEY: DLV lookup: wait
dnssec: validating @0x2146b048: 117.in-addr.arpa.dlv.isc.org DLV: starting
dnssec: validating @0x2146b048: 117.in-addr.arpa.dlv.isc.org DLV: attempting
negative response validation
dnssec: validating @0x2146b048: 117.in-addr.arpa.dlv.isc.org DLV: nsecvalidate:
creating validator for dlv.isc.org SOA
dnssec: validating @0x21472f58: dlv.isc.org SOA: starting
dnssec: validating @0x21472f58: dlv.isc.org SOA: attempting positive response
validation
dnssec: validating @0x21472f58: dlv.isc.org SOA: keyset with trust 8
dnssec: validating @0x21472f58: dlv.isc.org SOA: verify rdataset
(keyid=64263): success
dnssec: validating @0x21472f58: dlv.isc.org SOA: marking as secure, noqname
proof not needed
dnssec: validator @0x21472f58: dns_validator_destroy
dnssec: validating @0x2146b048: 117.in-addr.arpa.dlv.isc.org DLV: in
authvalidated
dnssec: validating @0x2146b048: 117.in-addr.arpa.dlv.isc.org DLV: resuming
nsecvalidate
dnssec: validating @0x2146b048: 117.in-addr.arpa.dlv.isc.org DLV: nsecvalidate:
creating validator for 6.12.174.109.in-addr.arpa.dlv.isc.org NSEC
dnssec: validating @0x21472f58: 6.12.174.109.in-addr.arpa.dlv.isc.org NSEC:
starting
dnssec: validating @0x21472f58: 6.12.174.109.in-addr.arpa.dlv.isc.org NSEC:
attempting positive response validation
dnssec: validating @0x21472f58: 6.12.174.109.in-addr.arpa.dlv.isc.org NSEC:
keyset with trust 8
dnssec: validating @0x21472f58: 6.12.174.109.in-addr.arpa.dlv.isc.org NSEC:
verify rdataset (keyid=64263): success
dnssec: validating @0x21472f58: 6.12.174.109.in-addr.arpa.dlv.isc.org NSEC:
marking as secure, noqname proof not needed
dnssec: validator @0x21472f58: dns_validator_destroy
dnssec: validating @0x2146b048: 117.in-addr.arpa.dlv.isc.org DLV: in
authvalidated
dnssec: validating @0x2146b048: 117.in-addr.arpa.dlv.isc.org DLV: looking for
relevant nsec
dnssec: validating @0x2146b048: 117.in-addr.arpa.dlv.isc.org DLV: nsec range ok
dnssec: validating @0x2146b048: 117.in-addr.arpa.dlv.isc.org DLV: resuming
nsecvalidate
dnssec: validating @0x2146b048: 117.in-addr.arpa.dlv.isc.org DLV: nsecvalidate:
creating validator for 0.3.0.2.9.2.3.1.2.7.9.4.e164.arpa.dlv.isc.org NSEC
dnssec: validating @0x21471f50: 0.3.0.2.9.2.3.1.2.7.9.4.e164.arpa.dlv.isc.org
NSEC: starting
dnssec: validating @0x21471f50: 0.3.0.2.9.2.3.1.2.7.9.4.e164.arpa.dlv.isc.org
NSEC: attempting positive response validation
dnssec: validating @0x21471f50: 0.3.0.2.9.2.3.1.2.7.9.4.e164.arpa.dlv.isc.org
NSEC: keyset with trust 8
dnssec: validating @0x21471f50: 0.3.0.2.9.2.3.1.2.7.9.4.e164.arpa.dlv.isc.org
NSEC: verify rdataset (keyid=64263): success
dnssec: validating @0x21471f50: 0.3.0.2.9.2.3.1.2.7.9.4.e164.arpa.dlv.isc.org
NSEC: marking as secure, noqname proof not needed
dnssec: validator @0x21471f50: dns_validator_destroy
dnssec: validating @0x2146b048: 117.in-addr.arpa.dlv.isc.org DLV: in
authvalidated
dnssec: validating @0x2146b048: 117.in-addr.arpa.dlv.isc.org DLV: resuming
nsecvalidate
dnssec: validating @0x2146b048: 117.in-addr.arpa.dlv.isc.org DLV: in
checkwildcard: *.in-addr.arpa.dlv.isc.org
dnssec: validating @0x2146b048: 117.in-addr.arpa.dlv.isc.org DLV: looking for
relevant nsec
dnssec: validating @0x2146b048: 117.in-addr.arpa.dlv.isc.org DLV: NSEC does not
cover name, before NSEC
dnssec: validating @0x2146b048: 117.in-addr.arpa.dlv.isc.org DLV: looking for
relevant nsec
dnssec: validating @0x2146b048: 117.in-addr.arpa.dlv.isc.org DLV: nsec range ok
dnssec: validating @0x2146b048: 117.in-addr.arpa.dlv.isc.org DLV: nonexistence
proof(s) found
dnssec: validator @0x2146b048: dns_validator_destroy
dnssec: validating @0x214348b0: 117.in-addr.arpa DNSKEY: in dlvfetched: ncache
nxdomain
dnssec: validating @0x214348b0: 117.in-addr.arpa DNSKEY: looking for DLV in-
addr.arpa.dlv.isc.org
dnssec: validating @0x214348b0: 117.in-addr.arpa DNSKEY: looking for DLV
arpa.dlv.isc.org
dnssec: validating @0x214348b0: 117.in-addr.arpa DNSKEY: DLV arpa found
dnssec: validating @0x214348b0: 117.in-addr.arpa DNSKEY: dlv_validator_start
dnssec: validating @0x214348b0: 117.in-addr.arpa DNSKEY: restarting using DLV
dnssec: validating @0x214348b0: 117.in-addr.arpa DNSKEY: attempting positive
response validation
dnssec: validating @0x214348b0: 117.in-addr.arpa DNSKEY: validatezonekey:
creating fetch for 117.in-addr.arpa DS
b.