error (broken trust chain) resolving

Brian J. Murrell brian at interlinx.bc.ca
Wed Nov 10 14:12:58 UTC 2010


Casey Deccio <casey <at> deccio.net> writes:
> 
> On Tue, Nov 9, 2010 at 8:10 PM, Brian J. Murrell <brian <at> interlinx.bc.ca> wrote:
> > $ dig @linux -p 1053 41.70.55.206.sa-trusted.bondedsender.org txt

Doh!  I forgot the +dnssec.

> What happens when you run the following queries:
> 
> dig +dnssec @linux -p 1053 org SOA
>  
> Do you get a NOERROR response with the AD bit set?

Yup:

$ dig +dnssec @linux -p 1053 org SOA

; <<>> DiG 9.7.1-P2 <<>> +dnssec @linux -p 1053 org SOA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44657
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;org.				IN	SOA

;; ANSWER SECTION:
org.			670	IN	SOA	a0.org.afilias-nst.info. noc.afilias-nst.info. 2009390492 1800 900 604800 86400
org.			670	IN	RRSIG	SOA 7 1 900 20101124135902 20101110125902 61598 org. cqufQ6aorG5AeM7mFR/lwm9TnLwdK9PjTH36lEo4fYBk5jH+sgLM17rG wZD6c4/ZZHuT4ZvcQMa6pR1CgEtBLq1YAIT5zl0ncWs2pbyS2BFr35k5 B9thalfcHAGXFATzCFcVzQTVBSFy5QDPMuHpz2LTvaFc0xiE6sGqF+Fr Q14=

;; AUTHORITY SECTION:
org.			86175	IN	NS	a2.org.afilias-nst.info.
org.			86175	IN	NS	b0.org.afilias-nst.org.
org.			86175	IN	NS	a0.org.afilias-nst.info.
org.			86175	IN	NS	d0.org.afilias-nst.org.
org.			86175	IN	NS	c0.org.afilias-nst.info.
org.			86175	IN	NS	b2.org.afilias-nst.org.
org.			86175	IN	RRSIG	NS 7 1 86400 20101123154737 20101109144737 61598 org. KncVCF0Fbp56Cf7xW376cEuGnNL/G19WM0GfXhWwWHuWKn2HDjx7OJMi a0OYeoo/KlUn0pO0ORgT96vurhOkweEfdZXnpdPRRHBStfmpFZYD9wxG FiyGounAQuso/EWSZhmwHXsFieElBQ8+J8sKY+EDo4K92uCZ5QtQAI6S 7m8=

;; Query time: 2 msec
;; SERVER: 10.75.22.3#1053(10.75.22.3)
;; WHEN: Wed Nov 10 09:02:03 2010
;; MSG SIZE  rcvd: 536
 
> dig +dnssec @linux -p 1053 bondedsender.org DS
> 
> Do you get a NOERROR response with AD bit

No AD bit set, however...

> set and NSEC3 RRs and their
> covering RRSIGs?

I do get NSEC3 and RRSIG RRs:

; <<>> DiG 9.7.1-P2 <<>> +dnssec @linux -p 1053 bondedsender.org DS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18923
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;bondedsender.org.		IN	DS

;; AUTHORITY SECTION:
org.			590	IN	SOA	a0.org.afilias-nst.info. noc.afilias-nst.info. 2009390497 1800 900 604800 86400
org.			590	IN	RRSIG	SOA 7 1 900 20101124140403 20101110130403 61598 org. C92vKu2HbiWyt+hgBJD5Arj4egcuL197n0AQWgnKPMQ+XdG90tGG0/5h 81dQZI/xKQQsoTA5I4oKa9qspxXqC1T1Ej7bBzFqnSrgVDpv1fI/GvIt UWbxYL888sn9XE/IP/tHWsbY6aIoSsheYTdJP0oOuunVMkF+i4c25c0v 9Yo=
h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org. 590 IN RRSIG NSEC3 7 2 86400 20101124140403 20101110130403 61598 org. qUeV9GSkAD4cY9ftHxclrhrX9tzzZmUJSDXgDab78x8DoBFZ9LNKg+jG Yvqqbk0CqOxAJKE7CGDV6WzcsBQJCdM1+3r3+L660i6jIgubxMwGpWc0 C/GXRhtYZXOuAHpVI0gHPCSoQzLqYU+QxxBepgOUUxSnLS4Zx7tftpqI zAg=
h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org. 590 IN NSEC3 1 1 1 D399EAAB H9PLJ7JCGLSRA48965QFJNJ3D0HC4FP5 NS SOA RRSIG DNSKEY NSEC3PARAM
t2ei86koq1j2hk8c8m677mgc115vgvu8.org. 590 IN RRSIG NSEC3 7 2 86400 20101124010350 20101110000350 61598 org. MLy2iRpF6yKCUfcb0zxow1Dn6ky7BaZQrMZCHsfbFOsV7p5fI13JQJ2r ihceyFt5G3VcJrnzm5E51YVlKKFEJmHIwaTUdHDTcBznqzOk+s3xm1iC o3cBgrMMEOOQwsX7sVMHLg9NuQ395lq2GZtOrvYZWAEpCU9dOmqcSbFO 2+M=
t2ei86koq1j2hk8c8m677mgc115vgvu8.org. 590 IN NSEC3 1 1 1 D399EAAB T2GH7ROARI9U6G24CR9QK4J52L88HKPV

;; Query time: 3993 msec
;; SERVER: 10.75.22.3#1053(10.75.22.3)
;; WHEN: Wed Nov 10 09:03:23 2010
;; MSG SIZE  rcvd: 756

The above produced the following in the bind debug log [ sorry for all the line 
wrapping.  Stupid gmane enforces that ]:

dnssec: validating @0x20fc49b0: bondedsender.org DS: starting
dnssec: validating @0x20fc49b0: bondedsender.org DS: attempting negative response validation
dnssec: validating @0x20fc49b0: bondedsender.org DS: nsecvalidate: creating validator for org SOA
dnssec:   validating @0x20fc7b98: org SOA: starting
dnssec:   validating @0x20fc7b98: org SOA: attempting positive response validation
dnssec:   validating @0x20fc7b98: org SOA: keyset with trust 8
dnssec:   validating @0x20fc7b98: org SOA: verify rdataset (keyid=61598): success
dnssec:   validating @0x20fc7b98: org SOA: marking as secure, noqname proof not needed
dnssec:   validator @0x20fc7b98: dns_validator_destroy
dnssec: validating @0x20fc49b0: bondedsender.org DS: in authvalidated
dnssec: validating @0x20fc49b0: bondedsender.org DS: resuming nsecvalidate
dnssec: validating @0x20fc49b0: bondedsender.org DS: nsecvalidate: creating validator for h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org NSEC3
dnssec:   validating @0x20fc7b98: h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org NSEC3: starting
dnssec:   validating @0x20fc7b98: h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org NSEC3: attempting positive response validation
dnssec:   validating @0x20fc7b98: h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org NSEC3: keyset with trust 8
dnssec:   validating @0x20fc7b98: h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org NSEC3: verify rdataset (keyid=61598): success
dnssec:   validating @0x20fc7b98: h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org NSEC3: marking as secure, noqname proof not needed
dnssec:   validator @0x20fc7b98: dns_validator_destroy
dnssec: validating @0x20fc49b0: bondedsender.org DS: in authvalidated
dnssec: validating @0x20fc49b0: bondedsender.org DS: resuming nsecvalidate
dnssec: validating @0x20fc49b0: bondedsender.org DS: nsecvalidate: creating validator for t2ei86koq1j2hk8c8m677mgc115vgvu8.org NSEC3
dnssec:   validating @0x20fc7b98: t2ei86koq1j2hk8c8m677mgc115vgvu8.org NSEC3: starting
dnssec:   validating @0x20fc7b98: t2ei86koq1j2hk8c8m677mgc115vgvu8.org NSEC3: attempting positive response validation
dnssec:   validating @0x20fc7b98: t2ei86koq1j2hk8c8m677mgc115vgvu8.org NSEC3: keyset with trust 8
dnssec:   validating @0x20fc7b98: t2ei86koq1j2hk8c8m677mgc115vgvu8.org NSEC3: verify rdataset (keyid=61598): success
dnssec:   validating @0x20fc7b98: t2ei86koq1j2hk8c8m677mgc115vgvu8.org NSEC3: marking as secure, noqname proof not needed
dnssec:   validator @0x20fc7b98: dns_validator_destroy
dnssec: validating @0x20fc49b0: bondedsender.org DS: in authvalidated
dnssec: validating @0x20fc49b0: bondedsender.org DS: resuming nsecvalidate
dnssec: validating @0x20fc49b0: bondedsender.org DS: looking for relevant NSEC3
dnssec: validating @0x20fc49b0: bondedsender.org DS: looking for relevant NSEC3
dnssec: validating @0x20fc49b0: bondedsender.org DS: looking for relevant NSEC3
dnssec: validating @0x20fc49b0: bondedsender.org DS: NSEC3 indicates potential closest encloser: 'org'
dnssec: validating @0x20fc49b0: bondedsender.org DS: NSEC3 at super-domain org
dnssec: validating @0x20fc49b0: bondedsender.org DS: looking for relevant NSEC3
dnssec: validating @0x20fc49b0: bondedsender.org DS: NSEC3 proves name does not exist: 'bondedsender.org'
dnssec: validating @0x20fc49b0: bondedsender.org DS: NSEC3 indicates optout
dnssec: validating @0x20fc49b0: bondedsender.org DS: in checkwildcard: *.org
dnssec: validating @0x20fc49b0: bondedsender.org DS: looking for relevant NSEC3
dnssec: validating @0x20fc49b0: bondedsender.org DS: NSEC3 at super-domain org
dnssec: validating @0x20fc49b0: bondedsender.org DS: looking for relevant NSEC3
dnssec: validating @0x20fc49b0: bondedsender.org DS: in checkwildcard: *.org
dnssec: validating @0x20fc49b0: bondedsender.org DS: nonexistence proof(s) found
dnssec: validator @0x20fc49b0: dns_validator_destroy
dnssec: validating @0x20fc49b0: 94.114.201.117.in-addr.arpa PTR: starting
dnssec: validating @0x20fc49b0: 94.114.201.117.in-addr.arpa PTR: attempting negative response validation
dnssec: validating @0x20fc49b0: 94.114.201.117.in-addr.arpa PTR: nsecvalidate: creating validator for 117.in-addr.arpa SOA
dnssec:   validating @0x20fc7b98: 117.in-addr.arpa SOA: starting
dnssec:   validating @0x20fc7b98: 117.in-addr.arpa SOA: attempting positive response validation
dnssec:   validating @0x20fc7b98: 117.in-addr.arpa SOA: get_key: creating fetch for 117.in-addr.arpa DNSKEY
dnssec: validating @0x214348b0: 117.in-addr.arpa DNSKEY: starting
dnssec: validating @0x214348b0: 117.in-addr.arpa DNSKEY: looking for DLV
dnssec: validating @0x214348b0: 117.in-addr.arpa DNSKEY: plain DNSSEC returns unsecure (.): looking for DLV
dnssec: validating @0x214348b0: 117.in-addr.arpa DNSKEY: looking for DLV 117.in-addr.arpa.dlv.isc.org
dnssec: validating @0x214348b0: 117.in-addr.arpa DNSKEY: DNS_R_COVERINGNSEC
dnssec: validating @0x214348b0: 117.in-addr.arpa DNSKEY: covering nsec: not in range
dnssec: validating @0x214348b0: 117.in-addr.arpa DNSKEY: finddlvsep: creating fetch for 117.in-addr.arpa.dlv.isc.org DLV
dnssec: validating @0x214348b0: 117.in-addr.arpa DNSKEY: DLV lookup: wait
dnssec: validating @0x2146b048: 117.in-addr.arpa.dlv.isc.org DLV: starting
dnssec: validating @0x2146b048: 117.in-addr.arpa.dlv.isc.org DLV: attempting negative response validation
dnssec: validating @0x2146b048: 117.in-addr.arpa.dlv.isc.org DLV: nsecvalidate: creating validator for dlv.isc.org SOA
dnssec:   validating @0x21472f58: dlv.isc.org SOA: starting
dnssec:   validating @0x21472f58: dlv.isc.org SOA: attempting positive response validation
dnssec:   validating @0x21472f58: dlv.isc.org SOA: keyset with trust 8
dnssec:   validating @0x21472f58: dlv.isc.org SOA: verify rdataset (keyid=64263): success
dnssec:   validating @0x21472f58: dlv.isc.org SOA: marking as secure, noqname proof not needed
dnssec:   validator @0x21472f58: dns_validator_destroy
dnssec: validating @0x2146b048: 117.in-addr.arpa.dlv.isc.org DLV: in authvalidated
dnssec: validating @0x2146b048: 117.in-addr.arpa.dlv.isc.org DLV: resuming nsecvalidate
dnssec: validating @0x2146b048: 117.in-addr.arpa.dlv.isc.org DLV: nsecvalidate: creating validator for 6.12.174.109.in-addr.arpa.dlv.isc.org NSEC
dnssec:   validating @0x21472f58: 6.12.174.109.in-addr.arpa.dlv.isc.org NSEC: starting
dnssec:   validating @0x21472f58: 6.12.174.109.in-addr.arpa.dlv.isc.org NSEC: attempting positive response validation
dnssec:   validating @0x21472f58: 6.12.174.109.in-addr.arpa.dlv.isc.org NSEC: keyset with trust 8
dnssec:   validating @0x21472f58: 6.12.174.109.in-addr.arpa.dlv.isc.org NSEC: verify rdataset (keyid=64263): success
dnssec:   validating @0x21472f58: 6.12.174.109.in-addr.arpa.dlv.isc.org NSEC: marking as secure, noqname proof not needed
dnssec:   validator @0x21472f58: dns_validator_destroy
dnssec: validating @0x2146b048: 117.in-addr.arpa.dlv.isc.org DLV: in authvalidated
dnssec: validating @0x2146b048: 117.in-addr.arpa.dlv.isc.org DLV: looking for relevant nsec
dnssec: validating @0x2146b048: 117.in-addr.arpa.dlv.isc.org DLV: nsec range ok
dnssec: validating @0x2146b048: 117.in-addr.arpa.dlv.isc.org DLV: resuming nsecvalidate
dnssec: validating @0x2146b048: 117.in-addr.arpa.dlv.isc.org DLV: nsecvalidate: creating validator for 0.3.0.2.9.2.3.1.2.7.9.4.e164.arpa.dlv.isc.org NSEC
dnssec:   validating @0x21471f50: 0.3.0.2.9.2.3.1.2.7.9.4.e164.arpa.dlv.isc.org NSEC: starting
dnssec:   validating @0x21471f50: 0.3.0.2.9.2.3.1.2.7.9.4.e164.arpa.dlv.isc.org NSEC: attempting positive response validation
dnssec:   validating @0x21471f50: 0.3.0.2.9.2.3.1.2.7.9.4.e164.arpa.dlv.isc.org NSEC: keyset with trust 8
dnssec:   validating @0x21471f50: 0.3.0.2.9.2.3.1.2.7.9.4.e164.arpa.dlv.isc.org NSEC: verify rdataset (keyid=64263): success
dnssec:   validating @0x21471f50: 0.3.0.2.9.2.3.1.2.7.9.4.e164.arpa.dlv.isc.org NSEC: marking as secure, noqname proof not needed
dnssec:   validator @0x21471f50: dns_validator_destroy
dnssec: validating @0x2146b048: 117.in-addr.arpa.dlv.isc.org DLV: in authvalidated
dnssec: validating @0x2146b048: 117.in-addr.arpa.dlv.isc.org DLV: resuming nsecvalidate
dnssec: validating @0x2146b048: 117.in-addr.arpa.dlv.isc.org DLV: in checkwildcard: *.in-addr.arpa.dlv.isc.org
dnssec: validating @0x2146b048: 117.in-addr.arpa.dlv.isc.org DLV: looking for relevant nsec
dnssec: validating @0x2146b048: 117.in-addr.arpa.dlv.isc.org DLV: NSEC does not cover name, before NSEC
dnssec: validating @0x2146b048: 117.in-addr.arpa.dlv.isc.org DLV: looking for relevant nsec
dnssec: validating @0x2146b048: 117.in-addr.arpa.dlv.isc.org DLV: nsec range ok
dnssec: validating @0x2146b048: 117.in-addr.arpa.dlv.isc.org DLV: nonexistence proof(s) found
dnssec: validator @0x2146b048: dns_validator_destroy
dnssec: validating @0x214348b0: 117.in-addr.arpa DNSKEY: in dlvfetched: ncache nxdomain
dnssec: validating @0x214348b0: 117.in-addr.arpa DNSKEY: looking for DLV in-addr.arpa.dlv.isc.org
dnssec: validating @0x214348b0: 117.in-addr.arpa DNSKEY: looking for DLV arpa.dlv.isc.org
dnssec: validating @0x214348b0: 117.in-addr.arpa DNSKEY: DLV arpa found
dnssec: validating @0x214348b0: 117.in-addr.arpa DNSKEY: dlv_validator_start
dnssec: validating @0x214348b0: 117.in-addr.arpa DNSKEY: restarting using DLV
dnssec: validating @0x214348b0: 117.in-addr.arpa DNSKEY: attempting positive response validation
dnssec: validating @0x214348b0: 117.in-addr.arpa DNSKEY: validatezonekey: creating fetch for 117.in-addr.arpa DS

b.
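Editor's added example (not part of the original post, and not BIND's code): the debug log above shows the validator accepting the NOERROR/no-AD answer for bondedsender.org DS because the org. zone returned an NSEC3 matching the closest encloser (org) plus an Opt-Out NSEC3 covering the hash of the next-closer name, which makes the delegation Insecure rather than Bogus. The script below re-derives that proof by hand from the two NSEC3 RRs quoted in the dig output (SHA-1, flags 1 = Opt-Out, 1 iteration, salt D399EAAB), following the hash definition in RFC 5155 section 5. Function names are this example's own. Two things are inferred rather than quoted: that the first NSEC3's owner is H(org), since only the zone apex carries SOA/DNSKEY/NSEC3PARAM, and that the second NSEC3 is the one covering H(bondedsender.org), as the log's "NSEC3 proves name does not exist" line reports. BIND's additional wildcard check (*.org) is not modelled.

```python
"""NSEC3 hashing and closest-encloser / Opt-Out proof check (RFC 5155), stand-alone."""
import base64
import hashlib

# RFC 4648 base32 -> base32hex ("extended hex") alphabet used for NSEC3 owner names.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")

# Taken from the org. AUTHORITY section quoted above. Each RR reads
# "NSEC3 1 1 1 D399EAAB <next> [types]": alg 1 = SHA-1, flags 1 = Opt-Out, 1 iteration.
SALT_HEX = "D399EAAB"
ITERATIONS = 1
NSEC3_RRS = [
    {"flags": 1, "owner": "h9p7u7tr2u91d0v0ljs9l1gidnp90u3h",
     "next": "H9PLJ7JCGLSRA48965QFJNJ3D0HC4FP5",
     "types": {"NS", "SOA", "RRSIG", "DNSKEY", "NSEC3PARAM"}},   # the org. apex
    {"flags": 1, "owner": "t2ei86koq1j2hk8c8m677mgc115vgvu8",
     "next": "T2GH7ROARI9U6G24CR9QK4J52L88HKPV", "types": set()},
]


def wire_name(name):
    """Canonical (lowercased) wire form: length-prefixed labels ending in the root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name, salt_hex=SALT_HEX, iterations=ITERATIONS):
    """RFC 5155 s5: IH(salt,x,0) = H(x||salt); IH(salt,x,k) = H(IH(salt,x,k-1)||salt).
    Returns the lowercase base32hex owner label (32 chars for SHA-1, never padded)."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()


def covers(rr, h):
    """True if hash h lies strictly between owner and next; the chain wraps at the zone end."""
    owner, nxt, h = rr["owner"].lower(), rr["next"].lower(), h.lower()
    if owner < nxt:
        return owner < h < nxt
    return h > owner or h < nxt   # last NSEC3 in the zone points back to the first


def ancestors(qname, zone):
    """qname, its parent, ... down to the zone apex: every name the proof may need to hash."""
    q, z = qname.lower().rstrip("."), zone.lower().rstrip(".")
    names = []
    while True:
        names.append(q)
        if q == z:
            return names
        if "." not in q:
            raise ValueError("%s is not inside zone %s" % (qname, zone))
        q = q.split(".", 1)[1]


def prove_nonexistence(qname, zone, rrs=NSEC3_RRS):
    """Closest-encloser proof for a DS NODATA answer (RFC 5155 s7.2.3, s8.5-8.6).

    Walk up from qname until an NSEC3 *matches* a name (the closest encloser), then
    require an NSEC3 *covering* the hash of the next-closer name.  If that covering RR
    carries the Opt-Out flag, an unsigned delegation may legitimately exist there, so
    the child is Insecure (no AD bit, but not Bogus): the "NSEC3 indicates optout" path.
    """
    names = ancestors(qname, zone)
    for i, name in enumerate(names):
        h = nsec3_hash(name)
        match = next((rr for rr in rrs if rr["owner"].lower() == h), None)
        if match is None:
            continue
        if i == 0:   # qname itself exists; its type bitmap says what it lacks
            return {"status": "nodata", "closest_encloser": name,
                    "types": sorted(match["types"])}
        next_closer = names[i - 1]
        cover = next((rr for rr in rrs if covers(rr, nsec3_hash(next_closer))), None)
        if cover is None:
            return {"status": "bogus", "reason": "no NSEC3 covers the next closer name"}
        optout = bool(cover["flags"] & 0x01)
        return {"status": "insecure" if optout else "nxdomain",
                "closest_encloser": name, "next_closer": next_closer, "optout": optout}
    return {"status": "bogus", "reason": "no closest encloser matched"}


if __name__ == "__main__":
    print("H(org)              =", nsec3_hash("org"))
    print("H(bondedsender.org) =", nsec3_hash("bondedsender.org"))
    print(prove_nonexistence("bondedsender.org", "org"))
```

Running it prints the two hashes and a result dict whose status is "insecure" with closest encloser org and Opt-Out set, i.e. the same conclusion named reached before it went on to the DLV lookups. Change the second RR's flags to 0 and the same records would instead prove that bondedsender.org does not exist at all, which is why a validator must look at the Opt-Out bit on the covering NSEC3 and not merely at whether a covering record was found.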