[nSLUG] DNSSEC configuration

francis picabia fpicabia at gmail.com
Tue Dec 16 14:50:36 AST 2014


On Tue, Dec 16, 2014 at 2:03 PM, Daniel AJ Sokolov <daniel at falco.ca> wrote:
>
> On 2014-12-16 at 12:48, D G Teed wrote:
> > dig badsign-a.test.dnssec-tools.org  +dnssec
>
> vs.
>
> ># dig +dnssec whitehouse.gov
>
> Hi,
>
> I haven't checked the syntax, but maybe the order is important? (+dnssec
> before vs after the domain)
>
>

Thanks for the suggestion.
I've tried with the argument order changed and there is no difference.

I think the option is recognized because otherwise I wouldn't be
seeing the whole RRSIG chunk in the trace.

I set up an option channel for debugging dnssec.

The following shows the log file when doing the lookup
on the dnssec-tools.org subdomain with a bad signature.

# dig badsign-a.test.dnssec-tools.org

Log shows:

16-Dec-2014 14:21:00.285 debug 3: validating @0xb82743d0: . NS: starting
16-Dec-2014 14:21:00.286 debug 3: validating @0xb82743d0: . NS: looking for
DLV
16-Dec-2014 14:21:00.287 debug 3: validating @0xb82743d0: . NS: plain
DNSSEC returns unsecure (.): looking for DLV
16-Dec-2014 14:21:00.287 debug 3: validating @0xb82743d0: . NS: looking for
DLV dlv.isc.org
16-Dec-2014 14:21:00.289 debug 3: validating @0xb82743d0: . NS: DLV lookup:
wait
16-Dec-2014 14:21:00.735 debug 3: validating @0xb82bbd28:
badsign-a.test.dnssec-tools.org A: starting
16-Dec-2014 14:21:00.736 debug 3: validating @0xb82bbd28:
badsign-a.test.dnssec-tools.org A: looking for DLV
16-Dec-2014 14:21:00.736 debug 3: validating @0xb82bbd28:
badsign-a.test.dnssec-tools.org A: plain DNSSEC returns unsecure (.):
looking for DLV
16-Dec-2014 14:21:00.737 debug 3: validating @0xb82bbd28:
badsign-a.test.dnssec-tools.org A: looking for DLV
badsign-a.test.dnssec-tools.org.dlv.isc.org
16-Dec-2014 14:21:00.738 debug 3: validating @0xb82bbd28:
badsign-a.test.dnssec-tools.org A: DLV lookup: wait
16-Dec-2014 14:21:00.806 debug 3: validating @0xb8275208: dlv.isc.org DLV:
starting
16-Dec-2014 14:21:00.807 debug 3: validating @0xb8275208: dlv.isc.org DLV:
attempting negative response validation
16-Dec-2014 14:21:00.808 debug 3:   validating @0xb85035b0: dlv.isc.org
SOA: starting
16-Dec-2014 14:21:00.809 debug 3:   validating @0xb85035b0: dlv.isc.org
SOA: attempting positive response validation
16-Dec-2014 14:21:00.891 debug 3: validating @0xb8514638:
badsign-a.test.dnssec-tools.org.dlv.isc.org DLV: starting
16-Dec-2014 14:21:00.892 debug 3: validating @0xb8514638:
badsign-a.test.dnssec-tools.org.dlv.isc.org DLV: attempting negative
response validation
16-Dec-2014 14:21:00.893 debug 3:   validating @0xb84f6548: dlv.isc.org
SOA: starting
16-Dec-2014 14:21:00.894 debug 3:   validating @0xb84f6548: dlv.isc.org
SOA: attempting positive response validation
16-Dec-2014 14:21:00.911 debug 3: validating @0xb85150b0: dlv.isc.org
DNSKEY: starting
16-Dec-2014 14:21:00.912 debug 3: validating @0xb85150b0: dlv.isc.org
DNSKEY: attempting positive response validation
16-Dec-2014 14:21:00.920 debug 3: validating @0xb85150b0: dlv.isc.org
DNSKEY: verify rdataset (keyid=19297): success
16-Dec-2014 14:21:00.920 debug 3: validating @0xb85150b0: dlv.isc.org
DNSKEY: signed by trusted key; marking as secure
16-Dec-2014 14:21:00.921 debug 3: validator @0xb85150b0:
dns_validator_destroy
16-Dec-2014 14:21:00.922 debug 3:   validating @0xb85035b0: dlv.isc.org
SOA: in fetch_callback_validator
16-Dec-2014 14:21:00.922 debug 3:   validating @0xb85035b0: dlv.isc.org
SOA: keyset with trust 8
16-Dec-2014 14:21:00.923 debug 3:   validating @0xb84f6548: dlv.isc.org
SOA: in fetch_callback_validator
16-Dec-2014 14:21:00.924 debug 3:   validating @0xb85035b0: dlv.isc.org
SOA: resuming validate
16-Dec-2014 14:21:00.925 debug 3:   validating @0xb84f6548: dlv.isc.org
SOA: keyset with trust 8
16-Dec-2014 14:21:00.925 debug 3:   validating @0xb84f6548: dlv.isc.org
SOA: resuming validate
16-Dec-2014 14:21:00.926 debug 3:   validating @0xb85035b0: dlv.isc.org
SOA: verify rdataset (keyid=64263): success
16-Dec-2014 14:21:00.927 debug 3:   validating @0xb85035b0: dlv.isc.org
SOA: marking as secure, noqname proof not needed
16-Dec-2014 14:21:00.928 debug 3:   validating @0xb84f6548: dlv.isc.org
SOA: verify rdataset (keyid=64263): success
16-Dec-2014 14:21:00.928 debug 3:   validator @0xb85035b0:
dns_validator_destroy
16-Dec-2014 14:21:00.929 debug 3:   validating @0xb84f6548: dlv.isc.org
SOA: marking as secure, noqname proof not needed
16-Dec-2014 14:21:00.930 debug 3: validating @0xb8275208: dlv.isc.org DLV:
in authvalidated
16-Dec-2014 14:21:00.930 debug 3:   validator @0xb84f6548:
dns_validator_destroy
16-Dec-2014 14:21:00.931 debug 3: validating @0xb8275208: dlv.isc.org DLV:
resuming nsecvalidate
16-Dec-2014 14:21:00.932 debug 3: validating @0xb8514638:
badsign-a.test.dnssec-tools.org.dlv.isc.org DLV: in authvalidated
16-Dec-2014 14:21:00.932 debug 3:   validating @0xb3500b68: dlv.isc.org
NSEC: starting
16-Dec-2014 14:21:00.933 debug 3:   validating @0xb3500b68: dlv.isc.org
NSEC: attempting positive response validation
16-Dec-2014 14:21:00.934 debug 3: validating @0xb8514638:
badsign-a.test.dnssec-tools.org.dlv.isc.org DLV: resuming nsecvalidate
16-Dec-2014 14:21:00.934 debug 3:   validating @0xb3500b68: dlv.isc.org
NSEC: keyset with trust 8
16-Dec-2014 14:21:00.935 debug 3:   validating @0xb84f6548:
dns-oarc.org.dlv.isc.org NSEC: starting
16-Dec-2014 14:21:00.936 debug 3:   validating @0xb84f6548:
dns-oarc.org.dlv.isc.org NSEC: attempting positive response validation
16-Dec-2014 14:21:00.937 debug 3:   validating @0xb3500b68: dlv.isc.org
NSEC: verify rdataset (keyid=64263): success
16-Dec-2014 14:21:00.937 debug 3:   validating @0xb84f6548:
dns-oarc.org.dlv.isc.org NSEC: keyset with trust 8
16-Dec-2014 14:21:00.938 debug 3:   validating @0xb3500b68: dlv.isc.org
NSEC: marking as secure, noqname proof not needed
16-Dec-2014 14:21:00.939 debug 3:   validator @0xb3500b68:
dns_validator_destroy
16-Dec-2014 14:21:00.939 debug 3:   validating @0xb84f6548:
dns-oarc.org.dlv.isc.org NSEC: verify rdataset (keyid=64263): success
16-Dec-2014 14:21:00.940 debug 3: validating @0xb8275208: dlv.isc.org DLV:
in authvalidated
16-Dec-2014 14:21:00.941 debug 3:   validating @0xb84f6548:
dns-oarc.org.dlv.isc.org NSEC: marking as secure, noqname proof not needed
16-Dec-2014 14:21:00.942 debug 3: validating @0xb8275208: dlv.isc.org DLV:
looking for relevant nsec
16-Dec-2014 14:21:00.942 debug 3:   validator @0xb84f6548:
dns_validator_destroy
16-Dec-2014 14:21:00.943 debug 3: validating @0xb8275208: dlv.isc.org DLV:
nsec proves name exists (owner) data=0
16-Dec-2014 14:21:00.944 debug 3: validating @0xb8514638:
badsign-a.test.dnssec-tools.org.dlv.isc.org DLV: in authvalidated
16-Dec-2014 14:21:00.944 debug 3: validating @0xb8275208: dlv.isc.org DLV:
resuming nsecvalidate
16-Dec-2014 14:21:00.945 debug 3: validating @0xb8514638:
badsign-a.test.dnssec-tools.org.dlv.isc.org DLV: looking for relevant nsec
16-Dec-2014 14:21:00.946 debug 3: validating @0xb8275208: dlv.isc.org DLV:
nonexistence proof(s) found
16-Dec-2014 14:21:00.946 debug 3: validating @0xb8514638:
badsign-a.test.dnssec-tools.org.dlv.isc.org DLV: nsec range ok
16-Dec-2014 14:21:00.947 debug 3: validator @0xb8275208:
dns_validator_destroy
16-Dec-2014 14:21:00.948 debug 3: validating @0xb8514638:
badsign-a.test.dnssec-tools.org.dlv.isc.org DLV: resuming nsecvalidate
16-Dec-2014 14:21:00.949 debug 3:   validating @0xb8275208:
nukuhou.school.nz.dlv.isc.org NSEC: starting
16-Dec-2014 14:21:00.949 debug 3:   validating @0xb8275208:
nukuhou.school.nz.dlv.isc.org NSEC: attempting positive response validation
16-Dec-2014 14:21:00.950 debug 3:   validating @0xb8275208:
nukuhou.school.nz.dlv.isc.org NSEC: keyset with trust 8
16-Dec-2014 14:21:00.951 debug 3: validating @0xb82743d0: . NS: in
dlvfetched: ncache nxrrset
16-Dec-2014 14:21:00.952 debug 3: validating @0xb82743d0: . NS: DLV not
found
16-Dec-2014 14:21:00.952 debug 3: validating @0xb82743d0: . NS: marking as
answer (dlvfetched (3))
16-Dec-2014 14:21:00.953 debug 3:   validating @0xb8275208:
nukuhou.school.nz.dlv.isc.org NSEC: verify rdataset (keyid=64263): success
16-Dec-2014 14:21:00.954 debug 3: validator @0xb82743d0:
dns_validator_destroy
16-Dec-2014 14:21:00.954 debug 3:   validating @0xb8275208:
nukuhou.school.nz.dlv.isc.org NSEC: marking as secure, noqname proof not
needed
16-Dec-2014 14:21:00.955 debug 3:   validator @0xb8275208:
dns_validator_destroy
16-Dec-2014 14:21:00.956 debug 3: validating @0xb8514638:
badsign-a.test.dnssec-tools.org.dlv.isc.org DLV: in authvalidated
16-Dec-2014 14:21:00.957 debug 3: validating @0xb8514638:
badsign-a.test.dnssec-tools.org.dlv.isc.org DLV: resuming nsecvalidate
16-Dec-2014 14:21:00.957 debug 3: validating @0xb8514638:
badsign-a.test.dnssec-tools.org.dlv.isc.org DLV: in checkwildcard: *.
org.dlv.isc.org
16-Dec-2014 14:21:00.958 debug 3: validating @0xb8514638:
badsign-a.test.dnssec-tools.org.dlv.isc.org DLV: looking for relevant nsec
16-Dec-2014 14:21:00.959 debug 3: validating @0xb8514638:
badsign-a.test.dnssec-tools.org.dlv.isc.org DLV: NSEC does not cover name,
before NSEC
16-Dec-2014 14:21:00.959 debug 3: validating @0xb8514638:
badsign-a.test.dnssec-tools.org.dlv.isc.org DLV: looking for relevant nsec
16-Dec-2014 14:21:00.960 debug 3: validating @0xb8514638:
badsign-a.test.dnssec-tools.org.dlv.isc.org DLV: nsec range ok
16-Dec-2014 14:21:00.961 debug 3: validating @0xb8514638:
badsign-a.test.dnssec-tools.org.dlv.isc.org DLV: nonexistence proof(s) found
16-Dec-2014 14:21:00.961 debug 3: validator @0xb8514638:
dns_validator_destroy
16-Dec-2014 14:21:00.962 debug 3: validating @0xb82bbd28:
badsign-a.test.dnssec-tools.org A: in dlvfetched: ncache nxdomain
16-Dec-2014 14:21:00.963 debug 3: validating @0xb82bbd28:
badsign-a.test.dnssec-tools.org A: looking for DLV
test.dnssec-tools.org.dlv.isc.org
16-Dec-2014 14:21:00.964 debug 3: validating @0xb82bbd28:
badsign-a.test.dnssec-tools.org A: DNS_R_COVERINGNSEC
16-Dec-2014 14:21:00.965 debug 3: validating @0xb82bbd28:
badsign-a.test.dnssec-tools.org A: covering nsec found: '
test.dnssec-tools.org.dlv.isc.org' 'dns-oarc.org.dlv.isc.org' '
edoig.org.dlv.isc.org'
16-Dec-2014 14:21:00.965 debug 3: validating @0xb82bbd28:
badsign-a.test.dnssec-tools.org A: looking for DLV
dnssec-tools.org.dlv.isc.org
16-Dec-2014 14:21:00.966 debug 3: validating @0xb82bbd28:
badsign-a.test.dnssec-tools.org A: DNS_R_COVERINGNSEC
16-Dec-2014 14:21:00.967 debug 3: validating @0xb82bbd28:
badsign-a.test.dnssec-tools.org A: covering nsec found: '
dnssec-tools.org.dlv.isc.org' 'dns-oarc.org.dlv.isc.org' '
edoig.org.dlv.isc.org'
16-Dec-2014 14:21:00.968 debug 3: validating @0xb82bbd28:
badsign-a.test.dnssec-tools.org A: looking for DLV org.dlv.isc.org
16-Dec-2014 14:21:00.969 debug 3: validating @0xb82bbd28:
badsign-a.test.dnssec-tools.org A: DLV lookup: wait
16-Dec-2014 14:21:01.062 debug 3: validating @0xb3505490: org.dlv.isc.org
DLV: starting
16-Dec-2014 14:21:01.063 debug 3: validating @0xb3505490: org.dlv.isc.org
DLV: attempting negative response validation
16-Dec-2014 14:21:01.063 debug 3:   validating @0xb3506088: dlv.isc.org
SOA: starting
16-Dec-2014 14:21:01.064 debug 3:   validating @0xb3506088: dlv.isc.org
SOA: attempting positive response validation
16-Dec-2014 14:21:01.065 debug 3:   validating @0xb3506088: dlv.isc.org
SOA: keyset with trust 8
16-Dec-2014 14:21:01.067 debug 3:   validating @0xb3506088: dlv.isc.org
SOA: verify rdataset (keyid=64263): success
16-Dec-2014 14:21:01.067 debug 3:   validating @0xb3506088: dlv.isc.org
SOA: marking as secure, noqname proof not needed
16-Dec-2014 14:21:01.068 debug 3:   validator @0xb3506088:
dns_validator_destroy
16-Dec-2014 14:21:01.069 debug 3: validating @0xb3505490: org.dlv.isc.org
DLV: in authvalidated
16-Dec-2014 14:21:01.069 debug 3: validating @0xb3505490: org.dlv.isc.org
DLV: resuming nsecvalidate
16-Dec-2014 14:21:01.070 debug 3:   validating @0xb35045f0:
nukuhou.school.nz.dlv.isc.org NSEC: starting
16-Dec-2014 14:21:01.071 debug 3:   validating @0xb35045f0:
nukuhou.school.nz.dlv.isc.org NSEC: attempting positive response validation
16-Dec-2014 14:21:01.072 debug 3:   validating @0xb35045f0:
nukuhou.school.nz.dlv.isc.org NSEC: keyset with trust 8
16-Dec-2014 14:21:01.074 debug 3:   validating @0xb35045f0:
nukuhou.school.nz.dlv.isc.org NSEC: verify rdataset (keyid=64263): success
16-Dec-2014 14:21:01.074 debug 3:   validating @0xb35045f0:
nukuhou.school.nz.dlv.isc.org NSEC: marking as secure, noqname proof not
needed
16-Dec-2014 14:21:01.075 debug 3:   validator @0xb35045f0:
dns_validator_destroy
16-Dec-2014 14:21:01.076 debug 3: validating @0xb3505490: org.dlv.isc.org
DLV: in authvalidated
16-Dec-2014 14:21:01.077 debug 3: validating @0xb3505490: org.dlv.isc.org
DLV: looking for relevant nsec
16-Dec-2014 14:21:01.077 debug 3: validating @0xb3505490: org.dlv.isc.org
DLV: nsec proves name exist (empty)
16-Dec-2014 14:21:01.078 debug 3: validating @0xb3505490: org.dlv.isc.org
DLV: resuming nsecvalidate
16-Dec-2014 14:21:01.079 debug 3: validating @0xb3505490: org.dlv.isc.org
DLV: nonexistence proof(s) found
16-Dec-2014 14:21:01.079 debug 3: validator @0xb3505490:
dns_validator_destroy
16-Dec-2014 14:21:01.080 debug 3: validating @0xb82bbd28:
badsign-a.test.dnssec-tools.org A: in dlvfetched: ncache nxrrset
16-Dec-2014 14:21:01.081 debug 3: validating @0xb82bbd28:
badsign-a.test.dnssec-tools.org A: looking for DLV dlv.isc.org
16-Dec-2014 14:21:01.082 debug 3: validating @0xb82bbd28:
badsign-a.test.dnssec-tools.org A: DLV not found
16-Dec-2014 14:21:01.082 debug 3: validating @0xb82bbd28:
badsign-a.test.dnssec-tools.org A: marking as answer (dlvfetched (3))
16-Dec-2014 14:21:01.083 debug 3: validator @0xb82bbd28:
dns_validator_destroy


I'm not spotting anything significant in there.
I've disabled dnssec-lookaside auto and there are some
differences in the trace, but the general behaviour
is the same.  whitehouse.gov doesn't show the ad flag
and badsign-a.test.dnssec-tools.org is returning an IP.
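The validator trace above is long but repetitive, and the two lines that matter are easy to miss among the DLV chatter. The following script is an added example (not code from the poster or from BIND) that collapses BIND's per-validator debug lines into one outcome per name/type pair and flags the two conditions that explain the symptoms in this thread. It assumes two things about the messages, which hold for BIND's validator: "plain DNSSEC returns unsecure (X)" means no configured trust anchor covered the name as far up as zone X, so seeing X = "." means no root trust anchor was in effect; and "marking as answer (dlvfetched ...)" means the validator gave up after the DLV miss and passed the RRset through unvalidated, which is why neither whitehouse.gov gets the ad flag nor the badly signed test name is rejected. The sample input is a constructed subset of the trace in the post, with the mail client's line wrapping removed so that each record is one line.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: a subset of the BIND validator trace from the post above,
# with the mail-client line wrapping removed so each log record is a single line.
SAMPLE_LOG = """\
16-Dec-2014 14:21:00.285 debug 3: validating @0xb82743d0: . NS: starting
16-Dec-2014 14:21:00.287 debug 3: validating @0xb82743d0: . NS: plain DNSSEC returns unsecure (.): looking for DLV
16-Dec-2014 14:21:00.735 debug 3: validating @0xb82bbd28: badsign-a.test.dnssec-tools.org A: starting
16-Dec-2014 14:21:00.736 debug 3: validating @0xb82bbd28: badsign-a.test.dnssec-tools.org A: plain DNSSEC returns unsecure (.): looking for DLV
16-Dec-2014 14:21:00.911 debug 3: validating @0xb85150b0: dlv.isc.org DNSKEY: starting
16-Dec-2014 14:21:00.920 debug 3: validating @0xb85150b0: dlv.isc.org DNSKEY: signed by trusted key; marking as secure
16-Dec-2014 14:21:00.921 debug 3: validator @0xb85150b0: dns_validator_destroy
16-Dec-2014 14:21:00.952 debug 3: validating @0xb82743d0: . NS: marking as answer (dlvfetched (3))
16-Dec-2014 14:21:01.082 debug 3: validating @0xb82bbd28: badsign-a.test.dnssec-tools.org A: marking as answer (dlvfetched (3))
"""

# One "validating @<id>: <name> <type>: <message>" record per line; the
# "validator @<id>: dns_validator_destroy" lines intentionally do not match.
LINE_RE = re.compile(
    r"^\S+ \S+ debug \d+:\s+validating @(?P<vid>0x[0-9a-f]+): "
    r"(?P<name>\S+) (?P<rtype>[A-Z0-9]+): (?P<msg>.*)$"
)
# Zone at which the validator ran out of trust anchors (assumed meaning, see lead-in).
UNSECURE_RE = re.compile(r"plain DNSSEC returns unsecure \((?P<zone>[^)]*)\)")


@dataclass
class Outcome:
    name: str
    rtype: str
    result: str = "unknown"            # "secure", "unvalidated" or "unknown"
    unsecure_at: Optional[str] = None  # zone where no trust anchor covered the name


def summarize(log_text: str) -> Dict[Tuple[str, str], Outcome]:
    """Collapse per-validator debug lines into one Outcome per (name, type)."""
    out: Dict[Tuple[str, str], Outcome] = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key = (m["name"], m["rtype"])
        rec = out.setdefault(key, Outcome(*key))
        msg = m["msg"]
        u = UNSECURE_RE.search(msg)
        if u:
            rec.unsecure_at = u["zone"]
        if "marking as secure" in msg:
            rec.result = "secure"
        elif "marking as answer" in msg:
            # The validator stopped (here after a DLV miss) and handed the RRset
            # back unvalidated: the client will not see the AD bit for it.
            rec.result = "unvalidated"
    return out


def diagnose(summary: Dict[Tuple[str, str], Outcome]) -> List[str]:
    """Turn the per-name outcomes into the findings a resolver admin should act on."""
    findings: List[str] = []
    if any(o.unsecure_at == "." for o in summary.values()):
        findings.append(
            "no trust anchor covers the root ('.'): verify that the root key is "
            "configured and loaded (for example dnssec-validation auto with managed keys)"
        )
    for o in summary.values():
        if o.result == "unvalidated":
            findings.append(f"{o.name}/{o.rtype} was accepted without validation")
    return findings


if __name__ == "__main__":
    for finding in diagnose(summarize(SAMPLE_LOG)):
        print(finding)
```

Run it over a full trace (`named` logging with the dnssec category at debug 3, as the poster set up) by reading the log file into `summarize()`; the useful signal is that every name, including the root NS set, ends in "unvalidated" with the trust chain giving out at ".", whereas only dlv.isc.org's own DNSKEY is ever marked secure. That pattern points at the resolver's trust anchor configuration rather than at anything about the queried zones.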