>Synopsis: wish: add DANE support to dig
>Category: security/certificate management
>Environment:
System : OpenBSD 5.9
Details : OpenBSD 5.9 (GENERIC) #1561: Fri Feb 26 01:22:37 MST 2016
[email protected]:/usr/src/sys/arch/i386/compile/GENERIC
Architecture: OpenBSD.i386
Machine : i386
>Description:
Support for DANE with dig would be a nice thing. It will not only
be useful for the sysadmin who wants to check his DANE setup but also
for casual users; f.i. you can download a cert, verify its sha256 via
DANE and then check that you have the right cert with programs like
filezilla. It is also possible to delete all root certs for Firefox and
then only import specially trusted certs.
>How-To-Repeat:
If DANE is successfully enabled then the following query should work:
> dig @192.33.4.12 +trusted-key=/etc/trusted-key.key +topdown +sigchase
TLSA _443._tcp.www.elstel.org
ns name: 198.97.190.53
ns name: 192.228.79.201
ns name: 193.0.14.129
ns name: 202.12.27.33
ns name: 192.112.36.4
ns name: 199.7.83.42
ns name: 192.36.148.17
ns name: 192.33.4.12
ns name: 192.5.5.241
ns name: 198.41.0.4
ns name: 199.7.91.13
ns name: 192.58.128.30
ns name: 192.203.230.10
Launch a query to find a RRset of type TLSA for zone:
_443._tcp.www.elstel.org with nameservers:
. 518400 IN NS h.root-servers.net.
. 518400 IN NS b.root-servers.net.
. 518400 IN NS k.root-servers.net.
. 518400 IN NS m.root-servers.net.
. 518400 IN NS g.root-servers.net.
. 518400 IN NS l.root-servers.net.
. 518400 IN NS i.root-servers.net.
. 518400 IN NS c.root-servers.net.
. 518400 IN NS f.root-servers.net.
. 518400 IN NS a.root-servers.net.
. 518400 IN NS d.root-servers.net.
. 518400 IN NS j.root-servers.net.
. 518400 IN NS e.root-servers.net.
no response but there is a delegation in authority section: org.
Launch a query to find a RRset of type DNSKEY for zone: .
;; DNSKEYset:
. 172800 IN DNSKEY 256 3 8
AwEAAarQO0FTE/l6LEKFlZllJIwXuLGd3q5d8S8NH+ntOeIMN81A5wAI
18g3u9w/esNkThwgXTEa2mX1iOPdTcl3yRleAExxF22lEU2E0GKY2XdY
r/BxP5fojJAPRgtEGDl72NSwSnD2/a8uPNirAJZoab36Hlw41QxEl7bm Co0280mt
. 172800 IN DNSKEY 257 3 8
AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=
;; RRSIG of the DNSKEYset:
. 172800 IN RRSIG DNSKEY 8 0 172800
20160505235959 20160421000000 19036 .
SIEw2yBGjB72FvKkavke5w90pBlx7YuKqaEzchZBjWAE6BybMQKT2G5C
Is/R6KAjG9sPCQu5bsu/GAjP2YhCVyVtVZ7x0ngqlbwfwQCuo2Xq+aym
nszrhN0jijmb7sqd9Ww7rFigAkyOaNWGAikVgeuCNvwIhcfVrr2QruO0
z2C4P/ULUyqrnKO3Mr9vK2Z1PiBbO2PtRbFOn3xIkcy3WV+1QLS5Xox0
S3ZZZGj6ICu3v/LbrsuWejmXSvZaMfQt1leo3v4dmhYMzD14xsyx6qb5
2VYDgajsDuhvV0zCavgAoNLwchWhHccagnuufG3YIkbF8rMr1m6f1D/m 5mgXJA==
;; Ok, find a Trusted Key in the DNSKEY RRset: 19036
;; VERIFYING DNSKEY RRset for . with DNSKEY:19036: success
;; DSset:
org. 86400 IN DS 9795 7 1
364DFAB3DAF254CAB477B5675B10766DDAA24982
org. 86400 IN DS 9795 7 2
3922B31B6F3A4EA92B19EB7B52120F031FD8E05FF0B03BAFCF9F891B FE7FF8E5
;; RRSIGset of DSset
org. 86400 IN RRSIG DS 8 1 86400
20160506050000 20160426040000 60615 .
WrL9DCGavlnLqMUlvr6aJY0xVJO+IXnK4CoyjpJtYyq3KSN+Ek+q2pQ0
BC8Uv9AV4xbcMhHq49s7AZdHuWXA5nb5WFpLZREymPQuN+YrKX5/OKg/
hNROGao294VvxFr7Jx4zO62nxT8nLov6mUaprIOtn7eNu4pp76/AJOG0 ZNk=
;; VERIFYING DS RRset for org. with DNSKEY:60615: success
ns name: 199.19.56.1
ns name: 199.249.112.1
ns name: 199.19.54.1
ns name: 199.249.120.1
ns name: 199.19.53.1
ns name: 199.19.57.1
Launch a query to find a RRset of type TLSA for zone:
_443._tcp.www.elstel.org with nameservers:
org. 172800 IN NS a0.org.afilias-nst.info.
org. 172800 IN NS a2.org.afilias-nst.info.
org. 172800 IN NS b0.org.afilias-nst.org.
org. 172800 IN NS b2.org.afilias-nst.org.
org. 172800 IN NS c0.org.afilias-nst.info.
org. 172800 IN NS d0.org.afilias-nst.org.
no response but there is a delegation in authority section: elstel.org.
Launch a query to find a RRset of type DNSKEY for zone: org.
;; DNSKEYset:
org. 900 IN DNSKEY 256 3 7
AwEAAYfohXZJFmgX8vFND9zSkRHcF3tUXxONCDwm7SsLqahRv9+VGi6y
jWXQY67waJiffa3sGH4poHGHfS/Oq5WCV1oaQurxqfQxbF6Mea5o0dSf
gCML3YaoR1Hb0dUQcg/0PHwXeWaYaZ2PzoARYvYi9skh+VNBLJPpHi/s L8t9vb/9
org. 900 IN DNSKEY 256 3 7
AwEAAebZOMc2aV6wi03zOgdiQhZqTbD043sXt5xRsTPn9vxukojZcsa6
cOIrfqPb3l57m7u5H3r8inU8QbsC/aAYV7EOeSGNcK/lQepKSR+rlvq+
7iMXoXVa9dL1tRpHDjNLp6QW+ly/jbfe5nzhptfbiiq3o/uSICf7SxF+ Ho+vp4MD
org. 900 IN DNSKEY 257 3 7
AwEAAZTjbIO5kIpxWUtyXc8avsKyHIIZ+LjC2Dv8naO+Tz6X2fqzDC1b
dq7HlZwtkaqTkMVVJ+8gE9FIreGJ4c8G1GdbjQgbP1OyYIG7OHTc4hv5
T2NlyWr6k6QFz98Q4zwFIGTFVvwBhmrMDYsOTtXakK6QwHovA1+83BsU
ACxlidpwB0hQacbD6x+I2RCDzYuTzj64Jv0/9XsX6AYV3ebcgn4hL1jI
R2eJYyXlrAoWxdzxcW//5yeL5RVWuhRxejmnSVnCuxkfS4AQ485KH2tp
dbWcCopLJZs6tw8q3jWcpTGzdh/v3xdYfNpQNcPImFlxAun3BtORPA2r 8ti6MNoJEHU=
org. 900 IN DNSKEY 257 3 7
AwEAAcMnWBKLuvG/LwnPVykcmpvnntwxfshHlHRhlY0F3oz8AMcuF8gw
9McCw+BoC2YxWaiTpNPuxjSNhUlBtcJmcdkz3/r7PIn0oDf14ept1Y9p
dPh8SbIBIWx50ZPfVRlj8oQXv2Y6yKiQik7bi3MT37zMRU2kw2oy3cgr
sGAzGN4s/C6SFYon5N1Q2O4hGDbeOq538kATOy0GFELjuauV9guX/431
msYu4Rgb5lLuQ3Mx5FSIxXpI/RaAn2mhM4nEZ/5IeRPKZVGydcuLBS8G
ZlxW4qbb8MgRZ8bwMg0pqWRHmhirGmJIt3UuzvN1pSFBfX7ysI9PPhSn wXCNDXk0kk0=
;; RRSIG of the DNSKEYset:
org. 900 IN RRSIG DNSKEY 7 1 900
20160516150430 20160425140430 9795 org.
kumbGrY5g1U4VDWVHdnyMYDk/H7pFvQ/zz8EGfdiOz9T8EJ9zjVYbbj3
LRVLlK/8L4ES+ULEzYdmSApAZ82fDf0WTYJAH77wzaCPM/gCyrvtZCRg
fSHV30Ufk97JV7s/23MKuXWGiy+apk/DTq21BLFlbfU8B3k20vfmL7/T
iqPOpal8nPNsRFT/0L9OkXN4QnxTtushYEKeHLhqGhZfTQtmGsuEOK47
rq/yK3eJ6Kl4IYmLyT1dUlIUhxhMuuZ5jo+m09EUCHa9DMVuCF70os7l
4jhxVZYpK09U4uOFqNY+o8lfkdL6hwk49WHVejqwckWizPyszP1T2VVv ATP4Rg==
org. 900 IN RRSIG DNSKEY 7 1 900
20160516150430 20160425140430 17883 org.
S77MeAnmWX1J6MKKrd++wQ2A6rJqH0cmwnbUu6WtQ1jayCzqRKexRsi+
rmPr9EKVVRDCW+5YCg0NPPnG/TLwXpfIZPmuh2SdnA+Yv8jICtXbdT2u
Zk/riV0K0Y6fG4bVG0fjiskkjeBqN0YoAnPqphGJeOAiXWQuf34+eAWu
Xxx3u+jLahsFu4H5A2V03weCh9HYl6sy+vXYcwuGb+YnNsPdEEDO/svF
tBioZCnqXDJqIEaMnDsSWfvujRrAjs7R5XkPG/c6f5kpTr9N3f8+nfNt
0NZZUmQpoG2nd9TvLpKq1k9hCsRI3ib1zfywG82Ug4CB5cdJQlPK6KNS ZvrFXA==
org. 900 IN RRSIG DNSKEY 7 1 900
20160516150430 20160425140430 20264 org.
VLATNVdC81R+pyrrKp5L6UvPIFHMr71//3FI7MGHiMS17Pi5xARn1tUQ
KB3skjAK+DhGTBp6dhaD9DLfQAojBYuoWmccjt0tMCmkZCFPrDQ0rDEe
zMZiKNYsg+ZYK7ZGS651CkjFTGNc91HXRWjFLl3kWe2hN0yTfHYXDJqi vHM=
;; OK a DS valids a DNSKEY in the RRset
;; Now verify that this DNSKEY validates the DNSKEY RRset
;; VERIFYING DNSKEY RRset for org. with DNSKEY:9795: success
;; DSset:
elstel.org. 86400 IN DS 16410 7 2
5EAEAFA440778E79B6E6B8E2277943E2F43D3A16EFC48A7ECCD353FB 1872E50D
;; RRSIGset of DSset
elstel.org. 86400 IN RRSIG DS 7 2 86400
20160516150430 20160425140430 20264 org.
DJIb7OJOc1ukzJ/VERu09orihDTtzWP9+vT3tQ3ILzRMxU6TO6RtPteW
DcCHlz1v8YUmODQZqZ3VFF+KkJVuxjB6P8bhXCla1L2XMBemsHZUz1rU
fGkOyy0zlecZjtI4o4EDx5bzDKl1sfw04dqMiqs2YIw69KB6YcGKV7Jx bZM=
;; VERIFYING DS RRset for elstel.org. with DNSKEY:20264: success
Launch a query to find a RRset of type TLSA for zone:
_443._tcp.www.elstel.org with nameservers:
elstel.org. 86400 IN NS ns.dotplex.net.
elstel.org. 86400 IN NS ns2.dotplex.de.
Launch a query to find a RRset of type DNSKEY for zone: elstel.org.
;; DNSKEYset:
elstel.org. 14394 IN DNSKEY 256 3 7
AwEAAb8z7NQ8CUBa7qAtLmQSZWej6ecg3QPBk1956TEtmMVsjoz+gyAG
eAk5KEhNA5mNctQhK3Z+3P2AQKPBL5mVUyqZ1ti6HRg1R3xJy19u94Dt
7p7okE92nCYtbpZ/yxwy1bDEFr2oVSBu5ysM3hMMi3QdavE3KOGW7VR3
O/Do+LlcYMJspyfzjR3keG5Zd14zs5MoPIB0gxIRYwO+26TBYvgELz5B
TJgez/qHcrTcI60XyCBfykRJXmsQJRmFOytls2/9CgLuDaeWujlsEGR9
x9Cpm+q6GE3cGWhUvtqEleBFTfXJP6XpIW6huKarjMQrSg1NmaGXknxo 4AzGLd7FVy8=
elstel.org. 14394 IN DNSKEY 257 3 7
AwEAAcD4VRoU9tLLWY01iFzpKhcAYDz07OujNLUccJcQOE+GL2sJdWU8
53xYG4pdXoFEd4gcHUAFzaRVU9T2KAzxCy7J1YWQA9WYxlRSuEzIKFXp
XwHHJaYuxmUD0qzGA/udCR5ZZuFjHLFYYag2PD7ln0QETpMtX/KX4Z/R
pZ94XbAGOCiTQZDhG+RweEtIh7XPyREN2YUwx/N/2H4yEe/M23RxwSpQ
8lcgL0eNuhLNqYHVlIDBhilgc0UdNXDzgaathLA/SpQQXKK9VjiIMUj3
aDBuTv8ONv4Q8LZ9QqwwNUiKlJgA5LnBhABE85vrj3Vtc2+027G9Hc4c la6TaiEltzk=
;; RRSIG of the DNSKEYset:
elstel.org. 14394 IN RRSIG DNSKEY 7 2 14400
20160521210010 20160423210010 16410 elstel.org.
O1NtlU0X6uloTM+eOlOOUw3xNeIeYJO3Azgv7JiHzj8u/hS95NiZ9fvg
vjqjNJK29n2cavszQNEL6AzmnjiQUyzsz9KZ2bKMvXI8wv6/jTNP9Xtw
0P1NeMSJ0TTKxnxXPoD3O296UTTLfxs4ygC3eOZwKdq5gvoq9FFKvj/2
4En1C0ybr2htLNsNhWGzAH28A8jI97yKeC4969WAQRfnveoFVZhBnI3L
wiruMnY+z4eMtTrSrj96oJDr4r1nnPy3gHKO7rSEeQIqOYSLW2eqQTYP
nEgDiWlAf7kHaPNur7YOsOCdfSaZAaudhis4HSca5g4DwAKlA8ScW5XV fhm6qQ==
elstel.org. 14394 IN RRSIG DNSKEY 7 2 14400
20160521210010 20160423210010 59438 elstel.org.
GKD3C3r5uOXQx2HiQhAubqOu7T+kUfrm3tC35y0l/nrvpQcRM7jpsF/c
o0ox+xOg3p7YfXIeDm3vc8ISc8N2a1d8qvrm8yzpgdusNNEua+TsskaP
6ZsuYKIjGCiHiwj3KcF07A5k+JGT8zhj/QySaZvCjMjHnGRLgMbLCS9Y
A3KPLJ7L6BgUow7sdfsHkkvJIElmcvNN8Ay+gRFME4cQ0kDKT8o4YImb
Hla6ejS0JBozOEznvxesLakjeANaHtYZP3I2UUg16/w6wKF5V2/jdiTK
6PF+M031MtAsXd2anOB5Jv5U0F6il3807bavt2tZq7+3UGRllSJxSino cD8wbA==
;; OK a DS valids a DNSKEY in the RRset
;; Now verify that this DNSKEY validates the DNSKEY RRset
;; VERIFYING DNSKEY RRset for elstel.org. with DNSKEY:16410: success
;; VERIFYING TLSA RRset for _443._tcp.www.elstel.org. with DNSKEY:59438:
success
;; The Answer:
_443._tcp.www.elstel.org. 21600 IN TLSA 3 0 1
14F1B9A942A254F2302E303667E59829FFE4D59A23CA4CBC9653A5DD 1987C8A5
;; FINISH : we have validate the DNSSEC chain of trust: SUCCESS
;; cleanandgo
>Fix:
* provide /etc/trusted-key.key by 'dig @194.150.168.168 . DNSKEY | egrep -v "^($|;)" >/etc/trusted-key.key'
compare that you have the right one (f.i. with another distro)
* compile dig with DANE support
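The manual check the description talks about (download a certificate, verify its SHA-256 against the TLSA record dig returned) as an added Python example; this is not code from the report, from dig or from BIND. It parses TLSA rdata in the form dig prints it (the "3 0 1 14F1B9... 1987C8A5" record above), computes the RFC 6698 certificate association data for selector 0 with matching types 0, 1 and 2, and applies the usage field: DANE-EE/PKIX-EE (3/1) must match the end-entity certificate, DANE-TA/PKIX-TA (2/0) may match any certificate in the presented chain. The certificate bytes are a constructed stand-in, and selector 1 (SubjectPublicKeyInfo) is deliberately left unimplemented because it needs ASN.1 parsing.

```python
import hashlib
from typing import List, NamedTuple

class TLSA(NamedTuple):
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int      # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes     # certificate association data

def parse_tlsa(rdata: str) -> TLSA:
    """Parse TLSA rdata in presentation format as dig prints it,
    e.g. '3 0 1 14F1B9...A5DD 1987C8A5' (dig splits long hex with spaces)."""
    usage, selector, mtype, *hexparts = rdata.split()
    return TLSA(int(usage), int(selector), int(mtype),
                bytes.fromhex("".join(hexparts)))

def association_data(cert_der: bytes, selector: int, mtype: int) -> bytes:
    """Certificate association data for one certificate (RFC 6698 2.1.3).
    Only selector 0 (the full DER certificate) is handled; selector 1
    would need the SubjectPublicKeyInfo extracted from the DER."""
    if selector != 0:
        raise NotImplementedError("selector 1 (SPKI) needs an ASN.1 parser")
    if mtype == 0:
        return cert_der
    if mtype == 1:
        return hashlib.sha256(cert_der).digest()
    if mtype == 2:
        return hashlib.sha512(cert_der).digest()
    raise ValueError(f"unknown matching type {mtype}")

def tlsa_matches(rec: TLSA, chain: List[bytes]) -> bool:
    """chain[0] is the end-entity certificate the server presented.
    Usages 1 and 3 constrain the end-entity certificate; usages 0 and 2
    name a trust anchor, which may sit anywhere in the presented chain.
    The PKIX validation that usages 0 and 1 also require is not done here."""
    candidates = chain[:1] if rec.usage in (1, 3) else chain
    return any(association_data(c, rec.selector, rec.mtype) == rec.data
               for c in candidates)

def tlsa_rdata_for(cert_der: bytes, usage: int, selector: int, mtype: int) -> str:
    """Presentation-format rdata you would publish for cert_der."""
    data = association_data(cert_der, selector, mtype)
    return f"{usage} {selector} {mtype} {data.hex().upper()}"

# Constructed stand-in for a DER certificate; for selector 0 only the bytes matter.
FAKE_CERT = b"\x30\x82\x01\x00constructed-stand-in-for-a-DER-certificate"
```

With a real certificate, pass the DER bytes (e.g. the output of `openssl x509 -outform DER`) as chain[0] and the TLSA rdata string copied from the dig answer.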
SENDBUG: dmesg, pcidump, acpidump and usbdevs are attached.
SENDBUG: Feel free to delete or use the -D flag if they contain
sensitive information.