OK, so I've tried building dnsmasq on cerowrt, from git head. It seems
to have some trouble validating stuff:

Sun Feb  9 13:04:24 2014 daemon.info dnsmasq[6456]: forwarded mail2.tohojo.dk to 213.80.98.2
Sun Feb  9 13:04:24 2014 daemon.info dnsmasq[6456]: dnssec-query[DNSKEY] tohojo.dk to 213.80.98.2
Sun Feb  9 13:04:24 2014 daemon.info dnsmasq[6456]: dnssec-query[DS] tohojo.dk to 213.80.98.2
Sun Feb  9 13:04:24 2014 daemon.info dnsmasq[6456]: dnssec-query[DNSKEY] dk to 213.80.98.2
Sun Feb  9 13:04:24 2014 daemon.info dnsmasq[6456]: dnssec-query[DS] dk to 213.80.98.2
Sun Feb  9 13:04:24 2014 daemon.info dnsmasq[6456]: reply dk is BOGUS DS
Sun Feb  9 13:04:24 2014 daemon.info dnsmasq[6456]: validation result is BOGUS

This is with dnssec-debug turned on.

I'm not entirely sure how to go about debugging this, but FWIW this
works:

$ dig +dnssec +sigchase mail2.tohojo.dk @213.80.98.2
...snip...
;; WE HAVE MATERIAL, WE NOW DO VALIDATION
;; VERIFYING DS RRset for dk. with DNSKEY:33655: success
;; OK We found DNSKEY (or more) to validate the RRset
;; Ok, find a Trusted Key in the DNSKEY RRset: 19036
;; VERIFYING DNSKEY RRset for . with DNSKEY:19036: success

;; Ok this DNSKEY is a Trusted Key, DNSSEC validation is ok: SUCCESS


Whereas going through the dnsmasq server fails:
$ dig +dnssec +sigchase mail2.tohojo.dk @10.42.8.1
...snip...
;; WE HAVE MATERIAL, WE NOW DO VALIDATION
;; VERIFYING DS RRset for tohojo.dk. with DNSKEY:61294: success
;; OK We found DNSKEY (or more) to validate the RRset
;; Now, we are going to validate this DNSKEY by the DS
;; OK a DS valids a DNSKEY in the RRset
;; Now verify that this DNSKEY validates the DNSKEY RRset
;; VERIFYING DNSKEY RRset for dk. with DNSKEY:26887: success
;; OK this DNSKEY (validated by the DS) validates the RRset of the DNSKEYs, thus the DNSKEY validates the RRset
;; Now, we want to validate the DS :  recursive call


Launch a query to find a RRset of type DNSKEY for zone: .

;; DNSKEYset that signs the RRset to chase:
.                       0       IN      DNSKEY  256 3 8 
AwEAAYRU41/8smgAvuSojEP4jaj5Yll7WPaUKpYvnz2pnX2VIvRn4jsy 
Jns80bloenG6X9ebJVy2CFtZQLKHP8DcKmIFotdgs2HolyocY1am/+33 
4RtzusM2ojkhjn1FRGtuSE9s2TSz1ISv0yVnFyu+EP/ZkiWnDfWeVrJI SEWBEr4V
.                       0       IN      DNSKEY  257 3 8 
AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF 
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX 
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD 
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz 
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS 
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=
.                       0       IN      DNSKEY  256 3 8 
AwEAAb8sU6pbYMWRbkRnEuEZw9NSir707TkOcF+UL1XiK4NDJOvXRyX1 
95Am5dQ7bRnnuySZ3daf37vvjUUhuIWUAQ4stht8nJfYxVQXDYjSpGH5 
I6Hf/0CZEoNP6cNvrQ7AFmKkmv00xWExKQjbvnRPI4bqpMwtHVzn6Wyb BZ6kuqED



Launch a query to find a RRset of type RRSIG for zone: .

;; RRSIG for DNSKEY  is missing  to continue validation : FAILED



Not really sure what to make of this?

-Toke


_______________________________________________
Cerowrt-devel mailing list
https://lists.bufferbloat.net/listinfo/cerowrt-devel
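
The last failure in the dig output above ("RRSIG for DNSKEY is missing") means the answer carried a DNSKEY RRset with no RRSIG covering it. The following is an added example, not part of the original message or of dnsmasq: it scans records in dig's presentation format and lists RRsets that have no covering RRSIG. The sample records are constructed, with placeholder key and signature data and made-up validity dates; the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample in dig presentation format. Key, digest and signature
# data are placeholders and the RRSIG validity dates are made up.
SAMPLE = """\
;; ANSWER SECTION:
dk.   3600 IN DS     26887 8 2 PLACEHOLDERDIGEST
dk.   3600 IN RRSIG  DS 8 1 86400 20140216000000 20140209000000 33655 . PLACEHOLDERSIG
.     0    IN DNSKEY 256 3 8 PLACEHOLDERKEY1
.     0    IN DNSKEY 257 3 8 PLACEHOLDERKEY2
"""

def parse_records(text):
    """Yield (owner, rrtype, rdata_fields) for each one-line record."""
    for line in text.splitlines():
        fields = line.split()
        # Expected layout: owner TTL class type rdata...
        if len(fields) < 5 or fields[0].startswith(";"):
            continue
        if fields[2].upper() != "IN":
            continue
        yield fields[0].lower(), fields[3].upper(), fields[4:]

def signers(text):
    """Map (owner, covered type) -> [(key tag, signer name)] from RRSIGs."""
    found = defaultdict(list)
    for owner, rrtype, rdata in parse_records(text):
        # RRSIG rdata: type-covered alg labels orig-ttl expire incept
        #              key-tag signer signature
        if rrtype == "RRSIG" and len(rdata) >= 8:
            found[(owner, rdata[0].upper())].append((int(rdata[6]), rdata[7]))
    return dict(found)

def unsigned_rrsets(text):
    """Return sorted (owner, type) pairs that have no covering RRSIG."""
    rrsets = {(o, t) for o, t, _ in parse_records(text) if t != "RRSIG"}
    return sorted(rrsets - set(signers(text)))

if __name__ == "__main__":
    for owner, rrtype in unsigned_rrsets(SAMPLE):
        print(f"no RRSIG covering {rrtype} RRset for {owner}")
```

Feeding it the answer section of the same query sent once to the upstream resolver and once to the forwarder shows which RRsets lose their signatures on the way through.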
