Yea! I am under the impression that the still-missing functionality is nsec3? Is the local-to-dnsmasq domain signable?
On Mon, Feb 10, 2014 at 8:59 AM, Toke Høiland-Jørgensen <[email protected]> wrote:
> Simon Kelley <[email protected]> writes:
>
>> OK. Fix (I think), in git now. Please could you test? (A byte-order problem,
>> inevitably).
>
> Yay, seems to work:
>
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: query[A] files.toke.dk from 10.42.0.7
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: forwarded files.toke.dk to 213.80.98.3
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: forwarded files.toke.dk to 213.80.98.2
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: dnssec-query[DNSKEY] toke.dk to 213.80.98.2
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: dnssec-query[DS] toke.dk to 213.80.98.2
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: dnssec-query[DNSKEY] dk to 213.80.98.2
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: dnssec-query[DS] dk to 213.80.98.2
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply dk is DS keytag 26887
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply dk is DNSKEY keytag 26887
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply dk is DNSKEY keytag 7665
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply dk is DNSKEY keytag 61294
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply dk is DNSKEY keytag 31369
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply toke.dk is DS keytag 65122
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply toke.dk is DNSKEY keytag 65122
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply toke.dk is DNSKEY keytag 22551
> Mon Feb 10 17:55:47 2014 daemon.err dnsmasq[11296]: Unexpected missing data for DNSSEC validation
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: validation result is INSECURE
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply files.toke.dk is <CNAME>
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply web2.tohojo.dk is 144.76.141.113
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: query[AAAA] files.toke.dk from 10.42.0.7
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: cached files.toke.dk is <CNAME>
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: forwarded files.toke.dk to 213.80.98.2
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: dnssec-query[DNSKEY] tohojo.dk to 213.80.98.2
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: dnssec-query[DS] tohojo.dk to 213.80.98.2
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply tohojo.dk is DS keytag 49471
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply tohojo.dk is DNSKEY keytag 49471
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply tohojo.dk is DNSKEY keytag 30141
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: validation result is SECURE
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply files.toke.dk is <CNAME>
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply web2.tohojo.dk is 2a01:4f8:200:3141::102
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: query[MX] files.toke.dk from 10.42.0.7
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: forwarded files.toke.dk to 213.80.98.2
> Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: validation result is SECURE
>
>
> Dunno why it starts out insecure (?), but seems to get to the right
> place.
>
> Can also do sigchase:
>
> $ dig +sigchase files.toke.dk @10.42.0.8
> ...snip...
>
>
> Launch a query to find a RRset of type DS for zone: .
> ;; NO ANSWERS: no more
>
> ;; WARNING There is no DS for the zone: .
>
>
>
> ;; WE HAVE MATERIAL, WE NOW DO VALIDATION
> ;; VERIFYING DS RRset for dk. with DNSKEY:33655: success
> ;; OK We found DNSKEY (or more) to validate the RRset
> ;; Ok, find a Trusted Key in the DNSKEY RRset: 19036
> ;; VERIFYING DNSKEY RRset for . with DNSKEY:19036: success
>
> ;; Ok this DNSKEY is a Trusted Key, DNSSEC validation is ok: SUCCESS
>
>
>
> But not +trace:
>
> $ dig +trace +sigchase files.toke.dk @10.42.0.8
>
> ; <<>> DiG 9.9.2-P2 <<>> +trace +sigchase files.toke.dk @10.42.0.8
> ;; global options: +cmd
> .                       86891   IN      NS      d.root-servers.net.
> .                       86891   IN      NS      l.root-servers.net.
> .                       86891   IN      NS      h.root-servers.net.
> .                       86891   IN      NS      j.root-servers.net.
> .                       86891   IN      NS      b.root-servers.net.
> .                       86891   IN      NS      m.root-servers.net.
> .                       86891   IN      NS      k.root-servers.net.
> .                       86891   IN      NS      f.root-servers.net.
> .                       86891   IN      NS      e.root-servers.net.
> .                       86891   IN      NS      g.root-servers.net.
> .                       86891   IN      NS      a.root-servers.net.
> .                       86891   IN      NS      c.root-servers.net.
> .                       86891   IN      NS      i.root-servers.net.
> .                       325955  IN      RRSIG   NS 8 0 518400 20140215000000 20140207230000 33655 . cZOSrkiewfX+HdA2covOiYL+Z8xgBoCpJm4VZq083M51CvIFBipG1/BO JYYiRzmpQJN/l6FI5RBKmDVFq/RqkVineoIYrsIZL9RRcAF+phPO+kHU YU3ckdHZroDZCu1QUPd+Kr6Y8+9GBH8wYM++0Z6tLRA+iZXbNOadfZ9o euU=
> dk.                     172800  IN      NS      l.nic.dk.
> dk.                     172800  IN      NS      p.nic.dk.
> dk.                     172800  IN      NS      s.nic.dk.
> dk.                     172800  IN      NS      b.nic.dk.
> dk.                     172800  IN      NS      c.nic.dk.
> dk.                     172800  IN      NS      a.nic.dk.
> dk.                     86400   IN      DS      26887 8 2 A1AB8546B80E438A7DFE0EC559A7088EC5AED3C4E0D26B1B60ED3735 F853DFD7
> dk.                     86400   IN      RRSIG   DS 8 1 86400 20140217000000 20140209230000 33655 . aK1OgJzktVeo2i83KdOig62wyqkxcQmbbQePi4T7zI4OhPzI5LMz9kbS W/V7bOgNBfYBjDJg4JEYIAC0esCrGPtbAsKQ7YrKiZikNAhlD/BgTvtD JQJxc+7f4xUa6Y7/9DBKmG8Du+DftF99RngT/hCgr9hZme9YkvtGaEyo CZI=
> toke.dk.                86400   IN      NS      ns2.gratisdns.dk.
> toke.dk.                86400   IN      NS      ns1.gratisdns.dk.
> toke.dk.                86400   IN      NS      ns4.gratisdns.dk.
> toke.dk.                86400   IN      NS      ns5.gratisdns.dk.
> toke.dk.                86400   IN      NS      ns3.gratisdns.dk.
> toke.dk.                86400   IN      DS      65122 5 1 A6FEBBA66365D55C97F8671688AD52883AB582A6
> toke.dk.                86400   IN      RRSIG   DS 8 2 86400 20140308183226 20140208200232 61294 dk. thrq3zR+toPNxDln/H/qWBJbjkNK8/NosI6oriQBPXzzcd6HzOdg7l67 kbmje94nwOysKIMCz/YiNjmnEfa7X0NorTZ+e3HOyTRG+NpyQoywgxvj TAFDGuu8hsussW+ohheb0efhX4/0YSamSsSBeAImPYWTdUQY10U0sXDq BCE=
> files.toke.dk.          43200   IN      CNAME   web2.tohojo.dk.
> files.toke.dk.          43200   IN      RRSIG   CNAME 5 3 43200 20140311112400 20140209112400 22551 toke.dk. ObiMhHqVUSxsje4979EzuiDoCt7z1r1Gl946gmY9ZDe7Es+7jg1l7m8/ vyVhPDRxqNxEAsTmFXF6mkwKkK60ag==
> ;; RRset to chase:
> files.toke.dk.          43200   IN      CNAME   web2.tohojo.dk.
>
>
> ;; RRSIG of the RRset to chase:
> files.toke.dk.          43200   IN      RRSIG   CNAME 5 3 43200 20140311112400 20140209112400 22551 toke.dk. ObiMhHqVUSxsje4979EzuiDoCt7z1r1Gl946gmY9ZDe7Es+7jg1l7m8/ vyVhPDRxqNxEAsTmFXF6mkwKkK60ag==
>
>
>
> Launch a query to find a RRset of type DNSKEY for zone: toke.dk.
> toke.dk.                43200   IN      DNSKEY  256 3 5 AwEAAaYKHaUARHUtPhVTEC6vTc0SR142BVj1P/wtgCjacCkGDN5wB6Cm Y0xEwUl+NuT9btz0xQmDGOMJEKunK+HpOh0=
> toke.dk.                43200   IN      DNSKEY  257 3 5 AwEAAdV59e0KX1JymujkIbzikKCEVSExW3ixJ81hiboCHSvZv+LlMxlG sWT6uJrcEOENF+fZnDcl3u0WRgd3ctv9d40=
> toke.dk.                43200   IN      RRSIG   DNSKEY 5 2 43200 20140311112400 20140209112400 22551 toke.dk. CzZARTabg0VR00Ksv0Uz+qRqRvl06fTTZHa0k17Ccg7JdrvsnZ5DgJKy dhM7j3Rb4LHfZbcoTXXABICCvSQnoQ==
> toke.dk.                43200   IN      RRSIG   DNSKEY 5 2 43200 20140311112400 20140209112400 65122 toke.dk. Q9OqTdh4s3aGn9ExkTnYwPk8j+V9cTjEjLGXD8zY5l0HewORrqJT5Ebn R0YvK/xH/2XLnueAZ/q8khlSfjhFzA==
>
> ;; DNSKEYset that signs the RRset to chase:
> toke.dk.                43200   IN      DNSKEY  256 3 5 AwEAAaYKHaUARHUtPhVTEC6vTc0SR142BVj1P/wtgCjacCkGDN5wB6Cm Y0xEwUl+NuT9btz0xQmDGOMJEKunK+HpOh0=
> toke.dk.                43200   IN      DNSKEY  257 3 5 AwEAAdV59e0KX1JymujkIbzikKCEVSExW3ixJ81hiboCHSvZv+LlMxlG sWT6uJrcEOENF+fZnDcl3u0WRgd3ctv9d40=
>
>
> ;; RRSIG of the DNSKEYset that signs the RRset to chase:
> toke.dk.                43200   IN      RRSIG   DNSKEY 5 2 43200 20140311112400 20140209112400 22551 toke.dk. CzZARTabg0VR00Ksv0Uz+qRqRvl06fTTZHa0k17Ccg7JdrvsnZ5DgJKy dhM7j3Rb4LHfZbcoTXXABICCvSQnoQ==
> toke.dk.                43200   IN      RRSIG   DNSKEY 5 2 43200 20140311112400 20140209112400 65122 toke.dk. Q9OqTdh4s3aGn9ExkTnYwPk8j+V9cTjEjLGXD8zY5l0HewORrqJT5Ebn R0YvK/xH/2XLnueAZ/q8khlSfjhFzA==
>
>
> ;; DSset of the DNSKEYset
> toke.dk.                86400   IN      DS      65122 5 1 A6FEBBA66365D55C97F8671688AD52883AB582A6
>
>
> ;; RRSIG of the DSset of the DNSKEYset
> toke.dk.                86400   IN      RRSIG   DS 8 2 86400 20140308183226 20140208200232 61294 dk. thrq3zR+toPNxDln/H/qWBJbjkNK8/NosI6oriQBPXzzcd6HzOdg7l67 kbmje94nwOysKIMCz/YiNjmnEfa7X0NorTZ+e3HOyTRG+NpyQoywgxvj TAFDGuu8hsussW+ohheb0efhX4/0YSamSsSBeAImPYWTdUQY10U0sXDq BCE=
>
>
>
>
> ;; WE HAVE MATERIAL, WE NOW DO VALIDATION
> ;; VERIFYING CNAME RRset for files.toke.dk. with DNSKEY:22551: success
> ;; OK We found DNSKEY (or more) to validate the RRset
> ;; Now, we are going to validate this DNSKEY by the DS
> ;; OK a DS valids a DNSKEY in the RRset
> ;; Now verify that this DNSKEY validates the DNSKEY RRset
> ;; VERIFYING DNSKEY RRset for toke.dk. with DNSKEY:65122: success
> ;; OK this DNSKEY (validated by the DS) validates the RRset of the DNSKEYs,
> thus the DNSKEY validates the RRset
> ;; Now, we want to validate the DS : recursive call
>
>
> Launch a query to find a RRset of type DNSKEY for zone: dk.
> ;; NO ANSWERS: no more
>
> ;; DNSKEY is missing to continue validation: FAILED
>
>
> -Toke
>
> _______________________________________________
> Cerowrt-devel mailing list
> [email protected]
> https://lists.bufferbloat.net/listinfo/cerowrt-devel
>

-- 
Dave Täht

Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html
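The dnsmasq log quoted above is the kind of thing an operator ends up grepping by hand when a resolver is first switched to validating mode: which query produced the "Unexpected missing data" error, which zones' DS and DNSKEY keytags actually line up, and which lookups ended INSECURE rather than SECURE. The script below is an added example written for this page, not code from the thread, from dnsmasq or from the cerowrt project. It parses the log lines quoted in Toke's message (the sample input is copied from them), groups them into one record per `query[...]` line, and flags any lookup whose DS keytags have no matching DNSKEY, that logged an error, or that did not validate as SECURE. The grouping assumes a single, non-interleaved stream of log lines, which is an assumption of this example and not something dnsmasq guarantees on a busy resolver.

```python
import re
from collections import defaultdict

# Log lines copied from the dnsmasq output quoted in the thread: an A, an
# AAAA and an MX lookup of files.toke.dk, with a few uninteresting lines
# ("forwarded", "cached") kept so the parser is seen to skip them.
SAMPLE_LOG = """\
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: query[A] files.toke.dk from 10.42.0.7
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: forwarded files.toke.dk to 213.80.98.2
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: dnssec-query[DNSKEY] toke.dk to 213.80.98.2
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: dnssec-query[DS] toke.dk to 213.80.98.2
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply dk is DS keytag 26887
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply dk is DNSKEY keytag 26887
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply dk is DNSKEY keytag 7665
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply dk is DNSKEY keytag 61294
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply dk is DNSKEY keytag 31369
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply toke.dk is DS keytag 65122
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply toke.dk is DNSKEY keytag 65122
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply toke.dk is DNSKEY keytag 22551
Mon Feb 10 17:55:47 2014 daemon.err dnsmasq[11296]: Unexpected missing data for DNSSEC validation
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: validation result is INSECURE
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply files.toke.dk is <CNAME>
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply web2.tohojo.dk is 144.76.141.113
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: query[AAAA] files.toke.dk from 10.42.0.7
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: cached files.toke.dk is <CNAME>
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply tohojo.dk is DS keytag 49471
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply tohojo.dk is DNSKEY keytag 49471
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: reply tohojo.dk is DNSKEY keytag 30141
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: validation result is SECURE
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: query[MX] files.toke.dk from 10.42.0.7
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: forwarded files.toke.dk to 213.80.98.2
Mon Feb 10 17:55:47 2014 daemon.info dnsmasq[11296]: validation result is SECURE
"""

# syslog-style prefix as it appears in the quoted log; only the message part is parsed further
PREFIX_RE = re.compile(r'^\w{3} \w{3} +\d+ [\d:]+ \d{4} (?P<prio>\S+) dnsmasq\[\d+\]: (?P<msg>.*)$')
QUERY_RE = re.compile(r'^query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)$')
KEY_RE = re.compile(r'^reply (?P<zone>\S+) is (?P<rtype>DS|DNSKEY) keytag (?P<tag>\d+)$')
RESULT_RE = re.compile(r'^validation result is (?P<result>\S+)$')


def parse_dnssec_log(text):
    """Split a dnsmasq log into one record per client query.

    Assumption of this example: lines are not interleaved, so everything
    between two 'query[...]' lines belongs to the query that opened the block.
    """
    records, cur = [], None
    for raw in text.splitlines():
        m = PREFIX_RE.match(raw)
        if not m:
            continue                      # not a dnsmasq line at all
        msg = m['msg']
        q = QUERY_RE.match(msg)
        if q:                             # a new client query opens a record
            cur = {'qtype': q['qtype'], 'name': q['name'], 'client': q['client'],
                   'ds': defaultdict(set), 'dnskey': defaultdict(set),
                   'errors': [], 'result': None}
            records.append(cur)
            continue
        if cur is None:
            continue                      # chain material before any query line
        k = KEY_RE.match(msg)
        if k:                             # 'ds' or 'dnskey' keytag seen for a zone
            cur[k['rtype'].lower()][k['zone']].add(int(k['tag']))
        elif m['prio'].endswith('.err'):  # dnsmasq logs validator trouble at .err
            cur['errors'].append(msg)
        else:
            r = RESULT_RE.match(msg)
            if r:
                cur['result'] = r['result']
    return records


def audit(records):
    """Return one finding per query whose DNSSEC outcome deserves a look."""
    findings = []
    for rec in records:
        reasons = []
        # A DS in the parent must match the keytag of a DNSKEY in the child;
        # a zone with a DS but no matching DNSKEY is a broken link in the chain.
        for zone, ds_tags in rec['ds'].items():
            if not ds_tags & rec['dnskey'].get(zone, set()):
                reasons.append(f'no DNSKEY matching DS keytag(s) {sorted(ds_tags)} for {zone}')
        reasons.extend(f'error logged: {e}' for e in rec['errors'])
        if rec['result'] != 'SECURE':
            reasons.append(f'validation result is {rec["result"]}')
        if reasons:
            findings.append({'query': f"{rec['qtype']} {rec['name']}", 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for f in audit(parse_dnssec_log(SAMPLE_LOG)):
        print(f['query'])
        for reason in f['reasons']:
            print('  -', reason)
```

Run against the quoted log, only the first lookup (`A files.toke.dk`) is reported: its DS and DNSKEY keytags for `dk` and `toke.dk` do line up (26887 and 65122 respectively), so the reasons are the `daemon.err` line and the INSECURE result, which is exactly the oddity Toke remarks on. The AAAA and MX lookups validate SECURE and produce no finding. On a real resolver, feed it `logread` or the syslog file and treat a query that logs an error or lands INSECURE for a zone that does publish a DS as something to investigate rather than something to ignore.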
