severity 607794 serious thanks So, I managed to reproduce the problem which has come up a few times now. Note that 9.7.2.dfsg.P3 is not affected, only 9.6.ESV.R3 in stable.
With bind9 set up and configured to use the DLV:
| [debian-i386-lenny] kate:/# dig +dnssec @localhost -t ns debian.org
|
| ; <<>> DiG 9.6-ESV-R3 <<>> +dnssec @localhost -t ns debian.org
| ; (2 servers found)
| ;; global options: +cmd
| ;; Got answer:
| ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1320
| ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 7
|
| ;; OPT PSEUDOSECTION:
| ; EDNS: version: 0, flags: do; udp: 4096
| ;; QUESTION SECTION:
| ;debian.org. IN NS
|
| ;; ANSWER SECTION:
| debian.org. 28800 IN NS ns2.debian.org.
| debian.org. 28800 IN NS ns1.debian.org.
| debian.org. 28800 IN NS ns4.debian.com.
| debian.org. 28800 IN RRSIG NS 7 2 28800 20110214203553
20110117203553 42257 debian.org.
PA74e7H68hDACO/Y+ik7Nz4yirKWV6PRL/W1S53fLDFGsxilEIdPh3vo
VNpJTS+BB847a3GmWNtvkPMRlnozp9tkwfeUkzSwp0YqyWKH5nfDK57Y
f1C9MGuAgwppSOc3kL6rl9CmuELVY/FKDubDhFYjr+8hfDMPaF7mZDgX
wJ3mSes+qQjkwGyurBnCwiUC
|
| ;; ADDITIONAL SECTION:
| ns1.debian.org. 28800 IN A 206.12.19.5
| ns1.debian.org. 28800 IN AAAA
2607:f8f0:610:4000:214:38ff:feee:b65a
| ns2.debian.org. 28800 IN A 128.31.0.51
| ns1.debian.org. 28800 IN RRSIG A 7 3 28800 20110214203553
20110117203553 42257 debian.org.
FWNBZH4B2f81g7ixQ2pgqt/R468voPM9VnIqAhhQRlzhaAoKJIY5VyVk
WwsM58oj1NHlhIz9tqjlCz31UZ0vg3CW3vHE0LmpfJDlNgzsFFZQUui1
xkrPbzliXx0V+kWURUtHj4xHFtoULd53tDjRS2RDMOnARnv3k9dv5tXS
NunZCadISAiHIkS15lSZaFhm
| ns1.debian.org. 28800 IN RRSIG AAAA 7 3 28800 20110214203553
20110117203553 42257 debian.org.
QbU3pfWFRSfOTLuKxARBKltkNq2eyg/hA8pbUlZjNk8yibh12E4ezr8+
/ZQ5KCQDZ/XC4hLDM8c+gqo5Q50m9Qd+J7sSBZJcl2La1B75gD9lMkCi
RxcaHBPSlo8Yzmj2jZEFJ65gpsDUb1K0IHEZhTY4KRSkBTuOk/LsuUcD
VZJlAQud4ZEcu02MubaCo6FO
| ns2.debian.org. 28800 IN RRSIG A 7 3 28800 20110214203553
20110117203553 42257 debian.org.
HfiZwIBsmXZYsIpkv/nsCBqoz3B8OWZK7rMp4Eloj+KW3W9hMGOdgyJd
43OAUGpmypbJn9esbnjyXMVbP974nrElT2ZqnLMCoekZ3CnNom+bsq/2
MFGj/zE9SAVVzaGGKeQnIwOctZhTmVUNPKV8w2Ox5ohPxl5wiazV7IR0
XhYIXHJkvmDWM89alvQ6z26O
|
| ;; Query time: 719 msec
| ;; SERVER: 127.0.0.1#53(127.0.0.1)
| ;; WHEN: Wed Jan 19 09:55:34 2011
| ;; MSG SIZE rcvd: 907
| [debian-i386-lenny] kate:/# dig +dnssec @localhost -t ns www.debian.org
|
| ; <<>> DiG 9.6-ESV-R3 <<>> +dnssec @localhost -t ns www.debian.org
| ; (2 servers found)
| ;; global options: +cmd
| ;; Got answer:
| ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 58482
| ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
|
| ;; OPT PSEUDOSECTION:
| ; EDNS: version: 0, flags: do; udp: 4096
| ;; QUESTION SECTION:
| ;www.debian.org. IN NS
|
| ;; Query time: 1243 msec
| ;; SERVER: 127.0.0.1#53(127.0.0.1)
| ;; WHEN: Wed Jan 19 09:55:39 2011
| ;; MSG SIZE rcvd: 43
Attached is a script that allows you to reproduce this easily, if you have a
lenny chroot. Also attached is the dnssec log.
--
| .''`. ** Debian GNU/Linux **
Peter Palfrader | : :' : The universal
http://www.palfrader.org/ | `. `' Operating System
| `- http://www.debian.org/
bind-dlv-failure.sh
Description: Bourne shell script
19-Jan-2011 09:50:14.516 dnssec: debug 3: validating @0xf7a63bc8: . NS: starting 19-Jan-2011 09:50:14.516 dnssec: debug 3: validating @0xf7a63bc8: . NS: looking for DLV 19-Jan-2011 09:50:14.516 dnssec: debug 3: validating @0xf7a63bc8: . NS: plain DNSSEC returns unsecure (.): looking for DLV 19-Jan-2011 09:50:14.516 dnssec: debug 3: validating @0xf7a63bc8: . NS: looking for DLV dlv.isc.org 19-Jan-2011 09:50:14.516 dnssec: debug 3: validating @0xf7a63bc8: . NS: DLV lookup: wait 19-Jan-2011 09:50:14.803 dnssec: debug 3: validating @0xf7aaadd0: debian.org NS: starting 19-Jan-2011 09:50:14.803 dnssec: debug 3: validating @0xf7aaadd0: debian.org NS: looking for DLV 19-Jan-2011 09:50:14.803 dnssec: debug 3: validating @0xf7aaadd0: debian.org NS: plain DNSSEC returns unsecure (.): looking for DLV 19-Jan-2011 09:50:14.803 dnssec: debug 3: validating @0xf7aaadd0: debian.org NS: looking for DLV debian.org.dlv.isc.org 19-Jan-2011 09:50:14.804 dnssec: debug 3: validating @0xf7aaadd0: debian.org NS: DLV lookup: wait 19-Jan-2011 09:50:15.114 dnssec: debug 3: validating @0xf7d5c898: dlv.isc.org DLV: starting 19-Jan-2011 09:50:15.114 dnssec: debug 3: validating @0xf7d5c898: dlv.isc.org DLV: attempting negative response validation 19-Jan-2011 09:50:15.114 dnssec: debug 3: validating @0xf7d658e0: dlv.isc.org SOA: starting 19-Jan-2011 09:50:15.114 dnssec: debug 3: validating @0xf7d658e0: dlv.isc.org SOA: attempting positive response validation 19-Jan-2011 09:50:15.238 dnssec: debug 3: validating @0xf7d648d8: debian.org.dlv.isc.org DLV: starting 19-Jan-2011 09:50:15.238 dnssec: debug 3: validating @0xf7d648d8: debian.org.dlv.isc.org DLV: attempting positive response validation 19-Jan-2011 09:50:15.294 dnssec: debug 3: validating @0xf7d4e828: dlv.isc.org DNSKEY: starting 19-Jan-2011 09:50:15.294 dnssec: debug 3: validating @0xf7d4e828: dlv.isc.org DNSKEY: attempting positive response validation 19-Jan-2011 09:50:15.296 dnssec: debug 3: validating @0xf7d4e828: dlv.isc.org DNSKEY: verify rdataset (keyid=19297): success 19-Jan-2011 09:50:15.296 dnssec: debug 3: validating @0xf7d4e828: dlv.isc.org DNSKEY: signed by trusted key; marking as secure 19-Jan-2011 09:50:15.296 dnssec: debug 3: validator @0xf7d4e828: dns_validator_destroy 19-Jan-2011 09:50:15.296 dnssec: debug 3: validating @0xf7d658e0: dlv.isc.org SOA: in fetch_callback_validator 19-Jan-2011 09:50:15.296 dnssec: debug 3: validating @0xf7d658e0: dlv.isc.org SOA: keyset with trust 8 19-Jan-2011 09:50:15.296 dnssec: debug 3: validating @0xf7d648d8: debian.org.dlv.isc.org DLV: in fetch_callback_validator 19-Jan-2011 09:50:15.296 dnssec: debug 3: validating @0xf7d648d8: debian.org.dlv.isc.org DLV: keyset with trust 8 19-Jan-2011 09:50:15.296 dnssec: debug 3: validating @0xf7d658e0: dlv.isc.org SOA: resuming validate 19-Jan-2011 09:50:15.296 dnssec: debug 3: validating @0xf7d648d8: debian.org.dlv.isc.org DLV: resuming validate 19-Jan-2011 09:50:15.297 dnssec: debug 3: validating @0xf7d658e0: dlv.isc.org SOA: verify rdataset (keyid=64263): success 19-Jan-2011 09:50:15.297 dnssec: debug 3: validating @0xf7d658e0: dlv.isc.org SOA: marking as secure 19-Jan-2011 09:50:15.297 dnssec: debug 3: validator @0xf7d658e0: dns_validator_destroy 19-Jan-2011 09:50:15.297 dnssec: debug 3: validating @0xf7d5c898: dlv.isc.org DLV: in authvalidated 19-Jan-2011 09:50:15.297 dnssec: debug 3: validating @0xf7d5c898: dlv.isc.org DLV: resuming nsecvalidate 19-Jan-2011 09:50:15.297 dnssec: debug 3: validating @0xf7d4e828: dlv.isc.org NSEC: starting 19-Jan-2011 09:50:15.297 dnssec: debug 3: validating @0xf7d4e828: dlv.isc.org NSEC: attempting positive response validation 19-Jan-2011 09:50:15.297 dnssec: debug 3: validating @0xf7d648d8: debian.org.dlv.isc.org DLV: verify rdataset (keyid=64263): success 19-Jan-2011 09:50:15.297 dnssec: debug 3: validating @0xf7d4e828: dlv.isc.org NSEC: keyset with trust 8 19-Jan-2011 09:50:15.297 dnssec: debug 3: validating @0xf7d648d8: debian.org.dlv.isc.org DLV: marking as secure 19-Jan-2011 09:50:15.297 dnssec: debug 3: validator @0xf7d648d8: dns_validator_destroy 19-Jan-2011 09:50:15.297 dnssec: debug 3: validating @0xf7aaadd0: debian.org NS: in dlvfetched: success 19-Jan-2011 09:50:15.297 dnssec: debug 3: validating @0xf7aaadd0: debian.org NS: DLV debian.org found 19-Jan-2011 09:50:15.297 dnssec: debug 3: validating @0xf7aaadd0: debian.org NS: dlv_validator_start 19-Jan-2011 09:50:15.297 dnssec: debug 3: validating @0xf7aaadd0: debian.org NS: restarting using DLV 19-Jan-2011 09:50:15.297 dnssec: debug 3: validating @0xf7aaadd0: debian.org NS: attempting positive response validation 19-Jan-2011 09:50:15.298 dnssec: debug 3: validating @0xf7d4e828: dlv.isc.org NSEC: verify rdataset (keyid=64263): success 19-Jan-2011 09:50:15.298 dnssec: debug 3: validating @0xf7d4e828: dlv.isc.org NSEC: marking as secure 19-Jan-2011 09:50:15.298 dnssec: debug 3: validator @0xf7d4e828: dns_validator_destroy 19-Jan-2011 09:50:15.298 dnssec: debug 3: validating @0xf7d5c898: dlv.isc.org DLV: in authvalidated 19-Jan-2011 09:50:15.298 dnssec: debug 3: validating @0xf7d5c898: dlv.isc.org DLV: looking for relevant nsec 19-Jan-2011 09:50:15.298 dnssec: debug 3: validating @0xf7d5c898: dlv.isc.org DLV: nsec proves name exists (owner) data=0 19-Jan-2011 09:50:15.298 dnssec: debug 3: validating @0xf7d5c898: dlv.isc.org DLV: resuming nsecvalidate 19-Jan-2011 09:50:15.298 dnssec: debug 3: validating @0xf7d5c898: dlv.isc.org DLV: nonexistence proof(s) found 19-Jan-2011 09:50:15.298 dnssec: debug 3: validator @0xf7d5c898: dns_validator_destroy 19-Jan-2011 09:50:15.298 dnssec: debug 3: validating @0xf7a63bc8: . NS: in dlvfetched: ncache nxrrset 19-Jan-2011 09:50:15.298 dnssec: debug 3: validating @0xf7a63bc8: . NS: DLV not found 19-Jan-2011 09:50:15.298 dnssec: debug 3: validating @0xf7a63bc8: . NS: marking as answer (dlvfetched (3)) 19-Jan-2011 09:50:15.298 dnssec: debug 3: validator @0xf7a63bc8: dns_validator_destroy 19-Jan-2011 09:50:15.415 dnssec: debug 3: validating @0xf7a63bc8: debian.org DNSKEY: starting 19-Jan-2011 09:50:15.415 dnssec: debug 3: validating @0xf7a63bc8: debian.org DNSKEY: looking for DLV 19-Jan-2011 09:50:15.415 dnssec: debug 3: validating @0xf7a63bc8: debian.org DNSKEY: plain DNSSEC returns unsecure (.): looking for DLV 19-Jan-2011 09:50:15.415 dnssec: debug 3: validating @0xf7a63bc8: debian.org DNSKEY: looking for DLV debian.org.dlv.isc.org 19-Jan-2011 09:50:15.415 dnssec: debug 3: validating @0xf7a63bc8: debian.org DNSKEY: DLV debian.org found 19-Jan-2011 09:50:15.415 dnssec: debug 3: validating @0xf7a63bc8: debian.org DNSKEY: dlv_validator_start 19-Jan-2011 09:50:15.415 dnssec: debug 3: validating @0xf7a63bc8: debian.org DNSKEY: restarting using DLV 19-Jan-2011 09:50:15.415 dnssec: debug 3: validating @0xf7a63bc8: debian.org DNSKEY: attempting positive response validation 19-Jan-2011 09:50:15.415 dnssec: debug 3: validating @0xf7a63bc8: debian.org DNSKEY: dlv_validatezonekey 19-Jan-2011 09:50:15.416 dnssec: debug 3: validating @0xf7a63bc8: debian.org DNSKEY: Found matching DLV record: checking for signature 19-Jan-2011 09:50:15.416 dnssec: debug 3: validating @0xf7a63bc8: debian.org DNSKEY: verify rdataset (keyid=5283): success 19-Jan-2011 09:50:15.416 dnssec: debug 3: validating @0xf7a63bc8: debian.org DNSKEY: marking as secure 19-Jan-2011 09:50:15.416 dnssec: debug 3: validator @0xf7a63bc8: dns_validator_destroy 19-Jan-2011 09:50:15.416 dnssec: debug 3: validating @0xf7aaadd0: debian.org NS: in fetch_callback_validator 19-Jan-2011 09:50:15.416 dnssec: debug 3: validating @0xf7aaadd0: debian.org NS: keyset with trust 8 19-Jan-2011 09:50:15.416 dnssec: debug 3: validating @0xf7aaadd0: debian.org NS: resuming validate 19-Jan-2011 09:50:15.416 dnssec: debug 3: validating @0xf7aaadd0: debian.org NS: verify rdataset (keyid=42257): success 19-Jan-2011 09:50:15.416 dnssec: debug 3: validating @0xf7aaadd0: debian.org NS: marking as secure 19-Jan-2011 09:50:15.416 dnssec: debug 3: validator @0xf7aaadd0: dns_validator_destroy 19-Jan-2011 09:50:25.796 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: starting 19-Jan-2011 09:50:25.796 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: looking for DLV 19-Jan-2011 09:50:25.796 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: plain DNSSEC returns unsecure (.): looking for DLV 19-Jan-2011 09:50:25.796 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: looking for DLV www.debian.org.dlv.isc.org 19-Jan-2011 09:50:25.796 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: DLV lookup: wait 19-Jan-2011 09:50:25.831 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org.dlv.isc.org DLV: starting 19-Jan-2011 09:50:25.831 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org.dlv.isc.org DLV: attempting negative response validation 19-Jan-2011 09:50:25.831 dnssec: debug 3: validating @0xf7d6d920: dlv.isc.org SOA: starting 19-Jan-2011 09:50:25.831 dnssec: debug 3: validating @0xf7d6d920: dlv.isc.org SOA: attempting positive response validation 19-Jan-2011 09:50:25.831 dnssec: debug 3: validating @0xf7d6d920: dlv.isc.org SOA: keyset with trust 8 19-Jan-2011 09:50:25.832 dnssec: debug 3: validating @0xf7d6d920: dlv.isc.org SOA: verify rdataset (keyid=64263): success 19-Jan-2011 09:50:25.832 dnssec: debug 3: validating @0xf7d6d920: dlv.isc.org SOA: marking as secure 19-Jan-2011 09:50:25.832 dnssec: debug 3: validator @0xf7d6d920: dns_validator_destroy 19-Jan-2011 09:50:25.832 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org.dlv.isc.org DLV: in authvalidated 19-Jan-2011 09:50:25.832 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org.dlv.isc.org DLV: resuming nsecvalidate 19-Jan-2011 09:50:25.832 dnssec: debug 3: validating @0xf7d6d920: debian.org.dlv.isc.org NSEC: starting 19-Jan-2011 09:50:25.832 dnssec: debug 3: validating @0xf7d6d920: debian.org.dlv.isc.org NSEC: attempting positive response validation 19-Jan-2011 09:50:25.832 dnssec: debug 3: validating @0xf7d6d920: debian.org.dlv.isc.org NSEC: keyset with trust 8 19-Jan-2011 09:50:25.832 dnssec: debug 3: validating @0xf7d6d920: debian.org.dlv.isc.org NSEC: verify rdataset (keyid=64263): success 19-Jan-2011 09:50:25.832 dnssec: debug 3: validating @0xf7d6d920: debian.org.dlv.isc.org NSEC: marking as secure 19-Jan-2011 09:50:25.832 dnssec: debug 3: validator @0xf7d6d920: dns_validator_destroy 19-Jan-2011 09:50:25.832 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org.dlv.isc.org DLV: in authvalidated 19-Jan-2011 09:50:25.832 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org.dlv.isc.org DLV: looking for relevant nsec 19-Jan-2011 09:50:25.832 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org.dlv.isc.org DLV: nsec range ok 19-Jan-2011 09:50:25.832 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org.dlv.isc.org DLV: resuming nsecvalidate 19-Jan-2011 09:50:25.832 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org.dlv.isc.org DLV: in checkwildcard: *.debian.org.dlv.isc.org 19-Jan-2011 09:50:25.832 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org.dlv.isc.org DLV: looking for relevant nsec 19-Jan-2011 09:50:25.833 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org.dlv.isc.org DLV: nsec range ok 19-Jan-2011 09:50:25.833 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org.dlv.isc.org DLV: nonexistence proof(s) found 19-Jan-2011 09:50:25.833 dnssec: debug 3: validator @0xf7aaadd0: dns_validator_destroy 19-Jan-2011 09:50:25.833 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: in dlvfetched: ncache nxdomain 19-Jan-2011 09:50:25.833 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: looking for DLV debian.org.dlv.isc.org 19-Jan-2011 09:50:25.833 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: DLV debian.org found 19-Jan-2011 09:50:25.833 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: dlv_validator_start 19-Jan-2011 09:50:25.833 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: restarting using DLV 19-Jan-2011 09:50:25.833 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: attempting positive response validation 19-Jan-2011 09:50:25.864 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DNSKEY: starting 19-Jan-2011 09:50:25.865 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DNSKEY: looking for DLV 19-Jan-2011 09:50:25.865 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DNSKEY: plain DNSSEC returns unsecure (.): looking for DLV 19-Jan-2011 09:50:25.865 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DNSKEY: looking for DLV www.debian.org.dlv.isc.org 19-Jan-2011 09:50:25.865 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DNSKEY: looking for DLV debian.org.dlv.isc.org 19-Jan-2011 09:50:25.865 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DNSKEY: DLV debian.org found 19-Jan-2011 09:50:25.865 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DNSKEY: dlv_validator_start 19-Jan-2011 09:50:25.865 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DNSKEY: restarting using DLV 19-Jan-2011 09:50:25.865 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DNSKEY: attempting positive response validation 19-Jan-2011 09:50:25.865 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DNSKEY: not beneath secure root 19-Jan-2011 09:50:25.865 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DNSKEY: marking as answer (validatezonekey (1)) 19-Jan-2011 09:50:25.865 dnssec: debug 3: validator @0xf7aaadd0: dns_validator_destroy 19-Jan-2011 09:50:25.865 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: in fetch_callback_validator 19-Jan-2011 09:50:25.865 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: keyset with trust 5 19-Jan-2011 09:50:25.865 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: resuming validate 19-Jan-2011 09:50:25.865 dnssec: info: validating @0xf7a63bc8: www.debian.org NS: no valid signature found 19-Jan-2011 09:50:25.865 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: falling back to insecurity proof 19-Jan-2011 09:50:25.865 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: checking existence of DS at 'www.debian.org' 19-Jan-2011 09:50:25.986 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DS: starting 19-Jan-2011 09:50:25.986 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DS: looking for DLV 19-Jan-2011 09:50:25.986 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DS: plain DNSSEC returns unsecure (.): looking for DLV 19-Jan-2011 09:50:25.986 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DS: looking for DLV debian.org.dlv.isc.org 19-Jan-2011 09:50:25.986 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DS: DLV debian.org found 19-Jan-2011 09:50:25.986 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DS: dlv_validator_start 19-Jan-2011 09:50:25.987 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DS: restarting using DLV 19-Jan-2011 09:50:25.987 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DS: attempting positive response validation 19-Jan-2011 09:50:25.987 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DS: keyset with trust 8 19-Jan-2011 09:50:25.987 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DS: verify rdataset (keyid=42257): success 19-Jan-2011 09:50:25.987 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DS: marking as secure 19-Jan-2011 09:50:25.987 dnssec: debug 3: validator @0xf7aaadd0: dns_validator_destroy 19-Jan-2011 09:50:25.987 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: in dsfetched2: success 19-Jan-2011 09:50:25.987 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: resuming proveunsecure 19-Jan-2011 09:50:25.987 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: insecurity proof failed 19-Jan-2011 09:50:25.987 dnssec: debug 3: validator @0xf7a63bc8: dns_validator_destroy 19-Jan-2011 09:50:26.142 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: starting 19-Jan-2011 09:50:26.142 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: looking for DLV 19-Jan-2011 09:50:26.142 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: plain DNSSEC returns unsecure (.): looking for DLV 19-Jan-2011 09:50:26.142 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: looking for DLV www.debian.org.dlv.isc.org 19-Jan-2011 09:50:26.142 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: looking for DLV debian.org.dlv.isc.org 19-Jan-2011 09:50:26.142 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: DLV debian.org found 19-Jan-2011 09:50:26.142 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: dlv_validator_start 19-Jan-2011 09:50:26.142 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: restarting using DLV 19-Jan-2011 09:50:26.142 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: attempting positive response validation 19-Jan-2011 09:50:26.142 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DNSKEY: starting 19-Jan-2011 09:50:26.142 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DNSKEY: attempting positive response validation 19-Jan-2011 09:50:26.142 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DNSKEY: not beneath secure root 19-Jan-2011 09:50:26.142 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DNSKEY: plain DNSSEC returns unsecure (.): looking for DLV 19-Jan-2011 09:50:26.142 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DNSKEY: looking for DLV www.debian.org.dlv.isc.org 19-Jan-2011 09:50:26.142 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DNSKEY: looking for DLV debian.org.dlv.isc.org 19-Jan-2011 09:50:26.142 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DNSKEY: DLV debian.org found 19-Jan-2011 09:50:26.143 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DNSKEY: dlv_validator_start 19-Jan-2011 09:50:26.143 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DNSKEY: restarting using DLV 19-Jan-2011 09:50:26.143 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DNSKEY: attempting positive response validation 19-Jan-2011 09:50:26.143 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DNSKEY: not beneath secure root 19-Jan-2011 09:50:26.143 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DNSKEY: marking as answer (validatezonekey (1)) 19-Jan-2011 09:50:26.143 dnssec: debug 3: validator @0xf7aaadd0: dns_validator_destroy 19-Jan-2011 09:50:26.143 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: in keyvalidated 19-Jan-2011 09:50:26.143 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: keyset with trust 5 19-Jan-2011 09:50:26.143 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: resuming validate 19-Jan-2011 09:50:26.143 dnssec: info: validating @0xf7a63bc8: www.debian.org NS: no valid signature found 19-Jan-2011 09:50:26.143 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: falling back to insecurity proof 19-Jan-2011 09:50:26.143 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: checking existence of DS at 'www.debian.org' 19-Jan-2011 09:50:26.143 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: insecurity proof failed 19-Jan-2011 09:50:26.143 dnssec: debug 3: validator @0xf7a63bc8: dns_validator_destroy 19-Jan-2011 09:50:26.174 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: starting 19-Jan-2011 09:50:26.174 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: looking for DLV 19-Jan-2011 09:50:26.174 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: plain DNSSEC returns unsecure (.): looking for DLV 19-Jan-2011 09:50:26.174 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: looking for DLV www.debian.org.dlv.isc.org 19-Jan-2011 09:50:26.174 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: looking for DLV debian.org.dlv.isc.org 19-Jan-2011 09:50:26.174 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: DLV debian.org found 19-Jan-2011 09:50:26.174 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: dlv_validator_start 19-Jan-2011 09:50:26.174 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: restarting using DLV 19-Jan-2011 09:50:26.174 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: attempting positive response validation 19-Jan-2011 09:50:26.174 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DNSKEY: starting 19-Jan-2011 09:50:26.174 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DNSKEY: attempting positive response validation 19-Jan-2011 09:50:26.174 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DNSKEY: not beneath secure root 19-Jan-2011 09:50:26.174 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DNSKEY: plain DNSSEC returns unsecure (.): looking for DLV 19-Jan-2011 09:50:26.174 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DNSKEY: looking for DLV www.debian.org.dlv.isc.org 19-Jan-2011 09:50:26.174 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DNSKEY: looking for DLV debian.org.dlv.isc.org 19-Jan-2011 09:50:26.174 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DNSKEY: DLV debian.org found 19-Jan-2011 09:50:26.174 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DNSKEY: dlv_validator_start 19-Jan-2011 09:50:26.174 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DNSKEY: restarting using DLV 19-Jan-2011 09:50:26.174 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DNSKEY: attempting positive response validation 19-Jan-2011 09:50:26.174 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DNSKEY: not beneath secure root 19-Jan-2011 09:50:26.174 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DNSKEY: marking as answer (validatezonekey (1)) 19-Jan-2011 09:50:26.174 dnssec: debug 3: validator @0xf7aaadd0: dns_validator_destroy 19-Jan-2011 09:50:26.174 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: in keyvalidated 19-Jan-2011 09:50:26.174 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: keyset with trust 5 19-Jan-2011 09:50:26.174 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: resuming validate 19-Jan-2011 09:50:26.174 dnssec: info: validating @0xf7a63bc8: www.debian.org NS: no valid signature found 19-Jan-2011 09:50:26.174 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: falling back to insecurity proof 19-Jan-2011 09:50:26.174 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: checking existence of DS at 'www.debian.org' 19-Jan-2011 09:50:26.174 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: insecurity proof failed 19-Jan-2011 09:50:26.174 dnssec: debug 3: validator @0xf7a63bc8: dns_validator_destroy 19-Jan-2011 09:50:26.365 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: starting 19-Jan-2011 09:50:26.365 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: looking for DLV 19-Jan-2011 09:50:26.365 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: plain DNSSEC returns unsecure (.): looking for DLV 19-Jan-2011 09:50:26.365 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: looking for DLV www.debian.org.dlv.isc.org 19-Jan-2011 09:50:26.365 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: looking for DLV debian.org.dlv.isc.org 19-Jan-2011 09:50:26.365 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: DLV debian.org found 19-Jan-2011 09:50:26.365 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: dlv_validator_start 19-Jan-2011 09:50:26.365 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: restarting using DLV 19-Jan-2011 09:50:26.365 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: attempting positive response validation 19-Jan-2011 09:50:26.365 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DNSKEY: starting 19-Jan-2011 09:50:26.365 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DNSKEY: attempting positive response validation 19-Jan-2011 09:50:26.365 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DNSKEY: not beneath secure root 19-Jan-2011 09:50:26.365 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DNSKEY: plain DNSSEC returns unsecure (.): looking for DLV 19-Jan-2011 09:50:26.365 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DNSKEY: looking for DLV www.debian.org.dlv.isc.org 19-Jan-2011 09:50:26.365 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DNSKEY: looking for DLV debian.org.dlv.isc.org 19-Jan-2011 09:50:26.365 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DNSKEY: DLV debian.org found 19-Jan-2011 09:50:26.365 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DNSKEY: dlv_validator_start 19-Jan-2011 09:50:26.365 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DNSKEY: restarting using DLV 19-Jan-2011 09:50:26.365 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DNSKEY: attempting positive response validation 19-Jan-2011 09:50:26.365 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DNSKEY: not beneath secure root 19-Jan-2011 09:50:26.365 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DNSKEY: marking as answer (validatezonekey (1)) 19-Jan-2011 09:50:26.365 dnssec: debug 3: validator @0xf7aaadd0: dns_validator_destroy 19-Jan-2011 09:50:26.365 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: in keyvalidated 19-Jan-2011 09:50:26.365 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: keyset with trust 5 19-Jan-2011 09:50:26.365 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: resuming validate 19-Jan-2011 09:50:26.365 dnssec: info: validating @0xf7a63bc8: www.debian.org NS: no valid signature found 19-Jan-2011 09:50:26.365 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: falling back to insecurity proof 19-Jan-2011 09:50:26.365 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: checking existence of DS at 'www.debian.org' 19-Jan-2011 09:50:26.365 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: insecurity proof failed 19-Jan-2011 09:50:26.365 dnssec: debug 3: validator @0xf7a63bc8: dns_validator_destroy 19-Jan-2011 09:50:26.420 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: starting 19-Jan-2011 09:50:26.420 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: looking for DLV 19-Jan-2011 09:50:26.420 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: plain DNSSEC returns unsecure (.): looking for DLV 19-Jan-2011 09:50:26.420 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: looking for DLV www.debian.org.dlv.isc.org 19-Jan-2011 09:50:26.420 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: looking for DLV debian.org.dlv.isc.org 19-Jan-2011 09:50:26.420 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: DLV debian.org found 19-Jan-2011 09:50:26.420 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: dlv_validator_start 19-Jan-2011 09:50:26.420 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: restarting using DLV 19-Jan-2011 09:50:26.420 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: attempting positive response validation 19-Jan-2011 09:50:26.420 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DNSKEY: starting 19-Jan-2011 09:50:26.420 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DNSKEY: attempting positive response validation 19-Jan-2011 09:50:26.420 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DNSKEY: not beneath secure root 19-Jan-2011 09:50:26.420 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DNSKEY: plain DNSSEC returns unsecure (.): looking for DLV 19-Jan-2011 09:50:26.420 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DNSKEY: looking for DLV www.debian.org.dlv.isc.org 19-Jan-2011 09:50:26.420 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DNSKEY: looking for DLV debian.org.dlv.isc.org 19-Jan-2011 09:50:26.420 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DNSKEY: DLV debian.org found 19-Jan-2011 09:50:26.420 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DNSKEY: dlv_validator_start 19-Jan-2011 09:50:26.420 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DNSKEY: restarting using DLV 19-Jan-2011 09:50:26.420 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DNSKEY: attempting positive response validation 19-Jan-2011 09:50:26.420 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DNSKEY: not beneath secure root 19-Jan-2011 09:50:26.420 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DNSKEY: marking as answer (validatezonekey (1)) 19-Jan-2011 09:50:26.420 dnssec: debug 3: validator @0xf7aaadd0: dns_validator_destroy 19-Jan-2011 09:50:26.420 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: in keyvalidated 19-Jan-2011 09:50:26.420 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: keyset with trust 5 19-Jan-2011 09:50:26.420 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: resuming validate 19-Jan-2011 09:50:26.420 dnssec: info: validating @0xf7a63bc8: www.debian.org NS: no valid signature found 19-Jan-2011 09:50:26.420 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: falling back to insecurity proof 19-Jan-2011 09:50:26.420 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: checking existence of DS at 'www.debian.org' 19-Jan-2011 09:50:26.420 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: insecurity proof failed 19-Jan-2011 09:50:26.420 dnssec: debug 3: validator @0xf7a63bc8: dns_validator_destroy 19-Jan-2011 09:50:26.441 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: starting 19-Jan-2011 09:50:26.441 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: looking for DLV 19-Jan-2011 09:50:26.441 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: plain DNSSEC returns unsecure (.): looking for DLV 19-Jan-2011 09:50:26.441 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: looking for DLV www.debian.org.dlv.isc.org 19-Jan-2011 09:50:26.441 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: looking for DLV debian.org.dlv.isc.org 19-Jan-2011 09:50:26.441 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: DLV debian.org found 19-Jan-2011 09:50:26.441 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: dlv_validator_start 19-Jan-2011 09:50:26.441 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: restarting using DLV 19-Jan-2011 09:50:26.441 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: attempting positive response validation 19-Jan-2011 09:50:26.441 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DNSKEY: starting 19-Jan-2011 09:50:26.441 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DNSKEY: attempting positive response validation 19-Jan-2011 09:50:26.441 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DNSKEY: not beneath secure root 19-Jan-2011 09:50:26.441 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DNSKEY: plain DNSSEC returns unsecure (.): looking for DLV 19-Jan-2011 09:50:26.441 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DNSKEY: looking for DLV www.debian.org.dlv.isc.org 19-Jan-2011 09:50:26.441 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DNSKEY: looking for DLV debian.org.dlv.isc.org 19-Jan-2011 09:50:26.441 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DNSKEY: DLV debian.org found 19-Jan-2011 09:50:26.441 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DNSKEY: dlv_validator_start 19-Jan-2011 09:50:26.441 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DNSKEY: restarting using DLV 19-Jan-2011 09:50:26.441 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DNSKEY: attempting positive response validation 19-Jan-2011 09:50:26.441 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DNSKEY: not beneath secure root 19-Jan-2011 09:50:26.441 dnssec: debug 3: validating @0xf7aaadd0: www.debian.org DNSKEY: marking as answer (validatezonekey (1)) 19-Jan-2011 09:50:26.441 dnssec: debug 3: validator @0xf7aaadd0: dns_validator_destroy 19-Jan-2011 09:50:26.441 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: in keyvalidated 19-Jan-2011 09:50:26.441 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: keyset with trust 5 19-Jan-2011 09:50:26.441 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: resuming validate 19-Jan-2011 09:50:26.441 dnssec: info: validating @0xf7a63bc8: www.debian.org NS: no valid signature found 19-Jan-2011 09:50:26.441 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: falling back to insecurity proof 19-Jan-2011 09:50:26.441 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: checking existence of DS at 'www.debian.org' 19-Jan-2011 09:50:26.441 dnssec: debug 3: validating @0xf7a63bc8: www.debian.org NS: insecurity proof failed 19-Jan-2011 09:50:26.441 dnssec: debug 3: validator @0xf7a63bc8: dns_validator_destroy
