Package: dnsutils Version: 1:9.7.3.dfsg-1+b1 Followup-For: Bug #596334
The original problem with debian.org seems solved, but i am still running into trouble with other domains. mbelow@ossietzky:~/tmp$ dig +topdown +sigchase +trusted-key=./root.keys +multiline -ta tech-nerds-dnssec.de Launch a query to find a RRset of type A for zone: tech-nerds-dnssec.de with nameservers: . 66815 IN NS a.root-servers.net. 66815 IN NS b.root-servers.net. 66815 IN NS c.root-servers.net. 66815 IN NS d.root-servers.net. 66815 IN NS e.root-servers.net. 66815 IN NS f.root-servers.net. 66815 IN NS g.root-servers.net. 66815 IN NS h.root-servers.net. 66815 IN NS i.root-servers.net. 66815 IN NS j.root-servers.net. 66815 IN NS k.root-servers.net. 66815 IN NS l.root-servers.net. 66815 IN NS m.root-servers.net. Launch a query to find a RRset of type DNSKEY for zone: . ;; DNSKEYset: . 153223 IN DNSKEY 257 3 8 ( AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQ bSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh /RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWA JQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXp oY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3 LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGO Yl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGc LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ) ; key id = 19036 153223 IN DNSKEY 256 3 8 ( AwEAAcaGQEA+OJmOzfzVfoYN249JId7gx+OZMbxy69Hf UyuGBbRN0+HuTOpBxxBCkNOL+EJB9qJxt+0FEY6ZUVjE g58sRr4ZQ6Iu6b1xTBKgc193zUARk4mmQ/PPGxn7Cn5V EGJ/1h6dNaiXuRHwR+7oWh7DnzkIJChcTqlFrXDW3tjt ) ; key id = 34525 ;; RRSIG of the DNSKEYset: . 153223 IN RRSIG DNSKEY 8 0 172800 20110614235959 ( 20110531000000 19036 . JcMmvixp872aO2svusRIBLc7diH3ECGPBKBYaO0jiFQB 6xJiMmrYpti+yk8u1Uwoo53HZusF+FRn5pMNu9B2j1fv OMPU2o/GrDMk7oy4/iNnRszoHO1CWhjBL7CwdxCsq3dB vFlwtLy3mdy6FaHro9AjwhxZfHJ/ot36VjLkjLHIAYqs 8iRAyABE9t33xe0tuwqX4XZet/1dL8eXb6Cm+9hPtssk iVI4pvTv2vE5MFOOnNYk7SfDFOZwHtTtdWQrMfHPbRiU 8XMsK0OaUPq1D+i1eIcunbb9EL4mmexd7NcdzEJQcrS1 UtJ8OLoaMByCYO7f2d8wq98fR8hGhDnYjg== ) ;; Ok, find a Trusted Key in the DNSKEY RRset: 19036 ;; VERIFYING DNSKEY RRset for . with DNSKEY:19036: success ;; We are in a Grand Father Problem: See 2.2.1 in RFC 3568 ;; and we try to continue chain of trust validation of the zone: de. Launch a query to find a RRset of type NS for zone: de. ;; DNSKEYset: . 153223 IN DNSKEY 257 3 8 ( AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQ bSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh /RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWA JQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXp oY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3 LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGO Yl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGc LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ) ; key id = 19036 153223 IN DNSKEY 256 3 8 ( AwEAAcaGQEA+OJmOzfzVfoYN249JId7gx+OZMbxy69Hf UyuGBbRN0+HuTOpBxxBCkNOL+EJB9qJxt+0FEY6ZUVjE g58sRr4ZQ6Iu6b1xTBKgc193zUARk4mmQ/PPGxn7Cn5V EGJ/1h6dNaiXuRHwR+7oWh7DnzkIJChcTqlFrXDW3tjt ) ; key id = 34525 ;; RRSIG of the DNSKEYset: . 153223 IN RRSIG DNSKEY 8 0 172800 20110614235959 ( 20110531000000 19036 . JcMmvixp872aO2svusRIBLc7diH3ECGPBKBYaO0jiFQB 6xJiMmrYpti+yk8u1Uwoo53HZusF+FRn5pMNu9B2j1fv OMPU2o/GrDMk7oy4/iNnRszoHO1CWhjBL7CwdxCsq3dB vFlwtLy3mdy6FaHro9AjwhxZfHJ/ot36VjLkjLHIAYqs 8iRAyABE9t33xe0tuwqX4XZet/1dL8eXb6Cm+9hPtssk iVI4pvTv2vE5MFOOnNYk7SfDFOZwHtTtdWQrMfHPbRiU 8XMsK0OaUPq1D+i1eIcunbb9EL4mmexd7NcdzEJQcrS1 UtJ8OLoaMByCYO7f2d8wq98fR8hGhDnYjg== ) Launch a query to find a RRset of type DS for zone: de. ;; DNSKEYset: . 153223 IN DNSKEY 257 3 8 ( AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQ bSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh /RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWA JQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXp oY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3 LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGO Yl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGc LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ) ; key id = 19036 153223 IN DNSKEY 256 3 8 ( AwEAAcaGQEA+OJmOzfzVfoYN249JId7gx+OZMbxy69Hf UyuGBbRN0+HuTOpBxxBCkNOL+EJB9qJxt+0FEY6ZUVjE g58sRr4ZQ6Iu6b1xTBKgc193zUARk4mmQ/PPGxn7Cn5V EGJ/1h6dNaiXuRHwR+7oWh7DnzkIJChcTqlFrXDW3tjt ) ; key id = 34525 ;; RRSIG of the DNSKEYset: . 153223 IN RRSIG DNSKEY 8 0 172800 20110614235959 ( 20110531000000 19036 . JcMmvixp872aO2svusRIBLc7diH3ECGPBKBYaO0jiFQB 6xJiMmrYpti+yk8u1Uwoo53HZusF+FRn5pMNu9B2j1fv OMPU2o/GrDMk7oy4/iNnRszoHO1CWhjBL7CwdxCsq3dB vFlwtLy3mdy6FaHro9AjwhxZfHJ/ot36VjLkjLHIAYqs 8iRAyABE9t33xe0tuwqX4XZet/1dL8eXb6Cm+9hPtssk iVI4pvTv2vE5MFOOnNYk7SfDFOZwHtTtdWQrMfHPbRiU 8XMsK0OaUPq1D+i1eIcunbb9EL4mmexd7NcdzEJQcrS1 UtJ8OLoaMByCYO7f2d8wq98fR8hGhDnYjg== ) ;; DSset: de. 66848 IN DS 24220 8 2 ( FFE926ACA67ED94089390250F1F294AC84A6D84F9121 DF73A79E439F42E820C2 ) ;; RRSIGset of DSset de. 66848 IN RRSIG DS 8 1 86400 20110615000000 ( 20110607230000 34525 . fpgK5CcqbR5uTu5n2nXUzj7XHZfSG8ktKRU+qd43kp5J 8hRESVVKS/YNXjb5qNF7U9fjApD+JJWTM3vT/xfUGIfu gnDF/Z4GmCCnpgO5deVLLmNnyHnvY1sU8bEps1/fV0hx C7j5POq3XWDQgB/cw6QmivmV90uIbp6liaVpfuw= ) ;; VERIFYING DS RRset for de. with DNSKEY:34525: success Launch a query to find a RRset of type A for zone: tech-nerds-dnssec.de with nameservers: de. 85973 IN NS s.de.net. 85973 IN NS z.nic.de. 85973 IN NS f.nic.de. 85973 IN NS a.nic.de. 85973 IN NS l.de.net. Launch a query to find a RRset of type DNSKEY for zone: de. ;; DNSKEYset: de. 2468 IN DNSKEY 257 3 8 ( AwEAAYbcKo2IA8l6arSIiSC+l97v2vgNXrxjBJK+XkX5 FYMPDfr2QgtUMHfjLPfMKiSxEXT0uL+SucI1ohv5I0C/ pgz9e9NFDhMCpHLPA5s9LIzQMHEs7Y+idlsRnBKe9Kw/ B1RxzSZKxMd8UyAeA6j0vlZIKrokc1nr4ouvDhoYR3JD d7vCcvV08EIuaPgL0ijUYk071OOjRFG+waRZnVPAwFZs gDIgBJqDl/nRVRBI8k3YFVPka6Rls/EIDYloqG+X5VZC /VXbBb7fams8misz3MsLeVy/fiH0j8SJMAZSbQxqo+/z WUJogl4Tyb5TbT1LRTfbyxII2zQ/ATXocWOohSU= ) ; key id = 24220 2468 IN DNSKEY 256 3 8 ( AwEAAYjRbUmLGRM0PJrRVHGO0JhbgTNXQEEfLXbyIqac i3l4cWyJEYIYFIRwNjFHjF/KvIcUwD+p0/M/QUHuFK96 /1w25/Hvo6BXSNtp7EWSOcXCAGB01OFwrBgzIt1IlYZa t5+Gmwow13c9YlnF5xj9jl5df1fBuIaU5Y0Tz9eetAxt ) ; key id = 55686 ;; RRSIG of the DNSKEYset: de. 2468 IN RRSIG DNSKEY 8 1 7200 20110623120000 ( 20110602120000 24220 de. NB/RwoJBN8tSJAVsje1+mjZydgY1/mx2SlKOjxCLcCCC 657zW8WEfoemtOfAU/YqPgmljRhX3G4Yg++xAgUsEvL3 ed3H154P7YKIqznMfzqCDK12w2JdoJj3XCqBjj/IHUcu hesL/dtGap/zJbCvhn+CAPhQLyDqon3PJ0V3TgzSx9oe a1EQ7/2rKJEBsSnu1lLA0a4onF9I5QpoMF8vW6DhSwVs jzmGvIEvGSYsrUYlhBHe59TiAN556G8ietK1VxRsFEXb OXPFe7mLrN0N1oi9rnjo2JsktBDmWCZBnBPMdTNRxAFD EtAdqpfcrpsbIGgvaxN3WkWWOmVLHlp9Kg== ) ;; OK a DS valids a DNSKEY in the RRset ;; Now verify that this DNSKEY validates the DNSKEY RRset ;; VERIFYING DNSKEY RRset for de. with DNSKEY:24220: success ;; We are in a Grand Father Problem: See 2.2.1 in RFC 3568 ;; ERROR : tech-nerds-dnssec.de. is not a subdomain of: de. FAILED name.c:2144: REQUIRE(source->length > 0) failed, back trace #0 0x7f0ba360a9d6 in ?? #1 0x7f0ba360a93a in ?? #2 0x7f0ba49ea70d in ?? #3 0x7f0ba514c991 in ?? #4 0x7f0ba5150ad7 in ?? #5 0x7f0ba5152b78 in ?? #6 0x7f0ba36287a8 in ?? #7 0x7f0ba31e1b40 in ?? #8 0x7f0ba2bd028d in ?? Abgebrochen -- System Information: Debian Release: wheezy/sid APT prefers testing APT policy: (900, 'testing'), (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable'), (10, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 2.6.38-2-amd64 (SMP w/4 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/bash Versions of packages dnsutils depends on: ii bind9-host [host] 1:9.7.3.dfsg-1+b1 Version of 'host' bundled with BIN ii libbind9-60 1:9.7.3.dfsg-1+b1 BIND9 Shared Library used by BIND ii libc6 2.13-4 Embedded GNU C Library: Shared lib ii libcap2 1:2.21-1 support for getting/setting POSIX. ii libcomerr2 1.41.12-4 common error description library ii libdns69 1:9.7.3.dfsg-1+b1 DNS Shared Library used by BIND ii libgssapi-krb5-2 1.9+dfsg-1+b1 MIT Kerberos runtime libraries - k ii libisc62 1:9.7.3.dfsg-1+b1 ISC Shared Library used by BIND ii libisccfg62 1:9.7.3.dfsg-1+b1 Config File Handling Library used ii libk5crypto3 1.9+dfsg-1+b1 MIT Kerberos runtime libraries - C ii libkrb5-3 1.9+dfsg-1+b1 MIT Kerberos runtime libraries ii liblwres60 1:9.7.3.dfsg-1+b1 Lightweight Resolver Library used ii libssl1.0.0 1.0.0d-2 SSL shared libraries ii libxml2 2.7.8.dfsg-3 GNOME XML library dnsutils recommends no packages. Versions of packages dnsutils suggests: pn rblcheck <none> (no description available) -- no debconf information -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org