Package: dnsutils
Version: 1:9.7.3.dfsg-1+b1
Followup-For: Bug #596334
The original problem with debian.org seems solved, but i am still
running into trouble with other domains.
mbelow@ossietzky:~/tmp$ dig +topdown +sigchase
+trusted-key=./root.keys +multiline -ta tech-nerds-dnssec.de
Launch a query to find a RRset of type A for zone:
tech-nerds-dnssec.de with nameservers:
. 66815 IN NS a.root-servers.net.
66815 IN NS b.root-servers.net.
66815 IN NS c.root-servers.net.
66815 IN NS d.root-servers.net.
66815 IN NS e.root-servers.net.
66815 IN NS f.root-servers.net.
66815 IN NS g.root-servers.net.
66815 IN NS h.root-servers.net.
66815 IN NS i.root-servers.net.
66815 IN NS j.root-servers.net.
66815 IN NS k.root-servers.net.
66815 IN NS l.root-servers.net.
66815 IN NS m.root-servers.net.
Launch a query to find a RRset of type DNSKEY for zone: .
;; DNSKEYset:
. 153223 IN DNSKEY 257 3 8 (
AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQ
bSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh
/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWA
JQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXp
oY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3
LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGO
Yl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGc
LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
) ; key id = 19036
153223 IN DNSKEY 256 3 8 (
AwEAAcaGQEA+OJmOzfzVfoYN249JId7gx+OZMbxy69Hf
UyuGBbRN0+HuTOpBxxBCkNOL+EJB9qJxt+0FEY6ZUVjE
g58sRr4ZQ6Iu6b1xTBKgc193zUARk4mmQ/PPGxn7Cn5V
EGJ/1h6dNaiXuRHwR+7oWh7DnzkIJChcTqlFrXDW3tjt
) ; key id = 34525
;; RRSIG of the DNSKEYset:
. 153223 IN RRSIG DNSKEY 8 0 172800
20110614235959 (
20110531000000 19036 .
JcMmvixp872aO2svusRIBLc7diH3ECGPBKBYaO0jiFQB
6xJiMmrYpti+yk8u1Uwoo53HZusF+FRn5pMNu9B2j1fv
OMPU2o/GrDMk7oy4/iNnRszoHO1CWhjBL7CwdxCsq3dB
vFlwtLy3mdy6FaHro9AjwhxZfHJ/ot36VjLkjLHIAYqs
8iRAyABE9t33xe0tuwqX4XZet/1dL8eXb6Cm+9hPtssk
iVI4pvTv2vE5MFOOnNYk7SfDFOZwHtTtdWQrMfHPbRiU
8XMsK0OaUPq1D+i1eIcunbb9EL4mmexd7NcdzEJQcrS1
UtJ8OLoaMByCYO7f2d8wq98fR8hGhDnYjg==
)
;; Ok, find a Trusted Key in the DNSKEY RRset: 19036
;; VERIFYING DNSKEY RRset for . with DNSKEY:19036: success
;; We are in a Grand Father Problem: See 2.2.1 in RFC 3568
;; and we try to continue chain of trust validation of the zone:
de.
Launch a query to find a RRset of type NS for zone: de.
;; DNSKEYset:
. 153223 IN DNSKEY 257 3 8 (
AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQ
bSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh
/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWA
JQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXp
oY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3
LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGO
Yl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGc
LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
) ; key id = 19036
153223 IN DNSKEY 256 3 8 (
AwEAAcaGQEA+OJmOzfzVfoYN249JId7gx+OZMbxy69Hf
UyuGBbRN0+HuTOpBxxBCkNOL+EJB9qJxt+0FEY6ZUVjE
g58sRr4ZQ6Iu6b1xTBKgc193zUARk4mmQ/PPGxn7Cn5V
EGJ/1h6dNaiXuRHwR+7oWh7DnzkIJChcTqlFrXDW3tjt
) ; key id = 34525
;; RRSIG of the DNSKEYset:
. 153223 IN RRSIG DNSKEY 8 0 172800
20110614235959 (
20110531000000 19036 .
JcMmvixp872aO2svusRIBLc7diH3ECGPBKBYaO0jiFQB
6xJiMmrYpti+yk8u1Uwoo53HZusF+FRn5pMNu9B2j1fv
OMPU2o/GrDMk7oy4/iNnRszoHO1CWhjBL7CwdxCsq3dB
vFlwtLy3mdy6FaHro9AjwhxZfHJ/ot36VjLkjLHIAYqs
8iRAyABE9t33xe0tuwqX4XZet/1dL8eXb6Cm+9hPtssk
iVI4pvTv2vE5MFOOnNYk7SfDFOZwHtTtdWQrMfHPbRiU
8XMsK0OaUPq1D+i1eIcunbb9EL4mmexd7NcdzEJQcrS1
UtJ8OLoaMByCYO7f2d8wq98fR8hGhDnYjg==
)
Launch a query to find a RRset of type DS for zone: de.
;; DNSKEYset:
. 153223 IN DNSKEY 257 3 8 (
AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQ
bSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh
/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWA
JQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXp
oY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3
LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGO
Yl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGc
LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
) ; key id = 19036
153223 IN DNSKEY 256 3 8 (
AwEAAcaGQEA+OJmOzfzVfoYN249JId7gx+OZMbxy69Hf
UyuGBbRN0+HuTOpBxxBCkNOL+EJB9qJxt+0FEY6ZUVjE
g58sRr4ZQ6Iu6b1xTBKgc193zUARk4mmQ/PPGxn7Cn5V
EGJ/1h6dNaiXuRHwR+7oWh7DnzkIJChcTqlFrXDW3tjt
) ; key id = 34525
;; RRSIG of the DNSKEYset:
. 153223 IN RRSIG DNSKEY 8 0 172800
20110614235959 (
20110531000000 19036 .
JcMmvixp872aO2svusRIBLc7diH3ECGPBKBYaO0jiFQB
6xJiMmrYpti+yk8u1Uwoo53HZusF+FRn5pMNu9B2j1fv
OMPU2o/GrDMk7oy4/iNnRszoHO1CWhjBL7CwdxCsq3dB
vFlwtLy3mdy6FaHro9AjwhxZfHJ/ot36VjLkjLHIAYqs
8iRAyABE9t33xe0tuwqX4XZet/1dL8eXb6Cm+9hPtssk
iVI4pvTv2vE5MFOOnNYk7SfDFOZwHtTtdWQrMfHPbRiU
8XMsK0OaUPq1D+i1eIcunbb9EL4mmexd7NcdzEJQcrS1
UtJ8OLoaMByCYO7f2d8wq98fR8hGhDnYjg==
)
;; DSset:
de. 66848 IN DS 24220 8 2 (
FFE926ACA67ED94089390250F1F294AC84A6D84F9121
DF73A79E439F42E820C2 )
;; RRSIGset of DSset
de. 66848 IN RRSIG DS 8 1 86400 20110615000000
(
20110607230000 34525 .
fpgK5CcqbR5uTu5n2nXUzj7XHZfSG8ktKRU+qd43kp5J
8hRESVVKS/YNXjb5qNF7U9fjApD+JJWTM3vT/xfUGIfu
gnDF/Z4GmCCnpgO5deVLLmNnyHnvY1sU8bEps1/fV0hx
C7j5POq3XWDQgB/cw6QmivmV90uIbp6liaVpfuw=
)
;; VERIFYING DS RRset for de. with DNSKEY:34525: success
Launch a query to find a RRset of type A for zone:
tech-nerds-dnssec.de with nameservers:
de. 85973 IN NS s.de.net.
85973 IN NS z.nic.de.
85973 IN NS f.nic.de.
85973 IN NS a.nic.de.
85973 IN NS l.de.net.
Launch a query to find a RRset of type DNSKEY for zone: de.
;; DNSKEYset:
de. 2468 IN DNSKEY 257 3 8 (
AwEAAYbcKo2IA8l6arSIiSC+l97v2vgNXrxjBJK+XkX5
FYMPDfr2QgtUMHfjLPfMKiSxEXT0uL+SucI1ohv5I0C/
pgz9e9NFDhMCpHLPA5s9LIzQMHEs7Y+idlsRnBKe9Kw/
B1RxzSZKxMd8UyAeA6j0vlZIKrokc1nr4ouvDhoYR3JD
d7vCcvV08EIuaPgL0ijUYk071OOjRFG+waRZnVPAwFZs
gDIgBJqDl/nRVRBI8k3YFVPka6Rls/EIDYloqG+X5VZC
/VXbBb7fams8misz3MsLeVy/fiH0j8SJMAZSbQxqo+/z
WUJogl4Tyb5TbT1LRTfbyxII2zQ/ATXocWOohSU=
) ; key id = 24220
2468 IN DNSKEY 256 3 8 (
AwEAAYjRbUmLGRM0PJrRVHGO0JhbgTNXQEEfLXbyIqac
i3l4cWyJEYIYFIRwNjFHjF/KvIcUwD+p0/M/QUHuFK96
/1w25/Hvo6BXSNtp7EWSOcXCAGB01OFwrBgzIt1IlYZa
t5+Gmwow13c9YlnF5xj9jl5df1fBuIaU5Y0Tz9eetAxt
) ; key id = 55686
;; RRSIG of the DNSKEYset:
de. 2468 IN RRSIG DNSKEY 8 1 7200
20110623120000 (
20110602120000 24220 de.
NB/RwoJBN8tSJAVsje1+mjZydgY1/mx2SlKOjxCLcCCC
657zW8WEfoemtOfAU/YqPgmljRhX3G4Yg++xAgUsEvL3
ed3H154P7YKIqznMfzqCDK12w2JdoJj3XCqBjj/IHUcu
hesL/dtGap/zJbCvhn+CAPhQLyDqon3PJ0V3TgzSx9oe
a1EQ7/2rKJEBsSnu1lLA0a4onF9I5QpoMF8vW6DhSwVs
jzmGvIEvGSYsrUYlhBHe59TiAN556G8ietK1VxRsFEXb
OXPFe7mLrN0N1oi9rnjo2JsktBDmWCZBnBPMdTNRxAFD
EtAdqpfcrpsbIGgvaxN3WkWWOmVLHlp9Kg==
)
;; OK a DS valids a DNSKEY in the RRset
;; Now verify that this DNSKEY validates the DNSKEY RRset
;; VERIFYING DNSKEY RRset for de. with DNSKEY:24220: success
;; We are in a Grand Father Problem: See 2.2.1 in RFC 3568
;; ERROR : tech-nerds-dnssec.de. is not a subdomain of: de. FAILED
name.c:2144: REQUIRE(source->length > 0) failed, back trace
#0 0x7f0ba360a9d6 in ??
#1 0x7f0ba360a93a in ??
#2 0x7f0ba49ea70d in ??
#3 0x7f0ba514c991 in ??
#4 0x7f0ba5150ad7 in ??
#5 0x7f0ba5152b78 in ??
#6 0x7f0ba36287a8 in ??
#7 0x7f0ba31e1b40 in ??
#8 0x7f0ba2bd028d in ??
Abgebrochen
-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (900, 'testing'), (500, 'stable-updates'), (500,
'proposed-updates'), (500, 'stable'), (10, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.38-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages dnsutils depends on:
ii bind9-host [host] 1:9.7.3.dfsg-1+b1 Version of 'host' bundled with BIN
ii libbind9-60 1:9.7.3.dfsg-1+b1 BIND9 Shared Library used by BIND
ii libc6 2.13-4 Embedded GNU C Library: Shared lib
ii libcap2 1:2.21-1 support for getting/setting POSIX.
ii libcomerr2 1.41.12-4 common error description library
ii libdns69 1:9.7.3.dfsg-1+b1 DNS Shared Library used by BIND
ii libgssapi-krb5-2 1.9+dfsg-1+b1 MIT Kerberos runtime libraries - k
ii libisc62 1:9.7.3.dfsg-1+b1 ISC Shared Library used by BIND
ii libisccfg62 1:9.7.3.dfsg-1+b1 Config File Handling Library used
ii libk5crypto3 1.9+dfsg-1+b1 MIT Kerberos runtime libraries - C
ii libkrb5-3 1.9+dfsg-1+b1 MIT Kerberos runtime libraries
ii liblwres60 1:9.7.3.dfsg-1+b1 Lightweight Resolver Library used
ii libssl1.0.0 1.0.0d-2 SSL shared libraries
ii libxml2 2.7.8.dfsg-3 GNOME XML library
dnsutils recommends no packages.
Versions of packages dnsutils suggests:
pn rblcheck <none> (no description available)
-- no debconf information
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
