Package: dnsutils
Version: 1:9.7.3.dfsg-1+b1
Severity: minor
When trying to validate a DNSSEC domain, dig reports a "Grand
Father Problem", and points to section 2.2.1 of this RFC for
explanation. There is no such section, maybe it is 2.3.1?
The crash afterwards has been reported already as an expansion to bug
#596334.
mbelow@ossietzky:~/tmp$ dig +topdown +sigchase
+trusted-key=./root.keys +multiline -ta tech-nerds-dnssec.de
Launch a query to find a RRset of type A for zone:
tech-nerds-dnssec.de with nameservers:
. 66815 IN NS a.root-servers.net.
66815 IN NS b.root-servers.net.
66815 IN NS c.root-servers.net.
66815 IN NS d.root-servers.net.
66815 IN NS e.root-servers.net.
66815 IN NS f.root-servers.net.
66815 IN NS g.root-servers.net.
66815 IN NS h.root-servers.net.
66815 IN NS i.root-servers.net.
66815 IN NS j.root-servers.net.
66815 IN NS k.root-servers.net.
66815 IN NS l.root-servers.net.
66815 IN NS m.root-servers.net.
Launch a query to find a RRset of type DNSKEY for zone: .
;; DNSKEYset:
. 153223 IN DNSKEY 257 3 8 (
AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQ
bSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh
/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWA
JQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXp
oY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3
LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGO
Yl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGc
LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
) ; key id = 19036
153223 IN DNSKEY 256 3 8 (
AwEAAcaGQEA+OJmOzfzVfoYN249JId7gx+OZMbxy69Hf
UyuGBbRN0+HuTOpBxxBCkNOL+EJB9qJxt+0FEY6ZUVjE
g58sRr4ZQ6Iu6b1xTBKgc193zUARk4mmQ/PPGxn7Cn5V
EGJ/1h6dNaiXuRHwR+7oWh7DnzkIJChcTqlFrXDW3tjt
) ; key id = 34525
;; RRSIG of the DNSKEYset:
. 153223 IN RRSIG DNSKEY 8 0 172800
20110614235959 (
20110531000000 19036 .
JcMmvixp872aO2svusRIBLc7diH3ECGPBKBYaO0jiFQB
6xJiMmrYpti+yk8u1Uwoo53HZusF+FRn5pMNu9B2j1fv
OMPU2o/GrDMk7oy4/iNnRszoHO1CWhjBL7CwdxCsq3dB
vFlwtLy3mdy6FaHro9AjwhxZfHJ/ot36VjLkjLHIAYqs
8iRAyABE9t33xe0tuwqX4XZet/1dL8eXb6Cm+9hPtssk
iVI4pvTv2vE5MFOOnNYk7SfDFOZwHtTtdWQrMfHPbRiU
8XMsK0OaUPq1D+i1eIcunbb9EL4mmexd7NcdzEJQcrS1
UtJ8OLoaMByCYO7f2d8wq98fR8hGhDnYjg==
)
;; Ok, find a Trusted Key in the DNSKEY RRset: 19036
;; VERIFYING DNSKEY RRset for . with DNSKEY:19036: success
;; We are in a Grand Father Problem: See 2.2.1 in RFC 3568
;; and we try to continue chain of trust validation of the zone:
de.
Launch a query to find a RRset of type NS for zone: de.
;; DNSKEYset:
. 153223 IN DNSKEY 257 3 8 (
AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQ
bSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh
/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWA
JQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXp
oY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3
LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGO
Yl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGc
LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
) ; key id = 19036
153223 IN DNSKEY 256 3 8 (
AwEAAcaGQEA+OJmOzfzVfoYN249JId7gx+OZMbxy69Hf
UyuGBbRN0+HuTOpBxxBCkNOL+EJB9qJxt+0FEY6ZUVjE
g58sRr4ZQ6Iu6b1xTBKgc193zUARk4mmQ/PPGxn7Cn5V
EGJ/1h6dNaiXuRHwR+7oWh7DnzkIJChcTqlFrXDW3tjt
) ; key id = 34525
;; RRSIG of the DNSKEYset:
. 153223 IN RRSIG DNSKEY 8 0 172800
20110614235959 (
20110531000000 19036 .
JcMmvixp872aO2svusRIBLc7diH3ECGPBKBYaO0jiFQB
6xJiMmrYpti+yk8u1Uwoo53HZusF+FRn5pMNu9B2j1fv
OMPU2o/GrDMk7oy4/iNnRszoHO1CWhjBL7CwdxCsq3dB
vFlwtLy3mdy6FaHro9AjwhxZfHJ/ot36VjLkjLHIAYqs
8iRAyABE9t33xe0tuwqX4XZet/1dL8eXb6Cm+9hPtssk
iVI4pvTv2vE5MFOOnNYk7SfDFOZwHtTtdWQrMfHPbRiU
8XMsK0OaUPq1D+i1eIcunbb9EL4mmexd7NcdzEJQcrS1
UtJ8OLoaMByCYO7f2d8wq98fR8hGhDnYjg==
)
Launch a query to find a RRset of type DS for zone: de.
;; DNSKEYset:
. 153223 IN DNSKEY 257 3 8 (
AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQ
bSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh
/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWA
JQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXp
oY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3
LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGO
Yl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGc
LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
) ; key id = 19036
153223 IN DNSKEY 256 3 8 (
AwEAAcaGQEA+OJmOzfzVfoYN249JId7gx+OZMbxy69Hf
UyuGBbRN0+HuTOpBxxBCkNOL+EJB9qJxt+0FEY6ZUVjE
g58sRr4ZQ6Iu6b1xTBKgc193zUARk4mmQ/PPGxn7Cn5V
EGJ/1h6dNaiXuRHwR+7oWh7DnzkIJChcTqlFrXDW3tjt
) ; key id = 34525
;; RRSIG of the DNSKEYset:
. 153223 IN RRSIG DNSKEY 8 0 172800
20110614235959 (
20110531000000 19036 .
JcMmvixp872aO2svusRIBLc7diH3ECGPBKBYaO0jiFQB
6xJiMmrYpti+yk8u1Uwoo53HZusF+FRn5pMNu9B2j1fv
OMPU2o/GrDMk7oy4/iNnRszoHO1CWhjBL7CwdxCsq3dB
vFlwtLy3mdy6FaHro9AjwhxZfHJ/ot36VjLkjLHIAYqs
8iRAyABE9t33xe0tuwqX4XZet/1dL8eXb6Cm+9hPtssk
iVI4pvTv2vE5MFOOnNYk7SfDFOZwHtTtdWQrMfHPbRiU
8XMsK0OaUPq1D+i1eIcunbb9EL4mmexd7NcdzEJQcrS1
UtJ8OLoaMByCYO7f2d8wq98fR8hGhDnYjg==
)
;; DSset:
de. 66848 IN DS 24220 8 2 (
FFE926ACA67ED94089390250F1F294AC84A6D84F9121
DF73A79E439F42E820C2 )
;; RRSIGset of DSset
de. 66848 IN RRSIG DS 8 1 86400 20110615000000
(
20110607230000 34525 .
fpgK5CcqbR5uTu5n2nXUzj7XHZfSG8ktKRU+qd43kp5J
8hRESVVKS/YNXjb5qNF7U9fjApD+JJWTM3vT/xfUGIfu
gnDF/Z4GmCCnpgO5deVLLmNnyHnvY1sU8bEps1/fV0hx
C7j5POq3XWDQgB/cw6QmivmV90uIbp6liaVpfuw=
)
;; VERIFYING DS RRset for de. with DNSKEY:34525: success
Launch a query to find a RRset of type A for zone:
tech-nerds-dnssec.de with nameservers:
de. 85973 IN NS s.de.net.
85973 IN NS z.nic.de.
85973 IN NS f.nic.de.
85973 IN NS a.nic.de.
85973 IN NS l.de.net.
Launch a query to find a RRset of type DNSKEY for zone: de.
;; DNSKEYset:
de. 2468 IN DNSKEY 257 3 8 (
AwEAAYbcKo2IA8l6arSIiSC+l97v2vgNXrxjBJK+XkX5
FYMPDfr2QgtUMHfjLPfMKiSxEXT0uL+SucI1ohv5I0C/
pgz9e9NFDhMCpHLPA5s9LIzQMHEs7Y+idlsRnBKe9Kw/
B1RxzSZKxMd8UyAeA6j0vlZIKrokc1nr4ouvDhoYR3JD
d7vCcvV08EIuaPgL0ijUYk071OOjRFG+waRZnVPAwFZs
gDIgBJqDl/nRVRBI8k3YFVPka6Rls/EIDYloqG+X5VZC
/VXbBb7fams8misz3MsLeVy/fiH0j8SJMAZSbQxqo+/z
WUJogl4Tyb5TbT1LRTfbyxII2zQ/ATXocWOohSU=
) ; key id = 24220
2468 IN DNSKEY 256 3 8 (
AwEAAYjRbUmLGRM0PJrRVHGO0JhbgTNXQEEfLXbyIqac
i3l4cWyJEYIYFIRwNjFHjF/KvIcUwD+p0/M/QUHuFK96
/1w25/Hvo6BXSNtp7EWSOcXCAGB01OFwrBgzIt1IlYZa
t5+Gmwow13c9YlnF5xj9jl5df1fBuIaU5Y0Tz9eetAxt
) ; key id = 55686
;; RRSIG of the DNSKEYset:
de. 2468 IN RRSIG DNSKEY 8 1 7200
20110623120000 (
20110602120000 24220 de.
NB/RwoJBN8tSJAVsje1+mjZydgY1/mx2SlKOjxCLcCCC
657zW8WEfoemtOfAU/YqPgmljRhX3G4Yg++xAgUsEvL3
ed3H154P7YKIqznMfzqCDK12w2JdoJj3XCqBjj/IHUcu
hesL/dtGap/zJbCvhn+CAPhQLyDqon3PJ0V3TgzSx9oe
a1EQ7/2rKJEBsSnu1lLA0a4onF9I5QpoMF8vW6DhSwVs
jzmGvIEvGSYsrUYlhBHe59TiAN556G8ietK1VxRsFEXb
OXPFe7mLrN0N1oi9rnjo2JsktBDmWCZBnBPMdTNRxAFD
EtAdqpfcrpsbIGgvaxN3WkWWOmVLHlp9Kg==
)
;; OK a DS valids a DNSKEY in the RRset
;; Now verify that this DNSKEY validates the DNSKEY RRset
;; VERIFYING DNSKEY RRset for de. with DNSKEY:24220: success
;; We are in a Grand Father Problem: See 2.2.1 in RFC 3568
;; ERROR : tech-nerds-dnssec.de. is not a subdomain of: de. FAILED
name.c:2144: REQUIRE(source->length > 0) failed, back trace
#0 0x7f0ba360a9d6 in ??
#1 0x7f0ba360a93a in ??
#2 0x7f0ba49ea70d in ??
#3 0x7f0ba514c991 in ??
#4 0x7f0ba5150ad7 in ??
#5 0x7f0ba5152b78 in ??
#6 0x7f0ba36287a8 in ??
#7 0x7f0ba31e1b40 in ??
#8 0x7f0ba2bd028d in ??
Abgebrochen
-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (900, 'testing'), (500, 'stable-updates'), (500,
'proposed-updates'), (500, 'stable'), (10, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.38-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages dnsutils depends on:
ii bind9-host [host] 1:9.7.3.dfsg-1+b1 Version of 'host' bundled with BIN
ii libbind9-60 1:9.7.3.dfsg-1+b1 BIND9 Shared Library used by BIND
ii libc6 2.13-4 Embedded GNU C Library: Shared lib
ii libcap2 1:2.21-1 support for getting/setting POSIX.
ii libcomerr2 1.41.12-4 common error description library
ii libdns69 1:9.7.3.dfsg-1+b1 DNS Shared Library used by BIND
ii libgssapi-krb5-2 1.9+dfsg-1+b1 MIT Kerberos runtime libraries - k
ii libisc62 1:9.7.3.dfsg-1+b1 ISC Shared Library used by BIND
ii libisccfg62 1:9.7.3.dfsg-1+b1 Config File Handling Library used
ii libk5crypto3 1.9+dfsg-1+b1 MIT Kerberos runtime libraries - C
ii libkrb5-3 1.9+dfsg-1+b1 MIT Kerberos runtime libraries
ii liblwres60 1:9.7.3.dfsg-1+b1 Lightweight Resolver Library used
ii libssl1.0.0 1.0.0d-2 SSL shared libraries
ii libxml2 2.7.8.dfsg-3 GNOME XML library
dnsutils recommends no packages.
Versions of packages dnsutils suggests:
pn rblcheck <none> (no description available)
-- no debconf information
--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]
