Package: dnsutils
Version: 1:9.7.3.dfsg-1+b1
Severity: minor

When trying to validate a DNSSEC domain, dig reports a "Grand Father Problem", and points to section 2.2.1 of this RFC for explanation. There is no such section, maybe it is 2.3.1? The crash afterwards has been reported already as an expansion to bug #596334.

mbelow@ossietzky:~/tmp$ dig +topdown +sigchase +trusted-key=./root.keys +multiline -ta tech-nerds-dnssec.de

Launch a query to find a RRset of type A for zone: tech-nerds-dnssec.de with nameservers:
.       66815 IN NS a.root-servers.net.
        66815 IN NS b.root-servers.net.
        66815 IN NS c.root-servers.net.
        66815 IN NS d.root-servers.net.
        66815 IN NS e.root-servers.net.
        66815 IN NS f.root-servers.net.
        66815 IN NS g.root-servers.net.
        66815 IN NS h.root-servers.net.
        66815 IN NS i.root-servers.net.
        66815 IN NS j.root-servers.net.
        66815 IN NS k.root-servers.net.
        66815 IN NS l.root-servers.net.
        66815 IN NS m.root-servers.net.

Launch a query to find a RRset of type DNSKEY for zone: .

;; DNSKEYset:
.       153223 IN DNSKEY 257 3 8 ( [key data omitted] ) ; key id = 19036
        153223 IN DNSKEY 256 3 8 ( [key data omitted] ) ; key id = 34525

;; RRSIG of the DNSKEYset:
.       153223 IN RRSIG DNSKEY 8 0 172800 20110614235959 (
            20110531000000 19036 . [signature data omitted] )

;; Ok, find a Trusted Key in the DNSKEY RRset: 19036
;; VERIFYING DNSKEY RRset for . with DNSKEY:19036: success

;; We are in a Grand Father Problem: See 2.2.1 in RFC 3568

;; and we try to continue chain of trust validation of the zone: de.

Launch a query to find a RRset of type NS for zone: de.

;; DNSKEYset:
.       153223 IN DNSKEY 257 3 8 ( [key data omitted] ) ; key id = 19036
        153223 IN DNSKEY 256 3 8 ( [key data omitted] ) ; key id = 34525

;; RRSIG of the DNSKEYset:
.       153223 IN RRSIG DNSKEY 8 0 172800 20110614235959 (
            20110531000000 19036 . [signature data omitted] )

Launch a query to find a RRset of type DS for zone: de.

;; DNSKEYset:
.       153223 IN DNSKEY 257 3 8 ( [key data omitted] ) ; key id = 19036
        153223 IN DNSKEY 256 3 8 ( [key data omitted] ) ; key id = 34525

;; RRSIG of the DNSKEYset:
.       153223 IN RRSIG DNSKEY 8 0 172800 20110614235959 (
            20110531000000 19036 . [signature data omitted] )

;; DSset:
de.     66848 IN DS 24220 8 2 (
            FFE926ACA67ED94089390250F1F294AC84A6D84F9121
            DF73A79E439F42E820C2 )

;; RRSIGset of DSset
de.     66848 IN RRSIG DS 8 1 86400 20110615000000 (
            20110607230000 34525 . [signature data omitted] )

;; VERIFYING DS RRset for de. with DNSKEY:34525: success

Launch a query to find a RRset of type A for zone: tech-nerds-dnssec.de with nameservers:
de.     85973 IN NS s.de.net.
        85973 IN NS z.nic.de.
        85973 IN NS f.nic.de.
        85973 IN NS a.nic.de.
        85973 IN NS l.de.net.

Launch a query to find a RRset of type DNSKEY for zone: de.

;; DNSKEYset:
de.     2468 IN DNSKEY 257 3 8 ( [key data omitted] ) ; key id = 24220
        2468 IN DNSKEY 256 3 8 ( [key data omitted] ) ; key id = 55686

;; RRSIG of the DNSKEYset:
de.     2468 IN RRSIG DNSKEY 8 1 7200 20110623120000 (
            20110602120000 24220 de. [signature data omitted] )

;; OK a DS valids a DNSKEY in the RRset
;; Now verify that this DNSKEY validates the DNSKEY RRset
;; VERIFYING DNSKEY RRset for de. with DNSKEY:24220: success

;; We are in a Grand Father Problem: See 2.2.1 in RFC 3568

;; ERROR : tech-nerds-dnssec.de. is not a subdomain of: de. FAILED

name.c:2144: REQUIRE(source->length > 0) failed, back trace
#0 0x7f0ba360a9d6 in ??
#1 0x7f0ba360a93a in ??
#2 0x7f0ba49ea70d in ??
#3 0x7f0ba514c991 in ??
#4 0x7f0ba5150ad7 in ??
#5 0x7f0ba5152b78 in ??
#6 0x7f0ba36287a8 in ??
#7 0x7f0ba31e1b40 in ??
#8 0x7f0ba2bd028d in ??
Abgebrochen

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (900, 'testing'), (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable'), (10, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.38-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages dnsutils depends on:
ii  bind9-host [host]  1:9.7.3.dfsg-1+b1  Version of 'host' bundled with BIN
ii  libbind9-60        1:9.7.3.dfsg-1+b1  BIND9 Shared Library used by BIND
ii  libc6              2.13-4             Embedded GNU C Library: Shared lib
ii  libcap2            1:2.21-1           support for getting/setting POSIX.
ii  libcomerr2         1.41.12-4          common error description library
ii  libdns69           1:9.7.3.dfsg-1+b1  DNS Shared Library used by BIND
ii  libgssapi-krb5-2   1.9+dfsg-1+b1      MIT Kerberos runtime libraries - k
ii  libisc62           1:9.7.3.dfsg-1+b1  ISC Shared Library used by BIND
ii  libisccfg62        1:9.7.3.dfsg-1+b1  Config File Handling Library used
ii  libk5crypto3       1.9+dfsg-1+b1      MIT Kerberos runtime libraries - C
ii  libkrb5-3          1.9+dfsg-1+b1      MIT Kerberos runtime libraries
ii  liblwres60         1:9.7.3.dfsg-1+b1  Lightweight Resolver Library used
ii  libssl1.0.0        1.0.0d-2           SSL shared libraries
ii  libxml2            2.7.8.dfsg-3       GNOME XML library

dnsutils recommends no packages.

Versions of packages dnsutils suggests:
pn  rblcheck           <none>             (no description available)

-- no debconf information