Casey Deccio <casey <at> deccio.net> writes:

> On Tue, Nov 9, 2010 at 8:10 PM, Brian J. Murrell <brian <at> interlinx.bc.ca> wrote:
> > $ dig @linux -p 1053 41.70.55.206.sa-trusted.bondedsender.org txt

Doh!  I forgot the +dnssec.

> What happens when you run the following queries:
>
> dig +dnssec @linux -p 1053 org SOA
>
> Do you get a NOERROR response with the AD bit set?

Yup:

$ dig +dnssec @linux -p 1053 org SOA

; <<>> DiG 9.7.1-P2 <<>> +dnssec @linux -p 1053 org SOA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44657
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;org.                      IN      SOA

;; ANSWER SECTION:
org.               670     IN      SOA     a0.org.afilias-nst.info. noc.afilias-nst.info. 2009390492 1800 900 604800 86400
org.               670     IN      RRSIG   SOA 7 1 900 20101124135902 20101110125902 61598 org. cqufQ6aorG5AeM7mFR/lwm9TnLwdK9PjTH36lEo4fYBk5jH+sgLM17rG wZD6c4/ZZHuT4ZvcQMa6pR1CgEtBLq1YAIT5zl0ncWs2pbyS2BFr35k5 B9thalfcHAGXFATzCFcVzQTVBSFy5QDPMuHpz2LTvaFc0xiE6sGqF+Fr Q14=

;; AUTHORITY SECTION:
org.               86175   IN      NS      a2.org.afilias-nst.info.
org.               86175   IN      NS      b0.org.afilias-nst.org.
org.               86175   IN      NS      a0.org.afilias-nst.info.
org.               86175   IN      NS      d0.org.afilias-nst.org.
org.               86175   IN      NS      c0.org.afilias-nst.info.
org.               86175   IN      NS      b2.org.afilias-nst.org.
org.               86175   IN      RRSIG   NS 7 1 86400 20101123154737 20101109144737 61598 org. KncVCF0Fbp56Cf7xW376cEuGnNL/G19WM0GfXhWwWHuWKn2HDjx7OJMi a0OYeoo/KlUn0pO0ORgT96vurhOkweEfdZXnpdPRRHBStfmpFZYD9wxG FiyGounAQuso/EWSZhmwHXsFieElBQ8+J8sKY+EDo4K92uCZ5QtQAI6S 7m8=

;; Query time: 2 msec
;; SERVER: 10.75.22.3#1053(10.75.22.3)
;; WHEN: Wed Nov 10 09:02:03 2010
;; MSG SIZE  rcvd: 536

> dig +dnssec @linux -p 1053 bondedsender.org DS
>
> Do you get a NOERROR response with AD bit

No AD bit set, however...

> set and NSEC3 RRs and their
> covering RRSIGs?

I do get NSEC3 and RRSIG RRs:

; <<>> DiG 9.7.1-P2 <<>> +dnssec @linux -p 1053 bondedsender.org DS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18923
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;bondedsender.org.         IN      DS

;; AUTHORITY SECTION:
org.               590     IN      SOA     a0.org.afilias-nst.info. noc.afilias-nst.info. 2009390497 1800 900 604800 86400
org.               590     IN      RRSIG   SOA 7 1 900 20101124140403 20101110130403 61598 org. C92vKu2HbiWyt+hgBJD5Arj4egcuL197n0AQWgnKPMQ+XdG90tGG0/5h 81dQZI/xKQQsoTA5I4oKa9qspxXqC1T1Ej7bBzFqnSrgVDpv1fI/GvIt UWbxYL888sn9XE/IP/tHWsbY6aIoSsheYTdJP0oOuunVMkF+i4c25c0v 9Yo=
h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org. 590 IN RRSIG NSEC3 7 2 86400 20101124140403 20101110130403 61598 org. qUeV9GSkAD4cY9ftHxclrhrX9tzzZmUJSDXgDab78x8DoBFZ9LNKg+jG Yvqqbk0CqOxAJKE7CGDV6WzcsBQJCdM1+3r3+L660i6jIgubxMwGpWc0 C/GXRhtYZXOuAHpVI0gHPCSoQzLqYU+QxxBepgOUUxSnLS4Zx7tftpqI zAg=
h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org. 590 IN NSEC3 1 1 1 D399EAAB H9PLJ7JCGLSRA48965QFJNJ3D0HC4FP5 NS SOA RRSIG DNSKEY NSEC3PARAM
t2ei86koq1j2hk8c8m677mgc115vgvu8.org. 590 IN RRSIG NSEC3 7 2 86400 20101124010350 20101110000350 61598 org. MLy2iRpF6yKCUfcb0zxow1Dn6ky7BaZQrMZCHsfbFOsV7p5fI13JQJ2r ihceyFt5G3VcJrnzm5E51YVlKKFEJmHIwaTUdHDTcBznqzOk+s3xm1iC o3cBgrMMEOOQwsX7sVMHLg9NuQ395lq2GZtOrvYZWAEpCU9dOmqcSbFO 2+M=
t2ei86koq1j2hk8c8m677mgc115vgvu8.org. 590 IN NSEC3 1 1 1 D399EAAB T2GH7ROARI9U6G24CR9QK4J52L88HKPV

;; Query time: 3993 msec
;; SERVER: 10.75.22.3#1053(10.75.22.3)
;; WHEN: Wed Nov 10 09:03:23 2010
;; MSG SIZE  rcvd: 756

The above produced the following in the bind debug log [ sorry for all the line wrapping.  Stupid gmane enforces that ]:

dnssec: validating @0x20fc49b0: bondedsender.org DS: starting
dnssec: validating @0x20fc49b0: bondedsender.org DS: attempting negative response validation
dnssec: validating @0x20fc49b0: bondedsender.org DS: nsecvalidate: creating validator for org SOA
dnssec: validating @0x20fc7b98: org SOA: starting
dnssec: validating @0x20fc7b98: org SOA: attempting positive response validation
dnssec: validating @0x20fc7b98: org SOA: keyset with trust 8
dnssec: validating @0x20fc7b98: org SOA: verify rdataset (keyid=61598): success
dnssec: validating @0x20fc7b98: org SOA: marking as secure, noqname proof not needed
dnssec: validator @0x20fc7b98: dns_validator_destroy
dnssec: validating @0x20fc49b0: bondedsender.org DS: in authvalidated
dnssec: validating @0x20fc49b0: bondedsender.org DS: resuming nsecvalidate
dnssec: validating @0x20fc49b0: bondedsender.org DS: nsecvalidate: creating validator for h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org NSEC3
dnssec: validating @0x20fc7b98: h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org NSEC3: starting
dnssec: validating @0x20fc7b98: h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org NSEC3: attempting positive response validation
dnssec: validating @0x20fc7b98: h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org NSEC3: keyset with trust 8
dnssec: validating @0x20fc7b98: h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org NSEC3: verify rdataset (keyid=61598): success
dnssec: validating @0x20fc7b98: h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org NSEC3: marking as secure, noqname proof not needed
dnssec: validator @0x20fc7b98: dns_validator_destroy
dnssec: validating @0x20fc49b0: bondedsender.org DS: in authvalidated
dnssec: validating @0x20fc49b0: bondedsender.org DS: resuming nsecvalidate
dnssec: validating @0x20fc49b0: bondedsender.org DS: nsecvalidate: creating validator for t2ei86koq1j2hk8c8m677mgc115vgvu8.org NSEC3
dnssec: validating @0x20fc7b98: t2ei86koq1j2hk8c8m677mgc115vgvu8.org NSEC3: starting
dnssec: validating @0x20fc7b98: t2ei86koq1j2hk8c8m677mgc115vgvu8.org NSEC3: attempting positive response validation
dnssec: validating @0x20fc7b98: t2ei86koq1j2hk8c8m677mgc115vgvu8.org NSEC3: keyset with trust 8
dnssec: validating @0x20fc7b98: t2ei86koq1j2hk8c8m677mgc115vgvu8.org NSEC3: verify rdataset (keyid=61598): success
dnssec: validating @0x20fc7b98: t2ei86koq1j2hk8c8m677mgc115vgvu8.org NSEC3: marking as secure, noqname proof not needed
dnssec: validator @0x20fc7b98: dns_validator_destroy
dnssec: validating @0x20fc49b0: bondedsender.org DS: in authvalidated
dnssec: validating @0x20fc49b0: bondedsender.org DS: resuming nsecvalidate
dnssec: validating @0x20fc49b0: bondedsender.org DS: looking for relevant NSEC3
dnssec: validating @0x20fc49b0: bondedsender.org DS: looking for relevant NSEC3
dnssec: validating @0x20fc49b0: bondedsender.org DS: looking for relevant NSEC3
dnssec: validating @0x20fc49b0: bondedsender.org DS: NSEC3 indicates potential closest encloser: 'org'
dnssec: validating @0x20fc49b0: bondedsender.org DS: NSEC3 at super-domain org
dnssec: validating @0x20fc49b0: bondedsender.org DS: looking for relevant NSEC3
dnssec: validating @0x20fc49b0: bondedsender.org DS: NSEC3 proves name does not exist: 'bondedsender.org'
dnssec: validating @0x20fc49b0: bondedsender.org DS: NSEC3 indicates optout
dnssec: validating @0x20fc49b0: bondedsender.org DS: in checkwildcard: *.org
dnssec: validating @0x20fc49b0: bondedsender.org DS: looking for relevant NSEC3
dnssec: validating @0x20fc49b0: bondedsender.org DS: NSEC3 at super-domain org
dnssec: validating @0x20fc49b0: bondedsender.org DS: looking for relevant NSEC3
dnssec: validating @0x20fc49b0: bondedsender.org DS: in checkwildcard: *.org
dnssec: validating @0x20fc49b0: bondedsender.org DS: nonexistence proof(s) found
dnssec: validator @0x20fc49b0: dns_validator_destroy
dnssec: validating @0x20fc49b0: 94.114.201.117.in-addr.arpa PTR: starting
dnssec: validating @0x20fc49b0: 94.114.201.117.in-addr.arpa PTR: attempting negative response validation
dnssec: validating @0x20fc49b0: 94.114.201.117.in-addr.arpa PTR: nsecvalidate: creating validator for 117.in-addr.arpa SOA
dnssec: validating @0x20fc7b98: 117.in-addr.arpa SOA: starting
dnssec: validating @0x20fc7b98: 117.in-addr.arpa SOA: attempting positive response validation
dnssec: validating @0x20fc7b98: 117.in-addr.arpa SOA: get_key: creating fetch for 117.in-addr.arpa DNSKEY
dnssec: validating @0x214348b0: 117.in-addr.arpa DNSKEY: starting
dnssec: validating @0x214348b0: 117.in-addr.arpa DNSKEY: looking for DLV
dnssec: validating @0x214348b0: 117.in-addr.arpa DNSKEY: plain DNSSEC returns unsecure (.): looking for DLV
dnssec: validating @0x214348b0: 117.in-addr.arpa DNSKEY: looking for DLV 117.in-addr.arpa.dlv.isc.org
dnssec: validating @0x214348b0: 117.in-addr.arpa DNSKEY: DNS_R_COVERINGNSEC
dnssec: validating @0x214348b0: 117.in-addr.arpa DNSKEY: covering nsec: not in range
dnssec: validating @0x214348b0: 117.in-addr.arpa DNSKEY: finddlvsep: creating fetch for 117.in-addr.arpa.dlv.isc.org DLV
dnssec: validating @0x214348b0: 117.in-addr.arpa DNSKEY: DLV lookup: wait
dnssec: validating @0x2146b048: 117.in-addr.arpa.dlv.isc.org DLV: starting
dnssec: validating @0x2146b048: 117.in-addr.arpa.dlv.isc.org DLV: attempting negative response validation
dnssec: validating @0x2146b048: 117.in-addr.arpa.dlv.isc.org DLV: nsecvalidate: creating validator for dlv.isc.org SOA
dnssec: validating @0x21472f58: dlv.isc.org SOA: starting
dnssec: validating @0x21472f58: dlv.isc.org SOA: attempting positive response validation
dnssec: validating @0x21472f58: dlv.isc.org SOA: keyset with trust 8
dnssec: validating @0x21472f58: dlv.isc.org SOA: verify rdataset (keyid=64263): success
dnssec: validating @0x21472f58: dlv.isc.org SOA: marking as secure, noqname proof not needed
dnssec: validator @0x21472f58: dns_validator_destroy
dnssec: validating @0x2146b048: 117.in-addr.arpa.dlv.isc.org DLV: in authvalidated
dnssec: validating @0x2146b048: 117.in-addr.arpa.dlv.isc.org DLV: resuming nsecvalidate
dnssec: validating @0x2146b048: 117.in-addr.arpa.dlv.isc.org DLV: nsecvalidate: creating validator for 6.12.174.109.in-addr.arpa.dlv.isc.org NSEC
dnssec: validating @0x21472f58: 6.12.174.109.in-addr.arpa.dlv.isc.org NSEC: starting
dnssec: validating @0x21472f58: 6.12.174.109.in-addr.arpa.dlv.isc.org NSEC: attempting positive response validation
dnssec: validating @0x21472f58: 6.12.174.109.in-addr.arpa.dlv.isc.org NSEC: keyset with trust 8
dnssec: validating @0x21472f58: 6.12.174.109.in-addr.arpa.dlv.isc.org NSEC: verify rdataset (keyid=64263): success
dnssec: validating @0x21472f58: 6.12.174.109.in-addr.arpa.dlv.isc.org NSEC: marking as secure, noqname proof not needed
dnssec: validator @0x21472f58: dns_validator_destroy
dnssec: validating @0x2146b048: 117.in-addr.arpa.dlv.isc.org DLV: in authvalidated
dnssec: validating @0x2146b048: 117.in-addr.arpa.dlv.isc.org DLV: looking for relevant nsec
dnssec: validating @0x2146b048: 117.in-addr.arpa.dlv.isc.org DLV: nsec range ok
dnssec: validating @0x2146b048: 117.in-addr.arpa.dlv.isc.org DLV: resuming nsecvalidate
dnssec: validating @0x2146b048: 117.in-addr.arpa.dlv.isc.org DLV: nsecvalidate: creating validator for 0.3.0.2.9.2.3.1.2.7.9.4.e164.arpa.dlv.isc.org NSEC
dnssec: validating @0x21471f50: 0.3.0.2.9.2.3.1.2.7.9.4.e164.arpa.dlv.isc.org NSEC: starting
dnssec: validating @0x21471f50: 0.3.0.2.9.2.3.1.2.7.9.4.e164.arpa.dlv.isc.org NSEC: attempting positive response validation
dnssec: validating @0x21471f50: 0.3.0.2.9.2.3.1.2.7.9.4.e164.arpa.dlv.isc.org NSEC: keyset with trust 8
dnssec: validating @0x21471f50: 0.3.0.2.9.2.3.1.2.7.9.4.e164.arpa.dlv.isc.org NSEC: verify rdataset (keyid=64263): success
dnssec: validating @0x21471f50: 0.3.0.2.9.2.3.1.2.7.9.4.e164.arpa.dlv.isc.org NSEC: marking as secure, noqname proof not needed
dnssec: validator @0x21471f50: dns_validator_destroy
dnssec: validating @0x2146b048: 117.in-addr.arpa.dlv.isc.org DLV: in authvalidated
dnssec: validating @0x2146b048: 117.in-addr.arpa.dlv.isc.org DLV: resuming nsecvalidate
dnssec: validating @0x2146b048: 117.in-addr.arpa.dlv.isc.org DLV: in checkwildcard: *.in-addr.arpa.dlv.isc.org
dnssec: validating @0x2146b048: 117.in-addr.arpa.dlv.isc.org DLV: looking for relevant nsec
dnssec: validating @0x2146b048: 117.in-addr.arpa.dlv.isc.org DLV: NSEC does not cover name, before NSEC
dnssec: validating @0x2146b048: 117.in-addr.arpa.dlv.isc.org DLV: looking for relevant nsec
dnssec: validating @0x2146b048: 117.in-addr.arpa.dlv.isc.org DLV: nsec range ok
dnssec: validating @0x2146b048: 117.in-addr.arpa.dlv.isc.org DLV: nonexistence proof(s) found
dnssec: validator @0x2146b048: dns_validator_destroy
dnssec: validating @0x214348b0: 117.in-addr.arpa DNSKEY: in dlvfetched: ncache nxdomain
dnssec: validating @0x214348b0: 117.in-addr.arpa DNSKEY: looking for DLV in-addr.arpa.dlv.isc.org
dnssec: validating @0x214348b0: 117.in-addr.arpa DNSKEY: looking for DLV arpa.dlv.isc.org
dnssec: validating @0x214348b0: 117.in-addr.arpa DNSKEY: DLV arpa found
dnssec: validating @0x214348b0: 117.in-addr.arpa DNSKEY: dlv_validator_start
dnssec: validating @0x214348b0: 117.in-addr.arpa DNSKEY: restarting using DLV
dnssec: validating @0x214348b0: 117.in-addr.arpa DNSKEY: attempting positive response validation
dnssec: validating @0x214348b0: 117.in-addr.arpa DNSKEY: validatezonekey: creating fetch for 117.in-addr.arpa DS

b.

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
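An added example, not from the thread or from BIND, that reproduces in Python the NSEC3 closest-encloser check the debug log above walks through: it hashes names with the NSEC3 parameters carried in the response (SHA-1, salt D399EAAB, 1 iteration), finds which of the two NSEC3 RRs covers the hash of bondedsender.org, and reports that the covering RR has the opt-out flag, which is why the missing DS leaves the delegation insecure (no AD bit) rather than bogus. The record table and the function names are constructed for the example.

```python
import base64
import hashlib

# NSEC3 RRs from the dig response in the post: (owner hash, next hash, flags).
# Flags bit 0 = opt-out. Zone params: hash alg 1 (SHA-1), salt D399EAAB, 1 iteration.
SALT = bytes.fromhex("D399EAAB")
ITERATIONS = 1
NSEC3_RRS = [
    ("h9p7u7tr2u91d0v0ljs9l1gidnp90u3h", "H9PLJ7JCGLSRA48965QFJNJ3D0HC4FP5", 1),
    ("t2ei86koq1j2hk8c8m677mgc115vgvu8", "T2GH7ROARI9U6G24CR9QK4J52L88HKPV", 1),
]
# Map the RFC 4648 base32 alphabet onto base32hex (what NSEC3 owner names use).
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def name_to_wire(name):
    """Canonical (lowercase) wire form of an owner name, RFC 4034 section 6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_hash(name, salt=SALT, iterations=ITERATIONS):
    """RFC 5155 section 5: SHA-1(x || salt), re-hashed `iterations` more times."""
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode().lower()

def covering_rr(h):
    """Return the NSEC3 RR whose (owner, next) interval covers hash h, else None."""
    h = h.lower()
    for owner, nxt, flags in NSEC3_RRS:
        owner, nxt = owner.lower(), nxt.lower()
        if owner < nxt:
            if owner < h < nxt:
                return (owner, nxt, flags)
        elif h > owner or h < nxt:  # last RR in the chain wraps around to the first
            return (owner, nxt, flags)
    return None

def prove_no_ds(qname):
    """Closest-encloser proof for a missing DS (RFC 5155 section 8.9 / 8.5).
    Returns ('optout', encloser) when the next-closer name is covered by an
    opt-out NSEC3 (delegation is insecure), ('nxdomain', encloser) for a secure
    denial, or None when the RRs at hand do not complete the proof."""
    owners = {o.lower() for o, _, _ in NSEC3_RRS}
    labels = qname.lower().rstrip(".").split(".")
    for i in range(1, len(labels) + 1):           # walk up towards the root
        encloser = ".".join(labels[i:]) or "."
        if nsec3_hash(encloser) in owners:        # matched: closest encloser found
            next_closer = ".".join(labels[i - 1:])
            rr = covering_rr(nsec3_hash(next_closer))
            if rr is None:
                return None
            return ("optout" if rr[2] & 1 else "nxdomain", encloser)
    return None
```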