In message <[email protected]>, Viktor Dukhovni writes:
> On Tue, Apr 08, 2014 at 10:19:33AM -0700, Wes Hardaker wrote:
>
> > Petr Spacek <[email protected]> writes:
> >
> > > It seems that almost everyone agree that local validating resolver is the
> > > best option.
> >
> > I failed to pipe up before, unfortunately.
> >
> > But, no I don't agree that's the best solution. The reality is that in
> > some cases we're making *security decisions* based on the results of a
> > flag that we're not 100% sure of the source. Without doing something
> > like replacing the system library's notion of even looking at
> > resolv.conf and only looking for 127.0.0.1, then you can't be 100% sure
> > that the bit you get back is actually trustable. If the default install
> > of the OS does the right thing, who's to say it'll stay that way.
>
> This is where Wes and I part ways somewhat, but fortunately, this
> issue is not an impediment to the SMTP DANE draft.
>
> > As an application author who might want absolute assurance that DNSSEC
> > was done (because I'm bootstrapping TLS or SSH or ... off of it), then
> > my ideal situation is to have a local resolver for caching purposes, but
> > to actually do validation in-application.
>
> For me doing it in application, means costly integration of complex
> code into the application that will add considerable latency because
> the application will have a cold DNSSEC cache (and will now need
> a cache where one was not needed before... The Plan-9 approach of
> moving security features into system services is I think far
> preferable.

What latency? This is the output of delve (see BIND 9.10), which
is a standalone stub validator talking to a local validating resolver
doing a full validation from the root. This uses exactly the same
code that named uses to validate its answers. The only difference
is that a slightly different cache implementation is used.

28.321 - 28.298 = 00.023
from start to finish.

The only change I made was to make the logging print out timestamps.

09-Apr-2014 09:41:28.298 ;; res 0x11076f000: create
09-Apr-2014 09:41:28.300 ;; adb: task-exclusive mode unavailable, intializing
table sizes to 49193
09-Apr-2014 09:41:28.306 ;; dns_requestmgr_create
09-Apr-2014 09:41:28.306 ;; dns_requestmgr_create: 0x110774000
09-Apr-2014 09:41:28.306 ;; dns_requestmgr_whenshutdown
09-Apr-2014 09:41:28.307 ;; adding DLV trust anchor dlv.isc.org
09-Apr-2014 09:41:28.307 ;; adding trust anchor .
09-Apr-2014 09:41:28.307 ;; fetch: dv.isc.org/SOA
09-Apr-2014 09:41:28.307 ;; fctx 0x111529000(dv.isc.org/SOA): create
09-Apr-2014 09:41:28.307 ;; log_ns_ttl: fctx 0x111529000: fctx_create:
dv.isc.org (in '.'?): 0 0
09-Apr-2014 09:41:28.307 ;; fctx 0x111529000(dv.isc.org/SOA): join
09-Apr-2014 09:41:28.307 ;; fetch 0x11075a0a8 (fctx
0x111529000(dv.isc.org/SOA)): created
09-Apr-2014 09:41:28.307 ;; fctx 0x111529000(dv.isc.org/SOA): start
09-Apr-2014 09:41:28.307 ;; fctx 0x111529000(dv.isc.org/SOA): try
09-Apr-2014 09:41:28.307 ;; fctx 0x111529000(dv.isc.org/SOA): cancelqueries
09-Apr-2014 09:41:28.307 ;; fctx 0x111529000(dv.isc.org/SOA): getaddresses
09-Apr-2014 09:41:28.307 ;; fctx 0x111529000(dv.isc.org/SOA): query
09-Apr-2014 09:41:28.307 ;; resquery 0x11152f000 (fctx
0x111529000(dv.isc.org/SOA)): send
09-Apr-2014 09:41:28.307 ;; resquery 0x11152f000 (fctx
0x111529000(dv.isc.org/SOA)): sent
09-Apr-2014 09:41:28.307 ;; resquery 0x11152f000 (fctx
0x111529000(dv.isc.org/SOA)): senddone
09-Apr-2014 09:41:28.308 ;; resquery 0x11152f000 (fctx
0x111529000(dv.isc.org/SOA)): response
09-Apr-2014 09:41:28.308 ;; received packet:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4409
;; flags: qr rd ra ad; QUESTION: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; SIT: 2d8cf3496b58375c57ed3b5b53448928f199cb69a8065b4d
;; QUESTION SECTION:
;dv.isc.org. IN SOA
;; ANSWER SECTION:
;Dv.isc.org. 3532 IN SOA bsdi.dv.isc.org. marka.isc.org.
(
; 2007111528 ; serial
; 86400 ; refresh (1 day)
; 21600 ; retry (6 hours)
; 2419200 ; expire (4 weeks)
; 86400 ; minimum (1 day)
; )
;Dv.isc.org. 3532 IN RRSIG SOA 5 3 3600 (
; 20140606234902 20140407224902
14436 dv.isc.org.
; i8fBym000/fiC3XrQ1B0spgppClO
; yQfdQiPq3p2228bSYR86NzxOqpUL
; 2YBya9120KctdiLBOpeUEIf285Tz
; xA== )
;; AUTHORITY SECTION:
;Dv.isc.org. 5842 IN NS bsdi1.dv.isc.org.
;Dv.isc.org. 5842 IN NS drugs.dv.isc.org.
;Dv.isc.org. 5842 IN RRSIG NS 5 3 86400 (
; 20140520164117 20140321164013
14436 dv.isc.org.
; uRGZe6K+C3wzVaOscR/+Cf1xwimw
; TuPim/lW/q/lzPzLx1B39IQXEc1Y
; Jl6zkARqafYXstPBDrLvHmV1x0FE
; jQ== )
09-Apr-2014 09:41:28.308 ;; fctx 0x111529000(dv.isc.org/SOA): answer_response
09-Apr-2014 09:41:28.308 ;; log_ns_ttl: fctx 0x111529000: answer_response:
dv.isc.org (in '.'?): 0 0
09-Apr-2014 09:41:28.308 ;; fctx 0x111529000(dv.isc.org/SOA): cache_message
09-Apr-2014 09:41:28.308 ;; decrement_reference: delete from rbt: 0x11077e078
Dv.isc.org
09-Apr-2014 09:41:28.308 ;; fctx 0x111529000(dv.isc.org/SOA): cancelquery
09-Apr-2014 09:41:28.308 ;; fctx 0x111529000(dv.isc.org/SOA): wait for validator
09-Apr-2014 09:41:28.308 ;; fctx 0x111529000(dv.isc.org/SOA): cancelqueries
09-Apr-2014 09:41:28.308 ;; validating Dv.isc.org/SOA: starting
09-Apr-2014 09:41:28.308 ;; validating Dv.isc.org/SOA: attempting positive
response validation
09-Apr-2014 09:41:28.308 ;; validating Dv.isc.org/SOA: get_key: creating fetch
for dv.isc.org DNSKEY
09-Apr-2014 09:41:28.308 ;; fetch: dv.isc.org/DNSKEY
09-Apr-2014 09:41:28.308 ;; fctx 0x111529430(dv.isc.org/DNSKEY): create
09-Apr-2014 09:41:28.308 ;; log_ns_ttl: fctx 0x111529430: fctx_create:
dv.isc.org (in '.'?): 0 0
09-Apr-2014 09:41:28.308 ;; fctx 0x111529430(dv.isc.org/DNSKEY): join
09-Apr-2014 09:41:28.308 ;; fetch 0x11075a120 (fctx
0x111529430(dv.isc.org/DNSKEY)): created
09-Apr-2014 09:41:28.308 ;; fctx 0x111529430(dv.isc.org/DNSKEY): start
09-Apr-2014 09:41:28.308 ;; fctx 0x111529430(dv.isc.org/DNSKEY): try
09-Apr-2014 09:41:28.308 ;; fctx 0x111529430(dv.isc.org/DNSKEY): cancelqueries
09-Apr-2014 09:41:28.308 ;; fctx 0x111529430(dv.isc.org/DNSKEY): getaddresses
09-Apr-2014 09:41:28.308 ;; fctx 0x111529430(dv.isc.org/DNSKEY): query
09-Apr-2014 09:41:28.308 ;; resquery 0x11152f000 (fctx
0x111529430(dv.isc.org/DNSKEY)): send
09-Apr-2014 09:41:28.308 ;; resquery 0x11152f000 (fctx
0x111529430(dv.isc.org/DNSKEY)): sent
09-Apr-2014 09:41:28.308 ;; resquery 0x11152f000 (fctx
0x111529430(dv.isc.org/DNSKEY)): senddone
09-Apr-2014 09:41:28.308 ;; resquery 0x11152f000 (fctx
0x111529430(dv.isc.org/DNSKEY)): response
09-Apr-2014 09:41:28.308 ;; received packet:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17780
;; flags: qr rd ra ad; QUESTION: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; SIT: 2d8cf3496b58375c71d56ac853448928ef24558c8085c830
;; QUESTION SECTION:
;dv.isc.org. IN DNSKEY
;; ANSWER SECTION:
;Dv.isc.org. 5842 IN DNSKEY 257 3 5 (
; AwEAAbatyuBZQjJB6WnkeFMGIDNU
; UMHDSFOsvcjVarCYaN5c5lg56SAL
; PpvkbauGnt2S6coHqKG6o36hwoNm
; J4Qjc94FU9Bzsg60pyviSrnFJT3l
; 13W+jTEoXU3pRk9f4182ffL/aKdI
; wW0dDuMphPyjqaomSeBfjnojhD+Q
; Li144lOl
; ) ; KSK; alg = RSASHA1; key id
= 10288
;Dv.isc.org. 5842 IN DNSKEY 256 3 5 (
; AwEAAePX2qjqzu9uE79fDAwb99GH
; 1xnF6b+dsRqHOnmKldHWTb3KX2Yp
; WzuDKQZpISkakn0mf32FHp5iuu8H
; 5VOkcf0=
; ) ; ZSK; alg = RSASHA1; key id
= 14436
;Dv.isc.org. 5842 IN RRSIG DNSKEY 5 3 86400 (
; 20140520204428 20140321202107
10288 dv.isc.org.
; imsRQCYCmv6yf6viAO+lfp1bEKfK
; VKD1BmZEfrmE1cTaW9k8mEjgNmhM
; nt7XdZ1XQslygbl1VRl1hBntp/kA
; Rqwq3s+Hd84hIZjt2ThXji3uBWoE
; jmzuhqq3mJufle8CXUR68Jrp04Pd
; jSIeXVsYm8JIlVlnTWzXj505IGG7
; Uh0= )
;Dv.isc.org. 5842 IN RRSIG DNSKEY 5 3 86400 (
; 20140520204428 20140321202107
14436 dv.isc.org.
; axyw6FZGW+HlGLTQP8yhG+DHdefK
; 42nZCWX4Gv3sQtovUOkS0NaucJF1
; 65nZR4s5qWj+/yGVgjKw/zco7RLu
; pg== )
09-Apr-2014 09:41:28.308 ;; fctx 0x111529430(dv.isc.org/DNSKEY): answer_response
09-Apr-2014 09:41:28.308 ;; log_ns_ttl: fctx 0x111529430: answer_response:
dv.isc.org (in '.'?): 0 0
09-Apr-2014 09:41:28.308 ;; fctx 0x111529430(dv.isc.org/DNSKEY): cache_message
09-Apr-2014 09:41:28.308 ;; fctx 0x111529430(dv.isc.org/DNSKEY): cancelquery
09-Apr-2014 09:41:28.308 ;; fctx 0x111529430(dv.isc.org/DNSKEY): wait for
validator
09-Apr-2014 09:41:28.308 ;; fctx 0x111529430(dv.isc.org/DNSKEY): cancelqueries
09-Apr-2014 09:41:28.308 ;; validating Dv.isc.org/DNSKEY: starting
09-Apr-2014 09:41:28.308 ;; validating Dv.isc.org/DNSKEY: attempting positive
response validation
09-Apr-2014 09:41:28.308 ;; validating Dv.isc.org/DNSKEY: validatezonekey:
creating fetch for Dv.isc.org DS
09-Apr-2014 09:41:28.308 ;; fetch: Dv.isc.org/DS
09-Apr-2014 09:41:28.308 ;; fctx 0x111529860(Dv.isc.org/DS): create
09-Apr-2014 09:41:28.308 ;; log_ns_ttl: fctx 0x111529860: fctx_create:
Dv.isc.org (in '.'?): 0 0
09-Apr-2014 09:41:28.308 ;; fctx 0x111529860(Dv.isc.org/DS): join
09-Apr-2014 09:41:28.308 ;; fetch 0x11075a138 (fctx
0x111529860(Dv.isc.org/DS)): created
09-Apr-2014 09:41:28.308 ;; fctx 0x111529860(Dv.isc.org/DS): start
09-Apr-2014 09:41:28.308 ;; fctx 0x111529860(Dv.isc.org/DS): try
09-Apr-2014 09:41:28.308 ;; fctx 0x111529860(Dv.isc.org/DS): cancelqueries
09-Apr-2014 09:41:28.309 ;; fctx 0x111529860(Dv.isc.org/DS): getaddresses
09-Apr-2014 09:41:28.309 ;; fctx 0x111529860(Dv.isc.org/DS): query
09-Apr-2014 09:41:28.309 ;; resquery 0x11152f000 (fctx
0x111529860(Dv.isc.org/DS)): send
09-Apr-2014 09:41:28.309 ;; resquery 0x11152f000 (fctx
0x111529860(Dv.isc.org/DS)): sent
09-Apr-2014 09:41:28.309 ;; resquery 0x11152f000 (fctx
0x111529860(Dv.isc.org/DS)): senddone
09-Apr-2014 09:41:28.309 ;; resquery 0x11152f000 (fctx
0x111529860(Dv.isc.org/DS)): response
09-Apr-2014 09:41:28.309 ;; received packet:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16583
;; flags: qr rd ra ad; QUESTION: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; SIT: 2d8cf3496b58375c42f44fcf53448928f6f346b94566391e
;; QUESTION SECTION:
;Dv.isc.org. IN DS
;; ANSWER SECTION:
;Dv.isc.org. 6130 IN DS 10288 5 2 (
; 6D9CD532BC5E7EE6404EB019048F
; C9727A970854EF0375364F8F6ED5
; 4A8DA73B )
;Dv.isc.org. 6130 IN DS 10288 5 1 (
; 22F103696F795206A7373850444C
; 6F4DA61D0076 )
;Dv.isc.org. 6130 IN RRSIG DS 5 3 7200 (
; 20140507233241 20140407233241
4521 isc.org.
; pmz1rcVQRr3lbnBDp36ew3oz44gT
; GJgI4RvyyAapOyGP8Fa1flG5BKYQ
; Fo5G68OhMLVupXhys2mo9BQoEx/z
; ydbVkHuciBK3qKEvHUiq69e/iGuv
; dRjWopgv0uY8o0rSPabVpoa07I1P
; Hj8+682Ku9TGLmyNelpNuhz7bgq7
; GBE= )
09-Apr-2014 09:41:28.309 ;; fctx 0x111529860(Dv.isc.org/DS): answer_response
09-Apr-2014 09:41:28.309 ;; log_ns_ttl: fctx 0x111529860: answer_response:
Dv.isc.org (in '.'?): 0 0
09-Apr-2014 09:41:28.309 ;; fctx 0x111529860(Dv.isc.org/DS): cache_message
09-Apr-2014 09:41:28.309 ;; fctx 0x111529860(Dv.isc.org/DS): cancelquery
09-Apr-2014 09:41:28.309 ;; fctx 0x111529860(Dv.isc.org/DS): wait for validator
09-Apr-2014 09:41:28.309 ;; fctx 0x111529860(Dv.isc.org/DS): cancelqueries
09-Apr-2014 09:41:28.309 ;; validating Dv.isc.org/DS: starting
09-Apr-2014 09:41:28.309 ;; validating Dv.isc.org/DS: attempting positive
response validation
09-Apr-2014 09:41:28.309 ;; validating Dv.isc.org/DS: get_key: creating fetch
for isc.org DNSKEY
09-Apr-2014 09:41:28.309 ;; fetch: isc.org/DNSKEY
09-Apr-2014 09:41:28.309 ;; fctx 0x111569000(isc.org/DNSKEY): create
09-Apr-2014 09:41:28.309 ;; log_ns_ttl: fctx 0x111569000: fctx_create: isc.org
(in '.'?): 0 0
09-Apr-2014 09:41:28.309 ;; fctx 0x111569000(isc.org/DNSKEY): join
09-Apr-2014 09:41:28.309 ;; fetch 0x11075a150 (fctx
0x111569000(isc.org/DNSKEY)): created
09-Apr-2014 09:41:28.309 ;; fctx 0x111569000(isc.org/DNSKEY): start
09-Apr-2014 09:41:28.309 ;; fctx 0x111569000(isc.org/DNSKEY): try
09-Apr-2014 09:41:28.309 ;; fctx 0x111569000(isc.org/DNSKEY): cancelqueries
09-Apr-2014 09:41:28.309 ;; fctx 0x111569000(isc.org/DNSKEY): getaddresses
09-Apr-2014 09:41:28.309 ;; fctx 0x111569000(isc.org/DNSKEY): query
09-Apr-2014 09:41:28.309 ;; resquery 0x11156f000 (fctx
0x111569000(isc.org/DNSKEY)): send
09-Apr-2014 09:41:28.309 ;; resquery 0x11156f000 (fctx
0x111569000(isc.org/DNSKEY)): sent
09-Apr-2014 09:41:28.309 ;; resquery 0x11156f000 (fctx
0x111569000(isc.org/DNSKEY)): senddone
09-Apr-2014 09:41:28.309 ;; resquery 0x11156f000 (fctx
0x111569000(isc.org/DNSKEY)): response
09-Apr-2014 09:41:28.309 ;; received packet:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15856
;; flags: qr rd ra ad; QUESTION: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; SIT: 2d8cf3496b58375ca839dce553448928545eebc5e1402641
;; QUESTION SECTION:
;isc.org. IN DNSKEY
;; ANSWER SECTION:
;isc.org. 5395 IN DNSKEY 256 3 5 (
; AwEAAbJpDF4RemdHHE/HrJJhR3zp
; zAQ6zsHqFv0i4lCWTUf4sX+cq3vS
; u7fKO4QJtm97S1sbcnmHonVE3QPz
; LOsqsY630Wy5JzrPK3gUvQLgfIso
; vo2v+dosITL8WbvjU1mEXhIwfuuB
; hYmYSKySZ0X9gpHGhdxRd+J8M7ri
; PfN7kHLP
; ) ; ZSK; alg = RSASHA1; key id
= 4521
;isc.org. 5395 IN DNSKEY 257 3 5 (
; BEAAAAOhHQDBrhQbtphgq2wQUpEQ
; 5t4DtUHxoMVFu2hWLDMvoOMRXjGr
; hhCeFvAZih7yJHf8ZGfW6hd38hXG
; /xylYCO6Krpbdojwx8YMXLA5/kA+
; u50WIL8ZR1R6KTbsYVMf/Qx5RiNb
; PClw+vT+U8eXEJmO20jIS1ULgqy3
; 47cBB1zMnnz/4LJpA0da9CbKj3A2
; 54T515sNIMcwsB8/2+2E63/zZrQz
; Bkj0BrN/9Bexjpiks3jRhZatEsXn
; 3dTy47R09Uix5WcJt+xzqZ7+ysyL
; KOOedS39Z7SDmsn2eA0FKtQpwA6L
; XeG2w+jxmw3oA8lVUgEf/rzeC/bB
; yBNsO70aEFTd
; ) ; KSK; alg = RSASHA1; key id
= 12892
;isc.org. 5395 IN RRSIG DNSKEY 5 2 7200 (
; 20140507230126 20140407230126
4521 isc.org.
; dcmQwSpa00DJ8pd2PBKJxRyZ+ax4
; r/VBliEh2x5v/CUurfQfGIbnn+ZW
; Pz4EnRkDkiComnwEQo4jfMRjv3S3
; ltz9L0Xi5XVlr+bhyc7OeDdGhdG6
; SsEgyLvQ92Jg1wFeVLIkIieTnqps
; O3EvjR6eY83Rc266ubk8MvnFcpJg
; 0m0= )
;isc.org. 5395 IN RRSIG DNSKEY 5 2 7200 (
; 20140507230126 20140407230126
12892 isc.org.
; j4k8SwlG6sibrmqhe810xEWxqf4p
; AuBRkDTOcZM4j5CFdffOjwt01Uhp
; tiQ7mMfOPQcygD3WzQz5oC8J+BYe
; mCH4cSwj/pprX/7VLuxeIp/NnD7A
; vBfc884aoLDFMWFzLq7f98eHhfnK
; ui1LY568G67n9rKF1TFk3TIcEoQS
; oRt5U02ATgkF59fpVQZYg5B1dBIp
; CAm2puOWuAHy4nXINYBjItqfNEtg
; 1cbJBa7IRQWaaZY9+CVHKShs3GYg
; 6/1WMwgWwadl4/6ySy0/m71H3aCx
; fBETFZ5pY4VpjvMOghbioGrpse9E
; +C3wRAU9NGkJMSESwIez/YpE72NO
; u470Og== )
09-Apr-2014 09:41:28.309 ;; fctx 0x111569000(isc.org/DNSKEY): answer_response
09-Apr-2014 09:41:28.309 ;; log_ns_ttl: fctx 0x111569000: answer_response:
isc.org (in '.'?): 0 0
09-Apr-2014 09:41:28.309 ;; fctx 0x111569000(isc.org/DNSKEY): cache_message
09-Apr-2014 09:41:28.309 ;; fctx 0x111569000(isc.org/DNSKEY): cancelquery
09-Apr-2014 09:41:28.309 ;; fctx 0x111569000(isc.org/DNSKEY): wait for validator
09-Apr-2014 09:41:28.309 ;; fctx 0x111569000(isc.org/DNSKEY): cancelqueries
09-Apr-2014 09:41:28.309 ;; validating isc.org/DNSKEY: starting
09-Apr-2014 09:41:28.309 ;; validating isc.org/DNSKEY: attempting positive
response validation
09-Apr-2014 09:41:28.310 ;; validating isc.org/DNSKEY: validatezonekey:
creating fetch for isc.org DS
09-Apr-2014 09:41:28.310 ;; fetch: isc.org/DS
09-Apr-2014 09:41:28.310 ;; fctx 0x111569430(isc.org/DS): create
09-Apr-2014 09:41:28.310 ;; log_ns_ttl: fctx 0x111569430: fctx_create: isc.org
(in '.'?): 0 0
09-Apr-2014 09:41:28.310 ;; fctx 0x111569430(isc.org/DS): join
09-Apr-2014 09:41:28.310 ;; fetch 0x11075a168 (fctx 0x111569430(isc.org/DS)):
created
09-Apr-2014 09:41:28.310 ;; fctx 0x111569430(isc.org/DS): start
09-Apr-2014 09:41:28.310 ;; fctx 0x111569430(isc.org/DS): try
09-Apr-2014 09:41:28.310 ;; fctx 0x111569430(isc.org/DS): cancelqueries
09-Apr-2014 09:41:28.310 ;; fctx 0x111569430(isc.org/DS): getaddresses
09-Apr-2014 09:41:28.310 ;; fctx 0x111569430(isc.org/DS): query
09-Apr-2014 09:41:28.310 ;; resquery 0x11156f000 (fctx
0x111569430(isc.org/DS)): send
09-Apr-2014 09:41:28.310 ;; resquery 0x11156f000 (fctx
0x111569430(isc.org/DS)): sent
09-Apr-2014 09:41:28.310 ;; resquery 0x11156f000 (fctx
0x111569430(isc.org/DS)): senddone
09-Apr-2014 09:41:28.310 ;; resquery 0x11156f000 (fctx
0x111569430(isc.org/DS)): response
09-Apr-2014 09:41:28.310 ;; received packet:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31640
;; flags: qr rd ra ad; QUESTION: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; SIT: 2d8cf3496b58375cda8ad76953448928e7787e67a66486d6
;; QUESTION SECTION:
;isc.org. IN DS
;; ANSWER SECTION:
;isc.org. 5504 IN DS 12892 5 2 (
; F1E184C0E1D615D20EB3C223ACED
; 3B03C773DD952D5F0EB5C777586D
; E18DA6B5 )
;isc.org. 5504 IN DS 12892 5 1 (
; 982113D08B4C6A1D9F6AEE1E2237
; AEF69F3F9759 )
;isc.org. 5504 IN RRSIG DS 7 2 86400 (
; 20140422155313 20140401145313
28794 org.
; FoLFvxVMRXkdLg5wumU9Lf9uIFT9
; lknz1zQPRAjNZlc/3Nq2hZMIELGT
; K26uQwFbAj/04XNJCnm34FVdYSWF
; P/y8V+4MimPpKLC3rt7sNKJlIhbH
; LLuIVr1l70WaaJ2NyKk6AgnRYY3D
; LSahHXXk/3sG+WWqI8UHBWTdi0up
; oqk= )
09-Apr-2014 09:41:28.310 ;; fctx 0x111569430(isc.org/DS): answer_response
09-Apr-2014 09:41:28.310 ;; log_ns_ttl: fctx 0x111569430: answer_response:
isc.org (in '.'?): 0 0
09-Apr-2014 09:41:28.310 ;; fctx 0x111569430(isc.org/DS): cache_message
09-Apr-2014 09:41:28.310 ;; fctx 0x111569430(isc.org/DS): cancelquery
09-Apr-2014 09:41:28.310 ;; fctx 0x111569430(isc.org/DS): wait for validator
09-Apr-2014 09:41:28.310 ;; fctx 0x111569430(isc.org/DS): cancelqueries
09-Apr-2014 09:41:28.310 ;; validating isc.org/DS: starting
09-Apr-2014 09:41:28.310 ;; validating isc.org/DS: attempting positive response
validation
09-Apr-2014 09:41:28.310 ;; validating isc.org/DS: get_key: creating fetch for
org DNSKEY
09-Apr-2014 09:41:28.310 ;; fetch: org/DNSKEY
09-Apr-2014 09:41:28.310 ;; fctx 0x1115a9000(org/DNSKEY): create
09-Apr-2014 09:41:28.310 ;; log_ns_ttl: fctx 0x1115a9000: fctx_create: org (in
'.'?): 0 0
09-Apr-2014 09:41:28.310 ;; fctx 0x1115a9000(org/DNSKEY): join
09-Apr-2014 09:41:28.310 ;; fetch 0x11075a180 (fctx 0x1115a9000(org/DNSKEY)):
created
09-Apr-2014 09:41:28.310 ;; fctx 0x1115a9000(org/DNSKEY): start
09-Apr-2014 09:41:28.310 ;; fctx 0x1115a9000(org/DNSKEY): try
09-Apr-2014 09:41:28.310 ;; fctx 0x1115a9000(org/DNSKEY): cancelqueries
09-Apr-2014 09:41:28.310 ;; fctx 0x1115a9000(org/DNSKEY): getaddresses
09-Apr-2014 09:41:28.310 ;; fctx 0x1115a9000(org/DNSKEY): query
09-Apr-2014 09:41:28.310 ;; resquery 0x1115af000 (fctx
0x1115a9000(org/DNSKEY)): send
09-Apr-2014 09:41:28.310 ;; resquery 0x1115af000 (fctx
0x1115a9000(org/DNSKEY)): sent
09-Apr-2014 09:41:28.310 ;; resquery 0x1115af000 (fctx
0x1115a9000(org/DNSKEY)): senddone
09-Apr-2014 09:41:28.310 ;; resquery 0x1115af000 (fctx
0x1115a9000(org/DNSKEY)): response
09-Apr-2014 09:41:28.310 ;; received packet:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57451
;; flags: qr rd ra ad; QUESTION: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; SIT: 2d8cf3496b58375c277da90653448928b346e9460f9b5cbb
;; QUESTION SECTION:
;org. IN DNSKEY
;; ANSWER SECTION:
;org. 832 IN DNSKEY 256 3 7 (
; AwEAAYhrCBtYGnFviZ921MUyk5MD
; 1Ywzz9fLytgGY6enAgn9fFKjlhNp
; KFDCLxrzrFkPV8OCA2DtefVzIqaw
; TuHV1zjYgYZgx0nUn4zXVnxFSl4X
; 1CyXPT/AMPOrAw+cN38oxVQs2FDL
; aLwwmcxXmk3mBwTgu3fGHpmjdA5D
; /3TPeAjX
; ) ; ZSK; alg = NSEC3RSASHA1;
key id = 28794
;org. 832 IN DNSKEY 256 3 7 (
; AwEAAa+yHvpOo3f7XS1vtKPGH6AD
; 1OkmYUtnRlkkCO9BKJ0OCCvYSWh5
; NWLJjIMXRzVpituqoLtiYfhdDYQH
; 5JzRVW6lCtT+2SiWmEx+7GnSyMT4
; 8858uC02AYlJVfbitCpoGGdzyLTi
; MxtMlztpRyCAvaDujnx+2GBo7zgb
; 50f5gQJp
; ) ; ZSK; alg = NSEC3RSASHA1;
key id = 1829
;org. 832 IN DNSKEY 257 3 7 (
; AwEAAZTjbIO5kIpxWUtyXc8avsKy
; HIIZ+LjC2Dv8naO+Tz6X2fqzDC1b
; dq7HlZwtkaqTkMVVJ+8gE9FIreGJ
; 4c8G1GdbjQgbP1OyYIG7OHTc4hv5
; T2NlyWr6k6QFz98Q4zwFIGTFVvwB
; hmrMDYsOTtXakK6QwHovA1+83BsU
; ACxlidpwB0hQacbD6x+I2RCDzYuT
; zj64Jv0/9XsX6AYV3ebcgn4hL1jI
; R2eJYyXlrAoWxdzxcW//5yeL5RVW
; uhRxejmnSVnCuxkfS4AQ485KH2tp
; dbWcCopLJZs6tw8q3jWcpTGzdh/v
; 3xdYfNpQNcPImFlxAun3BtORPA2r
; 8ti6MNoJEHU=
; ) ; KSK; alg = NSEC3RSASHA1;
key id = 9795
;org. 832 IN DNSKEY 257 3 7 (
; AwEAAYpYfj3aaRzzkxWQqMdl7YEx
; Y81NdYSv+qayuZDodnZ9IMh0bwMc
; YaVUdzNAbVeJ8gd6jq1sR3VvP/SR
; 36mmGssbV4Udl5ORDtqiZP2TDNDH
; xEnKKTX+jWfytZeT7d3AbSzBKC0v
; 7uZrM6M2eoJnl6id66rEUmQC2p9D
; rrDg9F6tXC9CD/zC7/y+BNNpiOdn
; M5DXk7HhZm7ra9E7ltL13h2mx7kE
; gU8e6npJlCoXjraIBgUDthYs48W/
; sdTDLu7N59rjCG+bpil+c8oZ9f7N
; R3qmSTpTP1m86RqUQnVErifrH8Kj
; DqL+3wzUdF5ACkYwt1XhPVPU+wSI
; lzbaAQN49PU=
; ) ; KSK; alg = NSEC3RSASHA1;
key id = 21366
;org. 832 IN RRSIG DNSKEY 7 1 900 (
; 20140422155313 20140401145313
9795 org.
; U5EosaoqM0jPBPVdL08D5wilaHoH
; gcOHM3RNP0hwzv5lQg8JBtq6wZGA
; YUHstIDTD6LGxR3vLmZGeEHobtxk
; aNIp/TW1W/zB9SOySTK1DrnMKjYd
; yi64LbP/XvSv/Fpa29DVkIbU1REs
; dPSwWyurw1nKiAGUld1AYeGwU1Zi
; wwqHk6SB+ohZPmv7J9BgIjvSwswr
; PudynzIbyb1Y7bmI82nEo/FmX3qa
; YwLXkjsH50BYwAYH1C8CoAeg/fpg
; P+3b8JRx1M55EzAJNQqVL4nHtqdW
; 4FSV8h3t5pFzLwVpo3lLiKXQj8Di
; QVTT2JkHqOTnnhlvHG5BDZVykLn2
; YNxXNQ== )
;org. 832 IN RRSIG DNSKEY 7 1 900 (
; 20140422155313 20140401145313
21366 org.
; JXhlQLDrtfK2ZdXQzdoygZnXNFfa
; 7/lPubNgrUmL46dYo1K07UL0yDkn
; fhKYrBd7WhES9koX8gR8m3sb4RJj
; MvtDi0VOOaxI8kCO6ltNQ5h8NKgw
; WEur+w25EwRjWRychohiIchXLXyK
; X7mTqUolhVCIfSJGShKLLW8ffYTV
; eNHP/3FdSu37RNqLsOn+pfaLbhK+
; MNnwbb/UQbxCPFAkuZCy5JDaUsW0
; JuqrhMei0EdzGb6qYPk9ZDtCWqZG
; T+yIdypqWOhM4Eqm8KnHsLbzQlnf
; ON7gi1ZOIIXoaX+Apo2I8venXqFw
; xuLTmhvJAkPCqA06oYvkHWf0/yxO
; x+JkVQ== )
;org. 832 IN RRSIG DNSKEY 7 1 900 (
; 20140422155313 20140401145313
28794 org.
; aHnCxEKmD9y/ZTBnrSu6ZDIhF+hB
; usJ3XKtBf8ubDrVZcvz8KUT812cL
; Se16T9pqVOMSoBp5ywGWrieaEsip
; XXcNjuzuL+5xbxLmnhnv2aiuapNk
; 0siZxvMPs+LV1Gw7Je2wj0o1qRgt
; TwoFVREPLDkbkEMdXqxrdWmTwVna
; OK8= )
09-Apr-2014 09:41:28.311 ;; fctx 0x1115a9000(org/DNSKEY): answer_response
09-Apr-2014 09:41:28.311 ;; log_ns_ttl: fctx 0x1115a9000: answer_response: org
(in '.'?): 0 0
09-Apr-2014 09:41:28.311 ;; fctx 0x1115a9000(org/DNSKEY): cache_message
09-Apr-2014 09:41:28.311 ;; fctx 0x1115a9000(org/DNSKEY): cancelquery
09-Apr-2014 09:41:28.311 ;; fctx 0x1115a9000(org/DNSKEY): wait for validator
09-Apr-2014 09:41:28.311 ;; fctx 0x1115a9000(org/DNSKEY): cancelqueries
09-Apr-2014 09:41:28.311 ;; validating org/DNSKEY: starting
09-Apr-2014 09:41:28.311 ;; validating org/DNSKEY: attempting positive response
validation
09-Apr-2014 09:41:28.311 ;; validating org/DNSKEY: validatezonekey: creating
fetch for org DS
09-Apr-2014 09:41:28.311 ;; fetch: org/DS
09-Apr-2014 09:41:28.311 ;; fctx 0x1115a9430(org/DS): create
09-Apr-2014 09:41:28.311 ;; log_ns_ttl: fctx 0x1115a9430: fctx_create: org (in
'.'?): 0 0
09-Apr-2014 09:41:28.311 ;; fctx 0x1115a9430(org/DS): join
09-Apr-2014 09:41:28.311 ;; fetch 0x11075a198 (fctx 0x1115a9430(org/DS)):
created
09-Apr-2014 09:41:28.311 ;; fctx 0x1115a9430(org/DS): start
09-Apr-2014 09:41:28.311 ;; fctx 0x1115a9430(org/DS): try
09-Apr-2014 09:41:28.311 ;; fctx 0x1115a9430(org/DS): cancelqueries
09-Apr-2014 09:41:28.311 ;; fctx 0x1115a9430(org/DS): getaddresses
09-Apr-2014 09:41:28.311 ;; fctx 0x1115a9430(org/DS): query
09-Apr-2014 09:41:28.311 ;; resquery 0x1115af000 (fctx 0x1115a9430(org/DS)):
send
09-Apr-2014 09:41:28.311 ;; resquery 0x1115af000 (fctx 0x1115a9430(org/DS)):
sent
09-Apr-2014 09:41:28.311 ;; resquery 0x1115af000 (fctx 0x1115a9430(org/DS)):
senddone
09-Apr-2014 09:41:28.311 ;; resquery 0x1115af000 (fctx 0x1115a9430(org/DS)):
response
09-Apr-2014 09:41:28.311 ;; received packet:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33728
;; flags: qr rd ra ad; QUESTION: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; SIT: 2d8cf3496b58375c3ca580375344892853012c63813507b5
;; QUESTION SECTION:
;org. IN DS
;; ANSWER SECTION:
;org. 5504 IN DS 21366 7 1 (
; E6C1716CFB6BDC84E84CE1AB5510
; DAC69173B5B2 )
;org. 5504 IN DS 21366 7 2 (
; 96EEB2FFD9B00CD4694E78278B5E
; FDAB0A80446567B69F634DA078F0
; D90F01BA )
;org. 5504 IN RRSIG DS 8 1 86400 (
; 20140414000000 20140406230000
40926 .
; hfVkPJGvRpXmvforixrVo77PO1/W
; Ipaa4cnp/XPrwk9csyo64zAWaCZL
; +kt5jBCSDlAfpX6cDASN4ueGXajm
; q8nVyrCT5QvuyHgWJQG0CjtcFgtC
; DxnWQHAaHdq9IwsuRYCAutjJo9yQ
; G8PdlUlTZWE8Rzn9UmRlw6KE212y
; CgI= )
09-Apr-2014 09:41:28.311 ;; fctx 0x1115a9430(org/DS): answer_response
09-Apr-2014 09:41:28.311 ;; log_ns_ttl: fctx 0x1115a9430: answer_response: org
(in '.'?): 0 0
09-Apr-2014 09:41:28.311 ;; fctx 0x1115a9430(org/DS): cache_message
09-Apr-2014 09:41:28.311 ;; fctx 0x1115a9430(org/DS): cancelquery
09-Apr-2014 09:41:28.311 ;; fctx 0x1115a9430(org/DS): wait for validator
09-Apr-2014 09:41:28.311 ;; fctx 0x1115a9430(org/DS): cancelqueries
09-Apr-2014 09:41:28.311 ;; validating org/DS: starting
09-Apr-2014 09:41:28.311 ;; validating org/DS: attempting positive response
validation
09-Apr-2014 09:41:28.311 ;; validating org/DS: get_key: creating fetch for .
DNSKEY
09-Apr-2014 09:41:28.311 ;; fetch: ./DNSKEY
09-Apr-2014 09:41:28.311 ;; fctx 0x1115e9000(./DNSKEY): create
09-Apr-2014 09:41:28.311 ;; log_ns_ttl: fctx 0x1115e9000: fctx_create: . (in
'.'?): 0 0
09-Apr-2014 09:41:28.311 ;; fctx 0x1115e9000(./DNSKEY): join
09-Apr-2014 09:41:28.311 ;; fetch 0x11075a1b0 (fctx 0x1115e9000(./DNSKEY)):
created
09-Apr-2014 09:41:28.311 ;; fctx 0x1115e9000(./DNSKEY): start
09-Apr-2014 09:41:28.311 ;; fctx 0x1115e9000(./DNSKEY): try
09-Apr-2014 09:41:28.311 ;; fctx 0x1115e9000(./DNSKEY): cancelqueries
09-Apr-2014 09:41:28.311 ;; fctx 0x1115e9000(./DNSKEY): getaddresses
09-Apr-2014 09:41:28.311 ;; fctx 0x1115e9000(./DNSKEY): query
09-Apr-2014 09:41:28.311 ;; resquery 0x1115ef000 (fctx 0x1115e9000(./DNSKEY)):
send
09-Apr-2014 09:41:28.311 ;; resquery 0x1115ef000 (fctx 0x1115e9000(./DNSKEY)):
sent
09-Apr-2014 09:41:28.311 ;; resquery 0x1115ef000 (fctx 0x1115e9000(./DNSKEY)):
senddone
09-Apr-2014 09:41:28.312 ;; resquery 0x1115ef000 (fctx 0x1115e9000(./DNSKEY)):
response
09-Apr-2014 09:41:28.312 ;; received packet:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62200
;; flags: qr rd ra ad; QUESTION: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; SIT: 2d8cf3496b58375cd01f4d7f5344892884b20fcd0bb5cd1e
;; QUESTION SECTION:
;. IN DNSKEY
;; ANSWER SECTION:
;. 91894 IN DNSKEY 256 3 8 (
; AwEAAb8sU6pbYMWRbkRnEuEZw9NS
; ir707TkOcF+UL1XiK4NDJOvXRyX1
; 95Am5dQ7bRnnuySZ3daf37vvjUUh
; uIWUAQ4stht8nJfYxVQXDYjSpGH5
; I6Hf/0CZEoNP6cNvrQ7AFmKkmv00
; xWExKQjbvnRPI4bqpMwtHVzn6Wyb
; BZ6kuqED
; ) ; ZSK; alg = RSASHA256; key
id = 33655
;. 91894 IN DNSKEY 257 3 8 (
; AwEAAagAIKlVZrpC6Ia7gEzahOR+
; 9W29euxhJhVVLOyQbSEW0O8gcCjF
; FVQUTf6v58fLjwBd0YI0EzrAcQqB
; GCzh/RStIoO8g0NfnfL2MTJRkxoX
; bfDaUeVPQuYEhg37NZWAJQ9VnMVD
; xP/VHL496M/QZxkjf5/Efucp2gaD
; X6RS6CXpoY68LsvPVjR0ZSwzz1ap
; AzvN9dlzEheX7ICJBBtuA6G3LQpz
; W5hOA2hzCTMjJPJ8LbqF6dsV6DoB
; Qzgul0sGIcGOYl7OyQdXfZ57relS
; Qageu+ipAdTTJ25AsRTAoub8ONGc
; LmqrAmRLKBP1dfwhYB4N7knNnulq
; QxA+Uk1ihz0=
; ) ; KSK; alg = RSASHA256; key
id = 19036
;. 91894 IN DNSKEY 256 3 8 (
; AwEAAZvJd8ORk+jmZ41QMYbQ1XCp
; f60l6YJuHtnxn0VSh5a5vqwEjTST
; 3/PZ4xhUFu2YcTfRNWxs9WTiGZl3
; MY/UlBIvzpLhKgKnf9Vk8sEU3q0n
; mOGFgE6jTi/cU95ATU/2dTQovMDv
; 9XyWvrmj8KIG2brj6mF4S8GTae6G
; 2GwbMF5v
; ) ; ZSK; alg = RSASHA256; key
id = 40926
;. 91894 IN RRSIG DNSKEY 8 0 172800 (
; 20140415235959 20140401000000
19036 .
; PttXGhd/RiRQDhz9002k/gYVU2c2
; +YjuW+xv2jczlIuLacXET3ZExT3X
; kZCTtXiveS+vJtYQPVPCUXZcYb+4
; VjovysRQ1BedFYrRC/n9scSgm1UO
; zxDXRKk7tvBgHiyTwONNvogw/SBJ
; YJ/z9n5cpCY2taEvy5aL2h+vrnwH
; 7WvVT8NR4VJ/ZKJ4GdSxyrEiESm2
; +d1dUuKOd/XeZbF15XMdDPBH8Ghx
; eZY5ISbZfDSV3vISQIA1B/VF9Dq/
; 6dxoyMbdPhcpvly3QfzN6brVla2o
; 3FLAcDMyFmSvEcSOgtMntSm0usIs
; Z7eQiQOfejohFSbFFNcivXXwIlXF
; qgJXLA== )
09-Apr-2014 09:41:28.312 ;; fctx 0x1115e9000(./DNSKEY): answer_response
09-Apr-2014 09:41:28.312 ;; log_ns_ttl: fctx 0x1115e9000: answer_response: .
(in '.'?): 0 0
09-Apr-2014 09:41:28.312 ;; fctx 0x1115e9000(./DNSKEY): cache_message
09-Apr-2014 09:41:28.312 ;; fctx 0x1115e9000(./DNSKEY): cancelquery
09-Apr-2014 09:41:28.312 ;; fctx 0x1115e9000(./DNSKEY): wait for validator
09-Apr-2014 09:41:28.312 ;; fctx 0x1115e9000(./DNSKEY): cancelqueries
09-Apr-2014 09:41:28.312 ;; validating ./DNSKEY: starting
09-Apr-2014 09:41:28.312 ;; validating ./DNSKEY: attempting positive response
validation
09-Apr-2014 09:41:28.312 ;; validating ./DNSKEY: verify rdataset (keyid=19036):
success
09-Apr-2014 09:41:28.312 ;; validating ./DNSKEY: signed by trusted key; marking
as secure
09-Apr-2014 09:41:28.312 ;; fctx 0x1115e9000(./DNSKEY): received validation
completion event
09-Apr-2014 09:41:28.312 ;; validator @0x7f818409a000: dns_validator_destroy
09-Apr-2014 09:41:28.312 ;; fctx 0x1115e9000(./DNSKEY): validation OK
09-Apr-2014 09:41:28.312 ;; fctx 0x1115e9000(./DNSKEY): clone_results
09-Apr-2014 09:41:28.312 ;; fctx 0x1115e9000(./DNSKEY): done
09-Apr-2014 09:41:28.312 ;; fctx 0x1115e9000(./DNSKEY): stopeverything
09-Apr-2014 09:41:28.312 ;; fctx 0x1115e9000(./DNSKEY): cancelqueries
09-Apr-2014 09:41:28.312 ;; fctx 0x1115e9000(./DNSKEY): sendevents
09-Apr-2014 09:41:28.312 ;; validating org/DS: in fetch_callback_validator
09-Apr-2014 09:41:28.312 ;; validating org/DS: keyset with trust secure
09-Apr-2014 09:41:28.312 ;; validating org/DS: resuming validate
09-Apr-2014 09:41:28.312 ;; validating org/DS: verify rdataset (keyid=40926):
success
09-Apr-2014 09:41:28.312 ;; validating org/DS: marking as secure, noqname proof
not needed
09-Apr-2014 09:41:28.312 ;; fetch 0x11075a1b0 (fctx 0x1115e9000(./DNSKEY)):
destroyfetch
09-Apr-2014 09:41:28.312 ;; fctx 0x1115e9000(./DNSKEY): shutdown
09-Apr-2014 09:41:28.312 ;; fctx 0x1115a9430(org/DS): received validation
completion event
09-Apr-2014 09:41:28.312 ;; validator @0x7f8186000000: dns_validator_destroy
09-Apr-2014 09:41:28.312 ;; fctx 0x1115a9430(org/DS): validation OK
09-Apr-2014 09:41:28.312 ;; fctx 0x1115a9430(org/DS): clone_results
09-Apr-2014 09:41:28.312 ;; fctx 0x1115a9430(org/DS): done
09-Apr-2014 09:41:28.312 ;; fctx 0x1115a9430(org/DS): stopeverything
09-Apr-2014 09:41:28.312 ;; fctx 0x1115a9430(org/DS): cancelqueries
09-Apr-2014 09:41:28.312 ;; fctx 0x1115a9430(org/DS): sendevents
09-Apr-2014 09:41:28.312 ;; validating org/DNSKEY: in dsfetched
09-Apr-2014 09:41:28.312 ;; validating org/DNSKEY: dsset with trust secure
09-Apr-2014 09:41:28.312 ;; validating org/DNSKEY: verify rdataset
(keyid=21366): success
09-Apr-2014 09:41:28.312 ;; validating org/DNSKEY: marking as secure (DS)
09-Apr-2014 09:41:28.312 ;; fetch 0x11075a198 (fctx 0x1115a9430(org/DS)):
destroyfetch
09-Apr-2014 09:41:28.312 ;; fctx 0x1115a9430(org/DS): shutdown
09-Apr-2014 09:41:28.312 ;; fctx 0x1115a9000(org/DNSKEY): received validation
completion event
09-Apr-2014 09:41:28.312 ;; validator @0x7f8185800000: dns_validator_destroy
09-Apr-2014 09:41:28.312 ;; fctx 0x1115a9000(org/DNSKEY): validation OK
09-Apr-2014 09:41:28.312 ;; fctx 0x1115a9000(org/DNSKEY): clone_results
09-Apr-2014 09:41:28.312 ;; fctx 0x1115a9000(org/DNSKEY): done
09-Apr-2014 09:41:28.312 ;; fctx 0x1115a9000(org/DNSKEY): stopeverything
09-Apr-2014 09:41:28.312 ;; fctx 0x1115a9000(org/DNSKEY): cancelqueries
09-Apr-2014 09:41:28.312 ;; fctx 0x1115a9000(org/DNSKEY): sendevents
09-Apr-2014 09:41:28.312 ;; fctx 0x1115a9430(org/DS): doshutdown
09-Apr-2014 09:41:28.312 ;; fctx 0x1115a9430(org/DS): stopeverything
09-Apr-2014 09:41:28.312 ;; fctx 0x1115a9430(org/DS): cancelqueries
09-Apr-2014 09:41:28.312 ;; fctx 0x1115a9430(org/DS): unlink
09-Apr-2014 09:41:28.312 ;; fctx 0x1115a9430(org/DS): destroy
09-Apr-2014 09:41:28.312 ;; fctx 0x1115e9000(./DNSKEY): doshutdown
09-Apr-2014 09:41:28.312 ;; fctx 0x1115e9000(./DNSKEY): stopeverything
09-Apr-2014 09:41:28.312 ;; fctx 0x1115e9000(./DNSKEY): cancelqueries
09-Apr-2014 09:41:28.312 ;; fctx 0x1115e9000(./DNSKEY): unlink
09-Apr-2014 09:41:28.312 ;; fctx 0x1115e9000(./DNSKEY): destroy
09-Apr-2014 09:41:28.312 ;; validating isc.org/DS: in fetch_callback_validator
09-Apr-2014 09:41:28.312 ;; validating isc.org/DS: keyset with trust secure
09-Apr-2014 09:41:28.312 ;; validating isc.org/DS: resuming validate
09-Apr-2014 09:41:28.313 ;; validating isc.org/DS: verify rdataset
(keyid=28794): success
09-Apr-2014 09:41:28.313 ;; validating isc.org/DS: marking as secure, noqname
proof not needed
09-Apr-2014 09:41:28.313 ;; fetch 0x11075a180 (fctx 0x1115a9000(org/DNSKEY)):
destroyfetch
09-Apr-2014 09:41:28.313 ;; fctx 0x1115a9000(org/DNSKEY): shutdown
09-Apr-2014 09:41:28.313 ;; fctx 0x111569430(isc.org/DS): received validation
completion event
09-Apr-2014 09:41:28.313 ;; validator @0x7f8185000000: dns_validator_destroy
09-Apr-2014 09:41:28.313 ;; fctx 0x111569430(isc.org/DS): validation OK
09-Apr-2014 09:41:28.313 ;; fctx 0x111569430(isc.org/DS): clone_results
09-Apr-2014 09:41:28.313 ;; fctx 0x111569430(isc.org/DS): done
09-Apr-2014 09:41:28.313 ;; fctx 0x111569430(isc.org/DS): stopeverything
09-Apr-2014 09:41:28.313 ;; fctx 0x111569430(isc.org/DS): cancelqueries
09-Apr-2014 09:41:28.313 ;; fctx 0x111569430(isc.org/DS): sendevents
09-Apr-2014 09:41:28.313 ;; validating isc.org/DNSKEY: in dsfetched
09-Apr-2014 09:41:28.313 ;; validating isc.org/DNSKEY: dsset with trust secure
09-Apr-2014 09:41:28.313 ;; validating isc.org/DNSKEY: verify rdataset
(keyid=12892): success
09-Apr-2014 09:41:28.313 ;; validating isc.org/DNSKEY: marking as secure (DS)
09-Apr-2014 09:41:28.313 ;; fetch 0x11075a168 (fctx 0x111569430(isc.org/DS)):
destroyfetch
09-Apr-2014 09:41:28.313 ;; fctx 0x111569430(isc.org/DS): shutdown
09-Apr-2014 09:41:28.313 ;; fctx 0x111569000(isc.org/DNSKEY): received
validation completion event
09-Apr-2014 09:41:28.313 ;; validator @0x7f818399fc00: dns_validator_destroy
09-Apr-2014 09:41:28.313 ;; fctx 0x111569000(isc.org/DNSKEY): validation OK
09-Apr-2014 09:41:28.313 ;; fctx 0x111569000(isc.org/DNSKEY): clone_results
09-Apr-2014 09:41:28.313 ;; fctx 0x111569000(isc.org/DNSKEY): done
09-Apr-2014 09:41:28.313 ;; fctx 0x111569000(isc.org/DNSKEY): stopeverything
09-Apr-2014 09:41:28.313 ;; fctx 0x111569000(isc.org/DNSKEY): cancelqueries
09-Apr-2014 09:41:28.313 ;; fctx 0x111569000(isc.org/DNSKEY): sendevents
09-Apr-2014 09:41:28.313 ;; fctx 0x111569430(isc.org/DS): doshutdown
09-Apr-2014 09:41:28.313 ;; fctx 0x111569430(isc.org/DS): stopeverything
09-Apr-2014 09:41:28.313 ;; fctx 0x111569430(isc.org/DS): cancelqueries
09-Apr-2014 09:41:28.313 ;; fctx 0x111569430(isc.org/DS): unlink
09-Apr-2014 09:41:28.313 ;; fctx 0x111569430(isc.org/DS): destroy
09-Apr-2014 09:41:28.313 ;; fctx 0x1115a9000(org/DNSKEY): doshutdown
09-Apr-2014 09:41:28.313 ;; fctx 0x1115a9000(org/DNSKEY): stopeverything
09-Apr-2014 09:41:28.313 ;; fctx 0x1115a9000(org/DNSKEY): cancelqueries
09-Apr-2014 09:41:28.313 ;; fctx 0x1115a9000(org/DNSKEY): unlink
09-Apr-2014 09:41:28.313 ;; fctx 0x1115a9000(org/DNSKEY): destroy
09-Apr-2014 09:41:28.313 ;; validating Dv.isc.org/DS: in
fetch_callback_validator
09-Apr-2014 09:41:28.313 ;; validating Dv.isc.org/DS: keyset with trust secure
09-Apr-2014 09:41:28.313 ;; validating Dv.isc.org/DS: resuming validate
09-Apr-2014 09:41:28.313 ;; validating Dv.isc.org/DS: verify rdataset
(keyid=4521): success
09-Apr-2014 09:41:28.313 ;; validating Dv.isc.org/DS: marking as secure,
noqname proof not needed
09-Apr-2014 09:41:28.313 ;; fetch 0x11075a150 (fctx
0x111569000(isc.org/DNSKEY)): destroyfetch
09-Apr-2014 09:41:28.313 ;; fctx 0x111569000(isc.org/DNSKEY): shutdown
09-Apr-2014 09:41:28.313 ;; fctx 0x111529860(Dv.isc.org/DS): received
validation completion event
09-Apr-2014 09:41:28.313 ;; validator @0x7f8184021800: dns_validator_destroy
09-Apr-2014 09:41:28.313 ;; fctx 0x111529860(Dv.isc.org/DS): validation OK
09-Apr-2014 09:41:28.313 ;; fctx 0x111529860(Dv.isc.org/DS): clone_results
09-Apr-2014 09:41:28.313 ;; fctx 0x111529860(Dv.isc.org/DS): done
09-Apr-2014 09:41:28.313 ;; fctx 0x111529860(Dv.isc.org/DS): stopeverything
09-Apr-2014 09:41:28.313 ;; fctx 0x111529860(Dv.isc.org/DS): cancelqueries
09-Apr-2014 09:41:28.313 ;; fctx 0x111529860(Dv.isc.org/DS): sendevents
09-Apr-2014 09:41:28.313 ;; validating Dv.isc.org/DNSKEY: in dsfetched
09-Apr-2014 09:41:28.313 ;; validating Dv.isc.org/DNSKEY: dsset with trust
secure
09-Apr-2014 09:41:28.313 ;; validating Dv.isc.org/DNSKEY: verify rdataset
(keyid=10288): success
09-Apr-2014 09:41:28.313 ;; validating Dv.isc.org/DNSKEY: marking as secure (DS)
09-Apr-2014 09:41:28.313 ;; fetch 0x11075a138 (fctx
0x111529860(Dv.isc.org/DS)): destroyfetch
09-Apr-2014 09:41:28.313 ;; fctx 0x111529860(Dv.isc.org/DS): shutdown
09-Apr-2014 09:41:28.313 ;; fctx 0x111529430(dv.isc.org/DNSKEY): received
validation completion event
09-Apr-2014 09:41:28.313 ;; validator @0x7f818399ee00: dns_validator_destroy
09-Apr-2014 09:41:28.313 ;; fctx 0x111529430(dv.isc.org/DNSKEY): validation OK
09-Apr-2014 09:41:28.313 ;; fctx 0x111529430(dv.isc.org/DNSKEY): clone_results
09-Apr-2014 09:41:28.313 ;; fctx 0x111529430(dv.isc.org/DNSKEY): done
09-Apr-2014 09:41:28.313 ;; fctx 0x111529430(dv.isc.org/DNSKEY): stopeverything
09-Apr-2014 09:41:28.313 ;; fctx 0x111529430(dv.isc.org/DNSKEY): cancelqueries
09-Apr-2014 09:41:28.313 ;; fctx 0x111529430(dv.isc.org/DNSKEY): sendevents
09-Apr-2014 09:41:28.313 ;; fctx 0x111529860(Dv.isc.org/DS): doshutdown
09-Apr-2014 09:41:28.313 ;; fctx 0x111529860(Dv.isc.org/DS): stopeverything
09-Apr-2014 09:41:28.313 ;; fctx 0x111529860(Dv.isc.org/DS): cancelqueries
09-Apr-2014 09:41:28.313 ;; fctx 0x111529860(Dv.isc.org/DS): unlink
09-Apr-2014 09:41:28.313 ;; fctx 0x111529860(Dv.isc.org/DS): destroy
09-Apr-2014 09:41:28.313 ;; fctx 0x111569000(isc.org/DNSKEY): doshutdown
09-Apr-2014 09:41:28.313 ;; fctx 0x111569000(isc.org/DNSKEY): stopeverything
09-Apr-2014 09:41:28.313 ;; fctx 0x111569000(isc.org/DNSKEY): cancelqueries
09-Apr-2014 09:41:28.313 ;; fctx 0x111569000(isc.org/DNSKEY): unlink
09-Apr-2014 09:41:28.313 ;; fctx 0x111569000(isc.org/DNSKEY): destroy
09-Apr-2014 09:41:28.313 ;; validating Dv.isc.org/SOA: in
fetch_callback_validator
09-Apr-2014 09:41:28.313 ;; validating Dv.isc.org/SOA: keyset with trust secure
09-Apr-2014 09:41:28.313 ;; validating Dv.isc.org/SOA: resuming validate
09-Apr-2014 09:41:28.313 ;; validating Dv.isc.org/SOA: verify rdataset
(keyid=14436): success
09-Apr-2014 09:41:28.313 ;; validating Dv.isc.org/SOA: marking as secure,
noqname proof not needed
09-Apr-2014 09:41:28.313 ;; fetch 0x11075a120 (fctx
0x111529430(dv.isc.org/DNSKEY)): destroyfetch
09-Apr-2014 09:41:28.313 ;; fctx 0x111529430(dv.isc.org/DNSKEY): shutdown
09-Apr-2014 09:41:28.313 ;; fctx 0x111529000(dv.isc.org/SOA): received
validation completion event
09-Apr-2014 09:41:28.313 ;; validator @0x7f8184020a00: dns_validator_destroy
09-Apr-2014 09:41:28.313 ;; fctx 0x111529000(dv.isc.org/SOA): validation OK
09-Apr-2014 09:41:28.313 ;; fctx 0x111529000(dv.isc.org/SOA): clone_results
09-Apr-2014 09:41:28.313 ;; fctx 0x111529000(dv.isc.org/SOA): done
09-Apr-2014 09:41:28.313 ;; fctx 0x111529000(dv.isc.org/SOA): stopeverything
09-Apr-2014 09:41:28.313 ;; fctx 0x111529000(dv.isc.org/SOA): cancelqueries
09-Apr-2014 09:41:28.313 ;; fctx 0x111529000(dv.isc.org/SOA): sendevents
09-Apr-2014 09:41:28.313 ;; fctx 0x111529430(dv.isc.org/DNSKEY): doshutdown
09-Apr-2014 09:41:28.313 ;; fctx 0x111529430(dv.isc.org/DNSKEY): stopeverything
09-Apr-2014 09:41:28.313 ;; fctx 0x111529430(dv.isc.org/DNSKEY): cancelqueries
09-Apr-2014 09:41:28.313 ;; fctx 0x111529430(dv.isc.org/DNSKEY): unlink
09-Apr-2014 09:41:28.313 ;; fctx 0x111529430(dv.isc.org/DNSKEY): destroy
09-Apr-2014 09:41:28.313 ;; fetch 0x11075a0a8 (fctx
0x111529000(dv.isc.org/SOA)): destroyfetch
09-Apr-2014 09:41:28.313 ;; fctx 0x111529000(dv.isc.org/SOA): shutdown
09-Apr-2014 09:41:28.313 ;; fctx 0x111529000(dv.isc.org/SOA): doshutdown
09-Apr-2014 09:41:28.313 ;; fctx 0x111529000(dv.isc.org/SOA): stopeverything
09-Apr-2014 09:41:28.313 ;; fctx 0x111529000(dv.isc.org/SOA): cancelqueries
09-Apr-2014 09:41:28.313 ;; fctx 0x111529000(dv.isc.org/SOA): unlink
09-Apr-2014 09:41:28.313 ;; fctx 0x111529000(dv.isc.org/SOA): destroy
09-Apr-2014 09:41:28.313 ;; res 0x11076f000: shutdown
09-Apr-2014 09:41:28.313 ;; res 0x11076f000: exiting
09-Apr-2014 09:41:28.320 ;; dns_requestmgr_shutdown: 0x110774000
09-Apr-2014 09:41:28.320 ;; send_shutdown_events: 0x110774000
09-Apr-2014 09:41:28.320 ;; res 0x11076f000: detach
09-Apr-2014 09:41:28.321 ;; res 0x11076f000: destroy
09-Apr-2014 09:41:28.321 ;; dns_requestmgr_detach: 0x110774000: eref 0 iref 0
09-Apr-2014 09:41:28.321 ;; mgr_destroy
09-Apr-2014 09:41:28.321 ;; calling free_rbtdb(.)
09-Apr-2014 09:41:28.321 ;; done free_rbtdb(.)
; fully validated
dv.isc.org. 3532 IN SOA bsdi.dv.isc.org. marka.isc.org.
2007111528 86400 21600 2419200 86400
dv.isc.org. 3532 IN RRSIG SOA 5 3 3600 20140606234902
20140407224902 14436 dv.isc.org.
i8fBym000/fiC3XrQ1B0spgppClOyQfdQiPq3p2228bSYR86NzxOqpUL
2YBya9120KctdiLBOpeUEIf285TzxA==
> The intersection of the position Wes takes and mine is some sort
> of 'assured' AD bit, which I am not opposed to in principle, provided
> this is in fact a reasonable plan of action.
>
> So for example, extending libresolv to match long-established BSD
> semantics to improve thread safety and provide more application
> control would suffice, res_ninit(), res_setservers(), ... plus
> ideally the ability to set the "AD" bit in the request (rather than
> "DO", reducing the quantity of unnecessary bloat in the reply).
>
> That way applications that want a local resolver can be configured
> to use one, and can make appropriate fallback decisions if one is
> not available.
>
> As for *censoring* the AD bit, that approach is likely more
> problematic and I think is where Paul Wouters and Petr part ways...
>
> So please make it possible in all the various DNS APIs (that don't
> already do this) for the stub resolver to override the default
> nameserver list (static or insecurely obtained from DHCP). Give
> the stub resolver more control over the "AD" and "DO" bits, and
> think long and hard about whether censoring is a viable approach;
> it may well be a bad idea.
>
> --
> Viktor.
>
> _______________________________________________
> dane mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dane
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [email protected]
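The two request signals discussed in the quoted text, AD=1 in the query header versus the EDNS DO bit, shown at wire level together with a check that only accepts the returned AD bit from a loopback resolver. This is an added example, not part of the original thread and not libresolv or BIND code; the function names, the loopback-only policy and the sample response bytes are assumptions made for illustration.

```python
import ipaddress
import struct

QR, RD, RA, AD = 0x8000, 0x0100, 0x0080, 0x0020  # DNS header flag bits
DO = 0x8000          # EDNS flag bit, carried in the OPT record's TTL field
TYPE_OPT = 41

def build_query(qname, qtype, txid, want_ad=False, want_do=False):
    """Wire-format query. want_ad sets AD=1 in the header (asks for the AD
    bit back without signatures); want_do appends an OPT RR with DO=1
    (asks for the RRSIGs themselves, which makes the reply larger)."""
    flags = RD | (AD if want_ad else 0)
    header = struct.pack("!6H", txid, flags, 1, 0, 0, 1 if want_do else 0)
    labels = [l for l in qname.rstrip(".").split(".") if l]
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = name + struct.pack("!2H", qtype, 1)  # class IN
    opt = b""
    if want_do:
        # root owner name, TYPE=OPT, CLASS=UDP payload size,
        # TTL=ext-rcode|version|flags, RDLEN=0
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, DO, 0)
    return header + question + opt

def response_ad(wire):
    """True when the AD bit is set in a response header."""
    if len(wire) < 12:
        raise ValueError("truncated DNS header")
    _, flags = struct.unpack("!2H", wire[:4])
    if not flags & QR:
        raise ValueError("not a response (QR=0)")
    return bool(flags & AD)

def ad_is_assured(resolver_ip, wire):
    """Assumed policy: honour AD only when the answer came from a loopback
    resolver; from any other address the bit is an unauthenticated claim."""
    return ipaddress.ip_address(resolver_ip).is_loopback and response_ad(wire)

# Constructed response header: QR=1, RD=1, RA=1, AD=1, NOERROR, no records.
SAMPLE_RESPONSE = struct.pack("!6H", 0x1234, QR | RD | RA | AD, 0, 0, 0, 0)
```

The loopback check only says where the answer came from; it does not show that the resolver at that address actually validates, which is the residual trust question raised earlier in the thread.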