Re: dig +sigchase looping

2014-02-25 Thread Evan Hunt
On Tue, Feb 25, 2014 at 08:57:08AM +1100, Mark Andrews wrote:
> SIGCHASE is an external contribution that is provided "as is" to dig.
> The reason that you have to explicitly define it is that ISC hasn't
> fully gone through the code to find bugs like this in it and it
> basically needs a full re-write.  That said it does mostly work and
> is better than nothing.

...but it might not be better than the new "delve" tool (backronym:
"domain entity lookup and validation engine"), which shipped today in
BIND 9.10.0b1.

Delve has command line semantics similar to dig, but uses the same
resolver and validator logic that named does, to perform a DNS lookup
and validate it.  The +vtrace option turns on validator logging, +rtrace
reports each record fetched, and +mtrace prints all messages exchanged
with the name server in full.

It does *not* (or anyway not yet) do full iterative resolution from the
root, but it will send all the needed queries to the local name server
to resolve and validate a name, including following CNAMEs and fetching
DNSKEY and DS records to establish a chain of trust.

My hope is that people will find they don't need dig +sigchase anymore,
and we can deprecate it in a future release. If you have a use case for
dig +sigchase that delve doesn't accommodate, please let me know so I
can try to address it.

Examples:

  Valid signed response:

$ delve isc.org
; fully validated
isc.org.60  IN  2001:4f8:0:2::69
isc.org.60  IN  RRSIG    5 2 60 20140326233255
20140224233255 4521 isc.org.
DP8IFXWtADmptzScrFj+Pt425PX/cfpGiNnzjIZtoMfI5ueq1sFfV0UX
PwGPD1PGbrUj/s/w9uh7XgfNpFr8xZujb4JwN+1xOeWcA+58oRIlTjoV
OqVdLa9i/eMyl8sj0wMfy76Olasa1RfbzJJmY1Sp90uImfNrzd136hw0 Hac=
isc.org.60  IN  RRSIG    5 2 60 20140326233255
20140224233255 50012 isc.org.
ibMtXAh67O7kbq3+bTkJt/sO8q1rmQBfRgvSLK0Dx8GcryfIBS6VshFn
qirzgRVmenlITdf9KFWA2qPT6Tfh+4XQFFfwxiNhs5Pi1XlK0oft1LVc
shyHJdMAa+Ap2VGg61Sch3ckUjUXjNqIf4IhRGXrRRsU/dalkBJk4YCk Thk=

  Legitimate unsigned response:

$ delve unsigned.com
; unsigned answer
unsigned.com.   87600   IN  A   204.14.120.250

  Valid NXDOMAIN from a signed zone:

$ delve nonexistent.example.org
;; resolution failed: ncache nxdomain
; negative response, fully validated
; nonexistent.example.org. 3600 IN  \-ANY   ;-$NXDOMAIN
; example.org. SOA sns.dns.icann.org. noc.dns.icann.org. 2013103114 7200
3600 1209600 3600
; example.org. RRSIG SOA ...
; example.org. RRSIG NSEC ...
; example.org. NSEC www.example.org. A NS SOA TXT  RRSIG NSEC DNSKEY

  Invalid response:

$ delve www.dnssec-failed.org
;; validating dnssec-failed.org/DNSKEY: no valid signature found (DS)
;; no valid RRSIG resolving 'dnssec-failed.org/DNSKEY/IN': 127.0.1.1#53
;; broken trust chain resolving 'www.dnssec-failed.org/A/IN': 127.0.1.1#53
;; resolution failed: broken trust chain

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: dig +sigchase looping

2014-02-24 Thread Mark Andrews

SIGCHASE is an external contribution that is provided "as is" to dig.
The reason that you have to explicitly define it is that ISC hasn't
fully gone through the code to find bugs like this in it and it
basically needs a full re-write.  That said it does mostly work and
is better than nothing.

This will be two loops over the same rdataset content using the
same rdataset structure resulting in the inner loop affecting the
outer loop.  The fix will be to clone that rdataset before looping
over it a second time.  Finding it won't be so easy as there are a
mixture of local and global references to rdatasets.  The first
step will probably be to find and fix all the instances of code like:

    dns_rdataset_first(rdataset);
    do {
        /* iteration started on rdataset but advanced on global_rdataset */
    } while (dns_rdataset_next(global_rdataset) == ISC_R_SUCCESS);

Then to use local clones of rdataset so inner loops don't affect
outer loops making sure to disassociate before returning.

    dns_rdataset_t myrdataset;

    dns_rdataset_init(&myrdataset);
    dns_rdataset_clone(rdataset, &myrdataset);   /* private copy for this loop */
    rdataset = &myrdataset;

    dns_rdataset_first(rdataset);
    do {
        ...
        if (...) {
            dns_rdataset_disassociate(rdataset);  /* release the clone on early return */
            return (...);
        }
    } while (dns_rdataset_next(rdataset) == ISC_R_SUCCESS);

    dns_rdataset_disassociate(rdataset);

Mark

In message , Raymond Drew Walker writes:
> 
> I have verified that this also happens intermittently with dig in BIND 9.9.5
> built/configured with:
> 
> STD_CDEFINES="-DDIG_SIGCHASE=1"
> export STD_CDEFINES
> ./configure --enable-threads --enable-largefile
> —
> Raymond Walker
> Software Systems Engineer StSp.
> ITS - Northern Arizona University
> 
> From: Ray Walker mailto:ray.wal...@nau.edu>>
> Date: Friday, February 21, 2014 at 4:28 PM
> To: "bind-users@lists.isc.org"  @lists.isc.org>
> Subject: dig +sigchase looping
> 
> I’m experiencing an interesting issue where sometimes when performing a
> sigchase on a valid signed zone the command loops indefinitely when an expired
> RRSIG exists:
> 
> Live example:
> dig +sigchase +trusted-key=./trusted.keys aa.nau.edu A
> 
> Notes:
> There is currently a valid RRSIG for this zone.
> dig compiled with -DDIG_SIGCHASE=1
> BIND 9.9.4
> 
> Roughly 50% of the time it returns as expected, while other times looping in
> such a fashion:
> 
> ;; OK a DS valids a DNSKEY in the RRset
> ;; Now verify that this DNSKEY validates the DNSKEY RRset
> ;; VERIFYING DNSKEY RRset for aa.nau.edu. with DNSKEY:25159: RRSIG has expired
> ;; OK a DS valids a DNSKEY in the RRset
> ;; Now verify that this DNSKEY validates the DNSKEY RRset
> ;; VERIFYING DNSKEY RRset for aa.nau.edu. with DNSKEY:25159: RRSIG has expired
> ;; OK a DS valids a DNSKEY in the RRset
> ;; Now verify that this DNSKEY validates the DNSKEY RRset
> ;; VERIFYING DNSKEY RRset for aa.nau.edu. with DNSKEY:25159: RRSIG has expired
> ;; OK a DS valids a DNSKEY in the RRset
> ;; Now verify that this DNSKEY validates the DNSKEY RRset
> ;; VERIFYING DNSKEY RRset for aa.nau.edu. with DNSKEY:25159: RRSIG has expired
> ;; OK a DS valids a DNSKEY in the RRset
> ;; Now verify that this DNSKEY validates the DNSKEY RRset
> ;; VERIFYING DNSKEY RRset for aa.nau.edu. with DNSKEY:25159: RRSIG has expired
> ;; OK a DS valids a DNSKEY in the RRset
> ;; Now verify that this DNSKEY validates the DNSKEY RRset
> ;; VERIFYING DNSKEY RRset for aa.nau.edu. with DNSKEY:25159: RRSIG has expired
> 
> Any particular reason this should be expected or is it bug worthy (or fixed
> in 9.9.5, as I didn’t see anything in the change log referring to it)?
> —
> Raymond Walker
> Software Systems Engineer StSp.
> ITS - Northern Arizona University
> 
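
The aliasing Mark describes above (an inner loop walking the same rdataset structure as the outer loop, so the inner loop's cursor movement drives the outer loop) and the clone/disassociate fix, as an added example in C that is not from this thread or from BIND's own sources: it uses a toy rdataset_t with the cursor stored inside the structure, standing in for dns_rdataset_t, plus a constructed three-key sample, and caps the buggy loop with GUARD so it returns instead of spinning.

```c
#include <stddef.h>
#include <string.h>
/* Toy stand-in for dns_rdataset_t (constructed for this example): the RR
 * contents are shared, but the iteration cursor lives in the structure. */
typedef struct { const char *const *rdata; size_t count; size_t cur; } rdataset_t;
enum { R_SUCCESS = 0, R_NOMORE = 1, GUARD = 100 };

static int rdataset_first(rdataset_t *rs) { rs->cur = 0; return rs->count ? R_SUCCESS : R_NOMORE; }
static int rdataset_next(rdataset_t *rs) { return ++rs->cur < rs->count ? R_SUCCESS : R_NOMORE; }
static const char *rdataset_current(const rdataset_t *rs) { return rs->rdata[rs->cur]; }
static void rdataset_init(rdataset_t *rs) { memset(rs, 0, sizeof *rs); }
static void rdataset_clone(const rdataset_t *src, rdataset_t *dst) { *dst = *src; dst->cur = 0; }
static void rdataset_disassociate(rdataset_t *rs) { rdataset_init(rs); }

/* Constructed sample: three keys; the inner search always matches the first. */
static const char *const SAMPLE[] = { "key-A", "key-B", "key-C" };

/* Buggy pattern: the inner search reuses the outer loop's structure, so its
 * rdataset_first() rewinds the outer cursor on every pass and the outer loop
 * never reaches the end. GUARD caps the passes so the demonstration returns. */
static int visit_shared(void) {
    rdataset_t rs = { SAMPLE, 3, 0 };
    int passes = 0;
    rdataset_first(&rs);
    do {
        rdataset_first(&rs);
        do {
            if (strcmp(rdataset_current(&rs), "key-A") == 0) break;
        } while (rdataset_next(&rs) == R_SUCCESS);
        if (++passes >= GUARD) return passes;
    } while (rdataset_next(&rs) == R_SUCCESS);
    return passes;
}

/* Fixed pattern from the thread: clone before the inner loop so it owns a
 * private cursor, and disassociate the clone on every exit path. */
static int visit_cloned(void) {
    rdataset_t rs = { SAMPLE, 3, 0 }, inner;
    int passes = 0;
    rdataset_first(&rs);
    do {
        rdataset_init(&inner);
        rdataset_clone(&rs, &inner);
        rdataset_first(&inner);
        do {
            if (strcmp(rdataset_current(&inner), "key-A") == 0) break;
        } while (rdataset_next(&inner) == R_SUCCESS);
        rdataset_disassociate(&inner);
        passes++;
    } while (rdataset_next(&rs) == R_SUCCESS);
    return passes; /* one pass per key: 3 */
}
```

The shared version hits GUARD because the outer cursor is reset to the first key on every pass, which is the same shape as the repeating "OK a DS valids a DNSKEY ... RRSIG has expired" output in the original report.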

Re: dig +sigchase looping

2014-02-24 Thread Raymond Drew Walker
I have verified that this also happens intermittently with dig in BIND 9.9.5 
built/configured with:

STD_CDEFINES="-DDIG_SIGCHASE=1"
export STD_CDEFINES
./configure --enable-threads --enable-largefile
—
Raymond Walker
Software Systems Engineer StSp.
ITS - Northern Arizona University

From: Ray Walker mailto:ray.wal...@nau.edu>>
Date: Friday, February 21, 2014 at 4:28 PM
To: "bind-users@lists.isc.org" 
mailto:bind-users@lists.isc.org>>
Subject: dig +sigchase looping

I’m experiencing an interesting issue where sometimes when performing a 
sigchase on a valid signed zone the command loops indefinitely when an expired 
RRSIG exists:

Live example:
dig +sigchase +trusted-key=./trusted.keys aa.nau.edu A

Notes:
There is currently a valid RRSIG for this zone.
dig compiled with -DDIG_SIGCHASE=1
BIND 9.9.4

Roughly 50% of the time it returns as expected, while other times looping in 
such a fashion:

;; OK a DS valids a DNSKEY in the RRset
;; Now verify that this DNSKEY validates the DNSKEY RRset
;; VERIFYING DNSKEY RRset for aa.nau.edu. with DNSKEY:25159: RRSIG has expired
;; OK a DS valids a DNSKEY in the RRset
;; Now verify that this DNSKEY validates the DNSKEY RRset
;; VERIFYING DNSKEY RRset for aa.nau.edu. with DNSKEY:25159: RRSIG has expired
;; OK a DS valids a DNSKEY in the RRset
;; Now verify that this DNSKEY validates the DNSKEY RRset
;; VERIFYING DNSKEY RRset for aa.nau.edu. with DNSKEY:25159: RRSIG has expired
;; OK a DS valids a DNSKEY in the RRset
;; Now verify that this DNSKEY validates the DNSKEY RRset
;; VERIFYING DNSKEY RRset for aa.nau.edu. with DNSKEY:25159: RRSIG has expired
;; OK a DS valids a DNSKEY in the RRset
;; Now verify that this DNSKEY validates the DNSKEY RRset
;; VERIFYING DNSKEY RRset for aa.nau.edu. with DNSKEY:25159: RRSIG has expired
;; OK a DS valids a DNSKEY in the RRset
;; Now verify that this DNSKEY validates the DNSKEY RRset
;; VERIFYING DNSKEY RRset for aa.nau.edu. with DNSKEY:25159: RRSIG has expired

Any particular reason this should be expected or is it bug worthy (or fixed in 
9.9.5, as I didn’t see anything in the change log referring to it)?
—
Raymond Walker
Software Systems Engineer StSp.
ITS - Northern Arizona University