Re: Anybody else having problems w/ DNSSEC and ftp.debian.org?

2011-02-06 Thread Peter Palfrader
Florian Weimer wrote on Sunday, 06 February 2011:

> > before filing a bug report I'd like to ask here, since I'd expect some
> > experts here :-)
> >
> > Using a current lenny with bind9 I can't validate (www|ftp).debian.org
> > anymore. Is anybody else experiencing this problem?
> >
> >
> > not working: 1:9.6.ESV.R3+dfsg-0+lenny1 
> 
> This has been reproduced with help from Peter Palfrader:
> 
>   
> 
> A workaround is to install the root trust anchor, too.

We have also added DLV records for www., security., and ftp., so this
bug should no longer manifest for some of the debian.org children.

Cheers,
-- 
   |  .''`.   ** Debian **
  Peter Palfrader  | : :' :  The  universal
 http://www.palfrader.org/ | `. `'  Operating System
   |   `-http://www.debian.org/


-- 
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20110206221518.gk24...@anguilla.noreply.org



Re: Anybody else having problems w/ DNSSEC and ftp.debian.org?

2011-02-06 Thread Florian Weimer
* Heiko Schlittermann:

> before filing a bug report I'd like to ask here, since I'd expect some
> experts here :-)
>
> Using a current lenny with bind9 I can't validate (www|ftp).debian.org
> anymore. Is anybody else experiencing this problem?
>
>
> not working: 1:9.6.ESV.R3+dfsg-0+lenny1 

This has been reproduced with help from Peter Palfrader:

  

A workaround is to install the root trust anchor, too.


Archive: http://lists.debian.org/87fws12dp2@mid.deneb.enyo.de
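
The workaround above, DLV plus the root trust anchor, written out as a named.conf fragment for a BIND 9.6 resolver. This is an added illustration, not configuration from the thread or from Debian's bind9 package; the key material is left as placeholders to be copied from ISC's published DLV anchor and IANA's published root anchor.

```conf
options {
    dnssec-enable yes;
    dnssec-validation yes;

    // The thread's non-working setup: lookaside validation only. Names with no
    // chain of trust from a configured anchor are looked up in the DLV registry.
    dnssec-lookaside "." trust-anchor "dlv.isc.org.";
};

trusted-keys {
    // KSK of the DLV registry (PLACEHOLDER: copy the key ISC publishes).
    "dlv.isc.org." 257 3 5 "DLV_KSK_BASE64_PLACEHOLDER";

    // The workaround: install the root zone KSK as well, so that debian.org
    // and its children validate through the normal chain from the root
    // (PLACEHOLDER: copy the key IANA publishes for the root zone).
    "." 257 3 8 "ROOT_KSK_BASE64_PLACEHOLDER";
};
```

Trust anchors configured this way are static; they have to be replaced by hand when the anchored key rolls.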



Re: Anybody else having problems w/ DNSSEC and ftp.debian.org?

2010-12-20 Thread Florian Weimer
* Heiko Schlittermann:

>> Can you show us the output from:
>> 
>>   dig +cd +dnssec ftp.debian.org DS

Same here.

>>   dig +cd +dnssec ftp.debian.org DNSKEY

DNSKEYs are the same, but then we've got this:

 ftp.debian.org.IN  DNSKEY  256 3 5 
AwEAAbKb7JLMdZbv5Ao/WndIcKiSajrEOzDggGF4JZGhkB/KD74sdZP4 
Stx47dJqUCOoA2ULnN3vtovBZbUdOkTFi2cSNuyzt6r4WnSmSi+iVtth 
4yTroUSirmT3dSQYU6Ouz6XhtqmwSL6kO94GHSg0rOYr2qDd0lu3uqs8 
gOCt+H3WHb1R+kl6yvFT1eb7cbmknQ==
 ftp.debian.org.IN  DNSKEY  256 3 5 
AwEAAd2Q5QHO6rL3wGJET0d5foLUwiEZwXpRodq7j+70fKBTL5jEl6AB 
xpnt/zUHm62u1sYyDhv/mtB0q6cUKm6EnQ03WTiUU2n656fdjtaC+71D 
2B8KYv4uVHxVya5lEaxIklGLJvSnPwClkClanrCeCf0ALqfC74nOAZzy 
sWJ4iDfIth4DX9gcRrNf7lwcShr+Vw==
 ftp.debian.org.IN  DNSKEY  257 3 5 
AwEAAanX1lSBuFPJX67wvJVJ81hkv1bV1BiqojH3pwdkxusxthvaLbGE 
bHWO4n3uY1gBhYw6ycRpyAUbjLE1NySzjpvfJY5KrLVPh1F89jyo9l16 
nlevXODge/Y5+Q0lOZhNhTDkt+c/Xvf0WfnkWZZVYY3SAZpZP5FBdkpI 
idbyXKMF63JYkYoRSC5gaURYRy6NwJrhUXTRDPPRC0sf7sw1ganNodDy 
6P7KqrWXdUOMBgFfHyQN3BmWjMRVdiY9N2+BnQ==
-ftp.debian.org.IN  RRSIG   DNSKEY 5 3 28800 20110117141747 
20101220141747 40396 ftp.debian.org. 
Ol3z3D9HUqkLIwHye/XwTYyIU3YdJ3GuPKp2RnrP3QkMPCyd6iR6gW8w 
zh2TCDVZN4NpmFLoApDWFLjavk4WO+5lksA4nseBOc9gs/pR2z41P9cN 
iLyEa5VUOWKQPcXnHDrQHiBRYTsHOoyTE7IRWwSqmkBpPvITrCisSeUT 
c8qdTa/xpmbVw49eiG+EqGOJkbQKwdeHXOpQLhmF0FyPDD9ZvHIMHS4+ 
RCF/eucWdhfp/lx+7F8HFXC7OzjC/NOY
-ftp.debian.org.IN  RRSIG   DNSKEY 5 3 28800 20110117141747 
20101220141747 9783 ftp.debian.org. 
cI/DJ/lAFVbFgxdZ/B6d7IKG3/M6Jf0EgxCCc1jc8j5u+FsdjKr3Y6Ie 
NeDNwbmu7o3tr6tTj2q1dxhESlz4aLF+GUB7apJ4PlhNO86fkq1J16ii 
Rod91FOKNAetC4T12EZEt6twYhp8QI7/upqkkJCb/44+qLTvygb1PLKr 
T+9ROlVitFEzvUakxbUCiR3N
+ftp.debian.org.IN  RRSIG   DNSKEY 5 3 28800 20110110133902 
20101213133902 40396 ftp.debian.org. 
FenuaVpG8s5hjyRdyEmcAzXA/JtGsF7V1LqZeQZJ8pwlB6gidgCAUXDW 
wGjZBzzJl48LklxrSxyZDxdtN99/7lbDFgIEsmN5MabeQz6WCP2GBFq6 
A/nQJzLpPnZTqhw5pgfqTCjEyvOEVembqrEX4nU7QzeuYON0p6Y2I49Z 
PHpurX20dxW7DoLtXjeduUF0uTFVk6ToKt4SOpWcUF3syUeoyLzza7S1 
7VaeqLdi0L0u2CE907HQZKP1m3KaFWWN
+ftp.debian.org.IN  RRSIG   DNSKEY 5 3 28800 20110110133902 
20101213133902 9783 ftp.debian.org. 
v0ug+Kxv8QeSHZg7doZQUnsbKrAnuegSGX+Nfe7BmezONMyXXnbH8TC/ 
CCw3qQBBSltEJY1ytyvicfQnCaHXDc1vDvR9e6kzjoFFJxnSpNKsZXkh 
HtTSuO9RwmwWHQocpv06AOcRL2HeNl6hQcRh+28HGq3bgWveuRASEgKD 
u9eHCuQqtSrk97ymRJzNArON

- is mine, + is yours.

Do you still see the 20101220141747 signature, or has your view since
updated to 20101213133902 or later?

Please also post the output of: dig +cd +dnssec ftp.debian.org TXT


Archive: http://lists.debian.org/87y67k6tz2@mid.deneb.enyo.de



Re: Anybody else having problems w/ DNSSEC and ftp.debian.org?

2010-12-20 Thread Heiko Schlittermann
Florian Weimer  (Sat 18 Dec 2010 21:41:43 CET):
> * Heiko Schlittermann:
> 
> > Could this somehow trigger this (unexpected) behaviour of a failing
> > validation? But why does it work for somebody (anybody?) else using this
> > version of bind? (output of the CHAOS version.bind query: "9.6-ESV-R3")
> 
> Obviously, it works for me, in quite a similar setup (consumer
> Internet from Deutsche Telekom, among other things).

Are you sure that you have the very same version of bind?

bind9:
  Installed: 1:9.6.ESV.R3+dfsg-0+lenny1
  Candidate: 1:9.6.ESV.R3+dfsg-0+lenny1
  Version table:
 *** 1:9.6.ESV.R3+dfsg-0+lenny1 0
990 http://security.debian.org lenny/updates/main Packages
100 /var/lib/dpkg/status
 1:9.6.ESV.R1+dfsg-0+lenny2 0
990 http://ftp.de.debian.org lenny/main Packages

On another newly installed machine I have the same problem, as long as I
keep the version of bind9.

-- 
Heiko




Re: Anybody else having problems w/ DNSSEC and ftp.debian.org?

2010-12-20 Thread Heiko Schlittermann
Florian Weimer  (Sat 18 Dec 2010 21:41:43 CET):
> * Heiko Schlittermann:
> 
> > Could this somehow trigger this (unexpected) behaviour of a failing
> > validation? But why does it work for somebody (anybody?) else using this
> > version of bind? (output of the CHAOS version.bind query: "9.6-ESV-R3")
> 
> Obviously, it works for me, in quite a similar setup (consumer
> Internet from Deutsche Telekom, among other things).
> 
> Can you show us the output from:
> 
>   dig +cd +dnssec ftp.debian.org DS

; <<>> DiG 9.6-ESV-R3 <<>> +cd +dnssec ftp.debian.org DS
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12843
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;ftp.debian.org.IN  DS

;; ANSWER SECTION:
ftp.debian.org. 3574IN  DS  40396 5 2 
94E9380BA08A219B09D754C922A920B7DC57FBC01D718195A4B9C3B3 EBE350EE
ftp.debian.org. 3574IN  DS  40396 5 1 
A32112A2E98C1AD75745609F9B7313B4DE95380B
ftp.debian.org. 3574IN  RRSIG   DS 7 3 3600 20110111224900 
20101214224900 42257 debian.org. 
iHNV5yTqrC8hShWErV90NwXGxQXBbWarj/7+UYpSg6NDqjX0CFXf8J21 
x1B/YvhxDkUHpPwrq/YLhvVlx4E9mCvXqklyQsmmktQT4vU72qudJoJ7 
cVCrwyUoFwWWtdvdJ1lwyjk/SXhOIHmzjexESUF/sHOT4rnrmmyhfRXp 
A1Ab8DfnbxoxTNvVZ/fjxDid

;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Dec 20 13:44:19 2010
;; MSG SIZE  rcvd: 313


>   dig +cd +dnssec ftp.debian.org DNSKEY

; <<>> DiG 9.6-ESV-R3 <<>> +cd +dnssec ftp.debian.org DNSKEY
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57772
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;ftp.debian.org.IN  DNSKEY

;; ANSWER SECTION:
ftp.debian.org. 28800   IN  DNSKEY  256 3 5 
AwEAAbKb7JLMdZbv5Ao/WndIcKiSajrEOzDggGF4JZGhkB/KD74sdZP4 
Stx47dJqUCOoA2ULnN3vtovBZbUdOkTFi2cSNuyzt6r4WnSmSi+iVtth 
4yTroUSirmT3dSQYU6Ouz6XhtqmwSL6kO94GHSg0rOYr2qDd0lu3uqs8 
gOCt+H3WHb1R+kl6yvFT1eb7cbmknQ==
ftp.debian.org. 28800   IN  DNSKEY  256 3 5 
AwEAAd2Q5QHO6rL3wGJET0d5foLUwiEZwXpRodq7j+70fKBTL5jEl6AB 
xpnt/zUHm62u1sYyDhv/mtB0q6cUKm6EnQ03WTiUU2n656fdjtaC+71D 
2B8KYv4uVHxVya5lEaxIklGLJvSnPwClkClanrCeCf0ALqfC74nOAZzy 
sWJ4iDfIth4DX9gcRrNf7lwcShr+Vw==
ftp.debian.org. 28800   IN  DNSKEY  257 3 5 
AwEAAanX1lSBuFPJX67wvJVJ81hkv1bV1BiqojH3pwdkxusxthvaLbGE 
bHWO4n3uY1gBhYw6ycRpyAUbjLE1NySzjpvfJY5KrLVPh1F89jyo9l16 
nlevXODge/Y5+Q0lOZhNhTDkt+c/Xvf0WfnkWZZVYY3SAZpZP5FBdkpI 
idbyXKMF63JYkYoRSC5gaURYRy6NwJrhUXTRDPPRC0sf7sw1ganNodDy 
6P7KqrWXdUOMBgFfHyQN3BmWjMRVdiY9N2+BnQ==
ftp.debian.org. 28800   IN  RRSIG   DNSKEY 5 3 28800 20110110133902 
20101213133902 9783 ftp.debian.org. 
v0ug+Kxv8QeSHZg7doZQUnsbKrAnuegSGX+Nfe7BmezONMyXXnbH8TC/ 
CCw3qQBBSltEJY1ytyvicfQnCaHXDc1vDvR9e6kzjoFFJxnSpNKsZXkh 
HtTSuO9RwmwWHQocpv06AOcRL2HeNl6hQcRh+28HGq3bgWveuRASEgKD 
u9eHCuQqtSrk97ymRJzNArON
ftp.debian.org. 28800   IN  RRSIG   DNSKEY 5 3 28800 20110110133902 
20101213133902 40396 ftp.debian.org. 
FenuaVpG8s5hjyRdyEmcAzXA/JtGsF7V1LqZeQZJ8pwlB6gidgCAUXDW 
wGjZBzzJl48LklxrSxyZDxdtN99/7lbDFgIEsmN5MabeQz6WCP2GBFq6 
A/nQJzLpPnZTqhw5pgfqTCjEyvOEVembqrEX4nU7QzeuYON0p6Y2I49Z 
PHpurX20dxW7DoLtXjeduUF0uTFVk6ToKt4SOpWcUF3syUeoyLzza7S1 
7VaeqLdi0L0u2CE907HQZKP1m3KaFWWN

;; Query time: 245 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Dec 20 13:44:45 2010
;; MSG SIZE  rcvd: 1011


>   dig +cd +dnssec ftp.debian.org A

; <<>> DiG 9.6-ESV-R3 <<>> +cd +dnssec ftp.debian.org A
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11161
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;ftp.debian.org.IN  A

;; ANSWER SECTION:
ftp.debian.org. 300 IN  A   130.89.149.226
ftp.debian.org. 300 IN  RRSIG   A 5 3 300 20110110133902 
20101213133902 9783 ftp.debian.org. 
GiKr7xnrmvBIdRT5VYxHWXzMae9KhHo09Qyx1+l5l4YNbpIiUw3aIkGp 
MOjsyETYy6hGVontU14me77sUChtI8tzGg11w9YKJopM46rplnTINpX+ 
U+ZVFIJtWaAyvLkmzPG3iZ8worZsWNEyShsqfl3lYqGl4Ma4jDPJDeHB 
KRdZFsIu5DPns153XwHmsvCw

;; AUTHORITY SECTION:
ftp.debian.org. 3580IN  NS  geo3.debian.org.
ftp.debian.org. 3580IN  NS  geo2.debian.org.
ftp.debian.org. 3580IN  NS  geo1.debian.org.
ftp.debian.org. 3600IN  RRSIG   NS 5 3 3600 20110110133902 
20101213133902 9783 ftp.debian.org. 
w/Tl/57AtBttNFpfNlC5uWm2sSJfcmppkY085gxdCfJ+Xngf9AHoYwpv 
+G5sCo0WUXcEnqLt1Dkox14n5iCt2YukV9k43nIWo1baUTjllWM8vijk 
r3wYDom+KDEFN+9haU7e618jo2f9Gw9wyJDX4FZpepkk7EwjqwB1sZeU 
nAIcWVM+FsdJfWPeIuo/a0m6

;; Query time: 62 msec
;; SER
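
The DS records in the DS answer above and the 257 (KSK) DNSKEY in the DNSKEY answer are the link a validator has to check before it can trust the ftp.debian.org DNSKEY RRset at all. As an added example, not code from the thread or from BIND, the following Python recomputes the key tag and both DS digests from the posted DNSKEY and compares them with the posted DS records; it uses only the standard library, and the tiny key in the test is constructed.

```python
import base64
import hashlib
import struct

# Data from the thread: the KSK (flags 257) in ftp.debian.org's DNSKEY RRset and the
# two DS records that debian.org publishes for key tag 40396 (SHA-256 and SHA-1 digests).
FTP_DEBIAN_KSK = (257, 3, 5,
    "AwEAAanX1lSBuFPJX67wvJVJ81hkv1bV1BiqojH3pwdkxusxthvaLbGE"
    "bHWO4n3uY1gBhYw6ycRpyAUbjLE1NySzjpvfJY5KrLVPh1F89jyo9l16"
    "nlevXODge/Y5+Q0lOZhNhTDkt+c/Xvf0WfnkWZZVYY3SAZpZP5FBdkpI"
    "idbyXKMF63JYkYoRSC5gaURYRy6NwJrhUXTRDPPRC0sf7sw1ganNodDy"
    "6P7KqrWXdUOMBgFfHyQN3BmWjMRVdiY9N2+BnQ==")
FTP_DEBIAN_DS = [
    (40396, 5, 2, "94E9380BA08A219B09D754C922A920B7DC57FBC01D718195A4B9C3B3EBE350EE"),
    (40396, 5, 1, "A32112A2E98C1AD75745609F9B7313B4DE95380B"),
]

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}   # DS digest types (RFC 4034, RFC 4509)


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label last."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """DNSKEY RDATA as it appears on the wire (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)


def key_tag(rdata):
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B (all algorithms except 1)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if (i & 1) else (byte << 8)
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type):
    """DS digest = hash(owner name in wire form || DNSKEY RDATA), RFC 4034 section 5.1.4."""
    return DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()


def ds_matches(owner, dnskey, ds):
    """True if the DS (key_tag, algorithm, digest_type, digest_hex) identifies this DNSKEY.

    A DS with an unsupported digest type cannot authenticate the key, so it yields False
    rather than an exception; a validator would then look for another usable DS.
    """
    flags, protocol, algorithm, key_b64 = dnskey
    tag, ds_alg, digest_type, digest_hex = ds
    if flags & 0x0100 == 0 or protocol != 3 or digest_type not in DIGESTS:
        return False   # not a zone key, bad protocol field, or a digest we cannot compute
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    return (tag == key_tag(rdata) and ds_alg == algorithm
            and ds_digest(owner, rdata, digest_type) == digest_hex.replace(" ", "").upper())


def check_thread_data():
    """One result per DS record from the thread: does it identify the posted KSK?"""
    return [ds_matches("ftp.debian.org.", FTP_DEBIAN_KSK, ds) for ds in FTP_DEBIAN_DS]


if __name__ == "__main__":
    print("computed key tag of the posted KSK:", key_tag(dnskey_rdata(*FTP_DEBIAN_KSK)))
    for ds, ok in zip(FTP_DEBIAN_DS, check_thread_data()):
        print("DS keytag=%d alg=%d digest=%d -> %s" % (ds[:3] + ("match" if ok else "NO MATCH",)))
```

If the DS digests match, the parent-to-child link is fine and the failure in the thread lies further along, in the DNSKEY RRSIGs or the DLV path rather than in the DS itself.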

Re: Anybody else having problems w/ DNSSEC and ftp.debian.org?

2010-12-18 Thread Florian Weimer
* Heiko Schlittermann:

> Could this somehow trigger this (unexpected) behaviour of a failing
> validation? But why does it work for somebody (anybody?) else using this
> version of bind? (output of the CHAOS version.bind query: "9.6-ESV-R3")

Obviously, it works for me, in quite a similar setup (consumer
Internet from Deutsche Telekom, among other things).

Can you show us the output from:

  dig +cd +dnssec ftp.debian.org DS
  dig +cd +dnssec ftp.debian.org DNSKEY
  dig +cd +dnssec ftp.debian.org A
  dig +cd +dnssec debian.org DNSKEY

?  I suspect you've got problems validating the ftp.debian.org DNSKEY
RRset for some reason.


Archive: http://lists.debian.org/87fwtuizjs@mid.deneb.enyo.de



Re: Anybody else having problems w/ DNSSEC and ftp.debian.org?

2010-12-15 Thread Heiko Schlittermann
Peter Palfrader  (Wed 15 Dec 2010 21:22:36 CET):
> On Tue, 14 Dec 2010, Heiko Schlittermann wrote:
> 
> > before filing a bug report I'd like to ask here, since I'd expect some
> > experts here :-)
> > 
> > Using a current lenny with bind9 I can't validate (www|ftp).debian.org
> > anymore. Is anybody else experiencing this problem?
> > 
> > not working: 1:9.6.ESV.R3+dfsg-0+lenny1 
> > working: 1:9.6.ESV.R1+dfsg-0+lenny2
> > working: 1:9.7.2.dfsg.P3-1
> 
> 
> I just downgraded my 9.7.2.dfsg.P3-1~bpo50+1 to 9.6.ESV.R3+dfsg-0+lenny1
> and indeed, I can no longer resolve anything delegated from debian.org.

Does one of the bind9 maintainers listen here?

-- 
Heiko :: dresden : linux : SCHLITTERMANN.de
GPG Key 48D0359B : 3061 CFBF 2D88 F034 E8D2 7E92 EE4E AC98 48D0 359B




Re: Anybody else having problems w/ DNSSEC and ftp.debian.org?

2010-12-15 Thread Peter Palfrader
On Tue, 14 Dec 2010, Heiko Schlittermann wrote:

> before filing a bug report I'd like to ask here, since I'd expect some
> experts here :-)
> 
> Using a current lenny with bind9 I can't validate (www|ftp).debian.org
> anymore. Is anybody else experiencing this problem?
> 
> not working: 1:9.6.ESV.R3+dfsg-0+lenny1 
> working: 1:9.6.ESV.R1+dfsg-0+lenny2
> working: 1:9.7.2.dfsg.P3-1


I just downgraded my 9.7.2.dfsg.P3-1~bpo50+1 to 9.6.ESV.R3+dfsg-0+lenny1
and indeed, I can no longer resolve anything delegated from debian.org.

I wonder what's up with that.

-- 
   |  .''`.  ** Debian GNU/Linux **
  Peter Palfrader  | : :' :  The  universal
 http://www.palfrader.org/ | `. `'  Operating System
   |   `-http://www.debian.org/


Archive: http://lists.debian.org/20101215202236.gr30...@anguilla.noreply.org



Re: Anybody else having problems w/ DNSSEC and ftp.debian.org?

2010-12-14 Thread Heiko Schlittermann
> Heiko Schlittermann  (Tue 14 Dec 2010 20:40:47 CET):
> > Peter Palfrader  (Tue 14 Dec 2010 20:31:46 CET):
> > > On Tue, 14 Dec 2010, Heiko Schlittermann wrote:
> > > 
> > > > Peter Palfrader  (Tue 14 Dec 2010 18:42:49 CET):
> > > > > On Tue, 14 Dec 2010, Heiko Schlittermann wrote:
> > > > > 
> > > > > > Using a current lenny with bind9 I can't validate 
> > > > > > (www|ftp).debian.org
> > > > > > anymore. Is anybody else experiencing this problem?
> > > > > > 
> > > > > > 
> > > > > > not working: 1:9.6.ESV.R3+dfsg-0+lenny1 
> > > > > > working: 1:9.6.ESV.R1+dfsg-0+lenny2
> > > > > > working: 1:9.7.2.dfsg.P3-1
> > > > > > 
> > > > > > ftp.debian.org seems to use DLV. Other domains using DLV validate.
> > > > > 
> > > > > Does a normal host validate?  Say for instance kassia.debian.org.
> > > > 
> > > > Yes, it does.
> > > 
> > > Are you on IPv6?
> > 
> > What is IPv6?
> > No, I'm not on IPv6 and even running bind with the "-4" option.


Here comes the output of a trace (level 3 I think); note the marked line:

14-Dec-2010 22:13:09.193 validating @0xb90c65d8: ftp.debian.org A: starting
14-Dec-2010 22:13:09.193 validating @0xb90c65d8: ftp.debian.org A: looking 
for DLV
14-Dec-2010 22:13:09.193 validating @0xb90c65d8: ftp.debian.org A: plain 
DNSSEC returns unsecure (.): looking for DLV
14-Dec-2010 22:13:09.193 validating @0xb90c65d8: ftp.debian.org A: looking 
for DLV ftp.debian.org.dlv.isc.org
14-Dec-2010 22:13:09.193 validating @0xb90c65d8: ftp.debian.org A: looking 
for DLV debian.org.dlv.isc.org
14-Dec-2010 22:13:09.193 validating @0xb90c65d8: ftp.debian.org A: DLV 
debian.org found
14-Dec-2010 22:13:09.193 validating @0xb90c65d8: ftp.debian.org A: 
dlv_validator_start
14-Dec-2010 22:13:09.193 validating @0xb90c65d8: ftp.debian.org A: 
restarting using DLV
14-Dec-2010 22:13:09.193 validating @0xb90c65d8: ftp.debian.org A: 
attempting positive response validation
14-Dec-2010 22:13:09.193   validating @0xb90cb070: ftp.debian.org DNSKEY: 
starting
14-Dec-2010 22:13:09.194   validating @0xb90cb070: ftp.debian.org DNSKEY: 
attempting positive response validation
14-Dec-2010 22:13:09.194   validating @0xb90cb070: ftp.debian.org DNSKEY: 
not beneath secure root
14-Dec-2010 22:13:09.194   validating @0xb90cb070: ftp.debian.org DNSKEY: 
plain DNSSEC returns unsecure (.): looking for DLV
14-Dec-2010 22:13:09.194   validating @0xb90cb070: ftp.debian.org DNSKEY: 
looking for DLV ftp.debian.org.dlv.isc.org
14-Dec-2010 22:13:09.194   validating @0xb90cb070: ftp.debian.org DNSKEY: 
looking for DLV debian.org.dlv.isc.org
14-Dec-2010 22:13:09.194   validating @0xb90cb070: ftp.debian.org DNSKEY: 
DLV debian.org found
14-Dec-2010 22:13:09.194   validating @0xb90cb070: ftp.debian.org DNSKEY: 
dlv_validator_start
14-Dec-2010 22:13:09.194   validating @0xb90cb070: ftp.debian.org DNSKEY: 
restarting using DLV
14-Dec-2010 22:13:09.194   validating @0xb90cb070: ftp.debian.org DNSKEY: 
attempting positive response validation
14-Dec-2010 22:13:09.194   validating @0xb90cb070: ftp.debian.org DNSKEY: 
not beneath secure root
14-Dec-2010 22:13:09.194   validating @0xb90cb070: ftp.debian.org DNSKEY: 
marking as answer (validatezonekey (1))
14-Dec-2010 22:13:09.194   validator @0xb90cb070: dns_validator_destroy
14-Dec-2010 22:13:09.194 validating @0xb90c65d8: ftp.debian.org A: in 
keyvalidated
14-Dec-2010 22:13:09.194 validating @0xb90c65d8: ftp.debian.org A: keyset 
with trust 5
14-Dec-2010 22:13:09.194 validating @0xb90c65d8: ftp.debian.org A: resuming 
validate
14-Dec-2010 22:13:09.194 validating @0xb90c65d8: ftp.debian.org A: no valid 
signature found
14-Dec-2010 22:13:09.195 validating @0xb90c65d8: ftp.debian.org A: falling 
back to insecurity proof
*   14-Dec-2010 22:13:09.195 validating @0xb90c65d8: ftp.debian.org A: checking 
existence of DS at 'ftp.debian.org'
14-Dec-2010 22:13:09.195 validating @0xb90c65d8: ftp.debian.org A: 
insecurity proof failed
14-Dec-2010 22:13:09.195 fctx 0xb487e008(ftp.debian.org/A'): received 
validation completion event
14-Dec-2010 22:13:09.195 validator @0xb90c65d8: dns_validator_destroy
14-Dec-2010 22:13:09.195 fctx 0xb487e008(ftp.debian.org/A'): validation 
failed
14-Dec-2010 22:13:09.195 fctx 0xb487e008(ftp.debian.org/A'): add_bad
14-Dec-2010 22:13:09.195 no valid RRSIG resolving 'ftp.debian.org/A/IN': 
82.195.75.105#53


A DS record is found. Why? Because ftp.debian.org is a zone on its own.
The other plain names (names that have just an A record) are working
and do not own a DS key.

Could this somehow trigger this (unexpected) behaviour of a failing
validation? But why does it work for somebody (anybody?) else using this
version of bind? (output of the CHAOS version.bind query: "9.6-ESV-R3")


-- 
Heiko :: dresden : linux : SCHLITTERMANN.de
GPG Key 48D0359B : 3061 CFBF 2D88 F034 E8D2 7E92 EE4E AC98 48D0 359B




Re: Anybody else having problems w/ DNSSEC and ftp.debian.org?

2010-12-14 Thread Heiko Schlittermann
Heiko Schlittermann  (Tue 14 Dec 2010 20:40:47 CET):
> Peter Palfrader  (Tue 14 Dec 2010 20:31:46 CET):
> > On Tue, 14 Dec 2010, Heiko Schlittermann wrote:
> > 
> > > Peter Palfrader  (Tue 14 Dec 2010 18:42:49 CET):
> > > > On Tue, 14 Dec 2010, Heiko Schlittermann wrote:
> > > > 
> > > > > Using a current lenny with bind9 I can't validate (www|ftp).debian.org
> > > > > anymore. Is anybody else experiencing this problem?
> > > > > 
> > > > > 
> > > > > not working: 1:9.6.ESV.R3+dfsg-0+lenny1 
> > > > > working: 1:9.6.ESV.R1+dfsg-0+lenny2
> > > > > working: 1:9.7.2.dfsg.P3-1
> > > > > 
> > > > > 
> > > > > ftp.debian.org seems to use DLV. Other domains using DLV validate.
> > > > 
> > > > Does a normal host validate?  Say for instance kassia.debian.org.
> > > 
> > > Yes, it does.
> > 
> > Are you on IPv6?
> 
> What is IPv6?
> No, I'm not on IPv6 and even running bind with the "-4" option.

syslog:
Dec 14 21:19:36 muli3 named[32237]: validating @0xb90beb28: ftp.debian.org A: 
no valid signature found
Dec 14 21:19:36 muli3 named[32237]: not insecure resolving 
'ftp.debian.org/A/IN': 206.12.19.113#53
Dec 14 21:19:36 muli3 named[32237]: validating @0xb90beb28: ftp.debian.org A: 
no valid signature found
Dec 14 21:19:36 muli3 named[32237]: no valid RRSIG resolving 
'ftp.debian.org/A/IN': 82.195.75.105#53
Dec 14 21:19:36 muli3 named[32237]: validating @0xb90beb28: ftp.debian.org A: 
no valid signature found
Dec 14 21:19:36 muli3 named[32237]: no valid RRSIG resolving 
'ftp.debian.org/A/IN': 195.20.242.125#53

Somehow it seems to dislike accepting the DLV key?

-- 
Heiko :: dresden : linux : SCHLITTERMANN.de
GPG Key 48D0359B : 3061 CFBF 2D88 F034 E8D2 7E92 EE4E AC98 48D0 359B




Re: Anybody else having problems w/ DNSSEC and ftp.debian.org?

2010-12-14 Thread Heiko Schlittermann
Peter Palfrader  (Tue 14 Dec 2010 20:31:46 CET):
> On Tue, 14 Dec 2010, Heiko Schlittermann wrote:
> 
> > Peter Palfrader  (Tue 14 Dec 2010 18:42:49 CET):
> > > On Tue, 14 Dec 2010, Heiko Schlittermann wrote:
> > > 
> > > > Using a current lenny with bind9 I can't validate (www|ftp).debian.org
> > > > anymore. Is anybody else experiencing this problem?
> > > > 
> > > > 
> > > > not working: 1:9.6.ESV.R3+dfsg-0+lenny1 
> > > > working: 1:9.6.ESV.R1+dfsg-0+lenny2
> > > > working: 1:9.7.2.dfsg.P3-1
> > > > 
> > > > 
> > > > ftp.debian.org seems to use DLV. Other domains using DLV validate.
> > > 
> > > Does a normal host validate?  Say for instance kassia.debian.org.
> > 
> > Yes, it does.
> 
> Are you on IPv6?

What is IPv6?
No, I'm not on IPv6 and even running bind with the "-4" option.

-- 
Heiko :: dresden : linux : SCHLITTERMANN.de
GPG Key 48D0359B : 3061 CFBF 2D88 F034 E8D2 7E92 EE4E AC98 48D0 359B




Re: Anybody else having problems w/ DNSSEC and ftp.debian.org?

2010-12-14 Thread Peter Palfrader
On Tue, 14 Dec 2010, Heiko Schlittermann wrote:

> Peter Palfrader  (Tue 14 Dec 2010 18:42:49 CET):
> > On Tue, 14 Dec 2010, Heiko Schlittermann wrote:
> > 
> > > Using a current lenny with bind9 I can't validate (www|ftp).debian.org
> > > anymore. Is anybody else experiencing this problem?
> > > 
> > > 
> > > not working: 1:9.6.ESV.R3+dfsg-0+lenny1 
> > > working: 1:9.6.ESV.R1+dfsg-0+lenny2
> > > working: 1:9.7.2.dfsg.P3-1
> > > 
> > > 
> > > ftp.debian.org seems to use DLV. Other domains using DLV validate.
> > 
> > Does a normal host validate?  Say for instance kassia.debian.org.
> 
> Yes, it does.

Are you on IPv6?

-- 
   |  .''`.  ** Debian GNU/Linux **
  Peter Palfrader  | : :' :  The  universal
 http://www.palfrader.org/ | `. `'  Operating System
   |   `-http://www.debian.org/


Archive: http://lists.debian.org/20101214193146.gm30...@anguilla.noreply.org



Re: Anybody else having problems w/ DNSSEC and ftp.debian.org?

2010-12-14 Thread Heiko Schlittermann
Peter Palfrader  (Tue 14 Dec 2010 18:42:49 CET):
> On Tue, 14 Dec 2010, Heiko Schlittermann wrote:
> 
> > Using a current lenny with bind9 I can't validate (www|ftp).debian.org
> > anymore. Is anybody else experiencing this problem?
> > 
> > 
> > not working: 1:9.6.ESV.R3+dfsg-0+lenny1 
> > working: 1:9.6.ESV.R1+dfsg-0+lenny2
> > working: 1:9.7.2.dfsg.P3-1
> > 
> > 
> > ftp.debian.org seems to use DLV. Other domains using DLV validate.
> 
> Does a normal host validate?  Say for instance kassia.debian.org.

Yes, it does.

-- 
Heiko




Re: Anybody else having problems w/ DNSSEC and ftp.debian.org?

2010-12-14 Thread Peter Palfrader
On Tue, 14 Dec 2010, Heiko Schlittermann wrote:

> Using a current lenny with bind9 I can't validate (www|ftp).debian.org
> anymore. Is anybody else experiencing this problem?
> 
> 
> not working: 1:9.6.ESV.R3+dfsg-0+lenny1 
> working: 1:9.6.ESV.R1+dfsg-0+lenny2
> working: 1:9.7.2.dfsg.P3-1
> 
> 
> ftp.debian.org seems to use DLV. Other domains using DLV validate.

Does a normal host validate?  Say for instance kassia.debian.org.

Cheers,
-- 
   |  .''`.  ** Debian GNU/Linux **
  Peter Palfrader  | : :' :  The  universal
 http://www.palfrader.org/ | `. `'  Operating System
   |   `-http://www.debian.org/


Archive: http://lists.debian.org/20101214174249.gi30...@anguilla.noreply.org



Re: Anybody else having problems w/ DNSSEC and ftp.debian.org?

2010-12-14 Thread Heiko Schlittermann
Stephane Bortzmeyer  (Tue 14 Dec 2010 16:15:56 CET):
> On Tue, Dec 14, 2010 at 04:11:01PM +0100,
>  Heiko Schlittermann  wrote 
>  a message of 65 lines which said:
> 
> > > Expired signature kept in the cache, maybe? It ends at
> > > 2010-12-14T09:48Z, which was several hours ago.
> > 
> > Sure? I'd say the signature expires 20110111094829 and was created
> > 20101214094829.
> 
> Yes. You're right. Reply too fast and coffee too late. Sorry.

OK, but the question remains: what's going on here… Who is wrong?
Unfortunately nobody else responded. And on a DENIC DNSSEC mailing list I
got only vague clues too. There I (too fast?) wrote that it was solved, since I
was able to reproduce it by changing the bind versions.

BTW, we have this issue on two independent machines, both running a
recent lenny. One system is connected via T-Online, the other one has a
"real" uplink.

Neither system uses any forwarder (that it knows of).

-- 
Heiko :: dresden : linux : SCHLITTERMAN.de
GPG Key 48D0359B : 3061 CFBF 2D88 F034 E8D2 7E92 EE4E AC98 48D0 359B




Re: Anybody else having problems w/ DNSSEC and ftp.debian.org?

2010-12-14 Thread Stephane Bortzmeyer
On Tue, Dec 14, 2010 at 04:11:01PM +0100,
 Heiko Schlittermann  wrote 
 a message of 65 lines which said:

> > Expired signature kept in the cache, maybe? It ends at
> > 2010-12-14T09:48Z, which was several hours ago.
> 
> Sure? I'd say the signature expires 20110111094829 and was created
> 20101214094829.

Yes. You're right. Reply too fast and coffee too late. Sorry.




Re: Anybody else having problems w/ DNSSEC and ftp.debian.org?

2010-12-14 Thread Heiko Schlittermann
Stephane Bortzmeyer  (Tue 14 Dec 2010 14:48:53 CET):
> On Tue, Dec 14, 2010 at 02:43:38PM +0100,
>  Heiko Schlittermann  wrote 
>  a message of 134 lines which said:
> 
> > With checking disabled:
> > # dig www.debian.org +cd +dnssec @192.168.0.1
> ...
> > www.debian.org. 132 IN  RRSIG   A 5 3 300 
> > 20110111094829 20101214094829 38208 www.debian.org. 
> > AR+irfLzNRWYgbJwp4Nf6M1o3xpANStnSMNQ7iechFhX9YdDUgx7vHLl 
> > 4/mjM6RbyHJiCyz5supU4ubuWT5QxjvG6IE/HgoimiEjq4XsP7ANSEdF 
> > 1B3y270gBxn+tO2ZDfNwLdob9k3AXJnyOVUq9cPVaa8ZcNZ8rhJ04JLF 
> > 3i3E9AphlUywmQPTNTCEtOoV
> 
> Expired signature kept in the cache, maybe? It ends at
> 2010-12-14T09:48Z, which was several hours ago.

Sure? I'd say the signature expires 20110111094829 and was created
20101214094829. BTW expired sigs are logged as such, I think.

[But I'm far from being a DNS(SEC) expert!]

>  
> > ;; WHEN: Tue Dec 14 14:38:22 2010
> 
> What time zone? If it is German time, UTC+1, yes, the problem was an
> expired signature.

But why is the behaviour reproducible by changing the bind versions back
and forth?

bind was restarted several times. I'd think everything bind caches is
in memory. Files are used for secondary zone data only.
dnssec-accept-expired is set to "yes" already.

-- 
Heiko :: dresden : linux : SCHLITTERMAN.de
GPG Key 48D0359B : 3061 CFBF 2D88 F034 E8D2 7E92 EE4E AC98 48D0 359B




Re: Anybody else having problems w/ DNSSEC and ftp.debian.org?

2010-12-14 Thread Stephane Bortzmeyer
On Tue, Dec 14, 2010 at 02:43:38PM +0100,
 Heiko Schlittermann  wrote 
 a message of 134 lines which said:

> With checking disabled:
> # dig www.debian.org +cd +dnssec @192.168.0.1
...
> www.debian.org.   132 IN  RRSIG   A 5 3 300 
> 20110111094829 20101214094829 38208 www.debian.org. 
> AR+irfLzNRWYgbJwp4Nf6M1o3xpANStnSMNQ7iechFhX9YdDUgx7vHLl 
> 4/mjM6RbyHJiCyz5supU4ubuWT5QxjvG6IE/HgoimiEjq4XsP7ANSEdF 
> 1B3y270gBxn+tO2ZDfNwLdob9k3AXJnyOVUq9cPVaa8ZcNZ8rhJ04JLF 
> 3i3E9AphlUywmQPTNTCEtOoV

Expired signature kept in the cache, maybe? It ends at
2010-12-14T09:48Z, which was several hours ago.
 
> ;; WHEN: Tue Dec 14 14:38:22 2010

What time zone? If it is German time, UTC+1, yes, the problem was an
expired signature.
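
The misreading in this exchange (which of the two timestamps is the expiration, and whether dig's local WHEN line has to be converted before comparing) is a routine source of false alarms when debugging DNSSEC. As an added example, not code from the thread or from BIND, the following Python parses the RRSIG posted above, converts the CET query time to UTC and evaluates the validity window, with a flag that mirrors the behaviour of BIND's dnssec-accept-expired option mentioned later in the thread; the option's exact semantics in the resolver are an assumption of this illustration.

```python
from datetime import datetime, timedelta, timezone

# The RRSIG over www.debian.org/A as posted in the thread (from a +cd query, so the
# resolver returns it even though validation of it failed).
RRSIG_LINE = (
    "www.debian.org. 132 IN RRSIG A 5 3 300 20110111094829 20101214094829 38208 www.debian.org. "
    "AR+irfLzNRWYgbJwp4Nf6M1o3xpANStnSMNQ7iechFhX9YdDUgx7vHLl "
    "4/mjM6RbyHJiCyz5supU4ubuWT5QxjvG6IE/HgoimiEjq4XsP7ANSEdF "
    "1B3y270gBxn+tO2ZDfNwLdob9k3AXJnyOVUq9cPVaa8ZcNZ8rhJ04JLF "
    "3i3E9AphlUywmQPTNTCEtOoV"
)


def parse_sigtime(field):
    """RRSIG inception/expiration are YYYYMMDDHHmmSS in UTC (RFC 4034 3.1.5), never local time."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(line):
    """Parse an RRSIG in dig's presentation format; the field order is expiration, then inception."""
    f = line.split()
    if len(f) < 13 or f[2] != "IN" or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record in presentation format")
    return {
        "owner": f[0], "ttl": int(f[1]), "type_covered": f[4], "algorithm": int(f[5]),
        "labels": int(f[6]), "original_ttl": int(f[7]),
        "expiration": parse_sigtime(f[8]), "inception": parse_sigtime(f[9]),
        "key_tag": int(f[10]), "signer": f[11], "signature_b64": "".join(f[12:]),
    }


def dig_when_to_utc(when, utc_offset_hours):
    """dig's ';; WHEN:' line is local time with no zone; convert it using the host's UTC offset."""
    local = datetime.strptime(when, "%a %b %d %H:%M:%S %Y")
    zone = timezone(timedelta(hours=utc_offset_hours))
    return local.replace(tzinfo=zone).astimezone(timezone.utc)


def rrsig_status(sig, now, accept_expired=False):
    """Validity window check as a validator does it (RFC 4035 5.3.1), both bounds inclusive.

    accept_expired models BIND's dnssec-accept-expired: an expired signature is still
    usable, which deliberately weakens validation to ride out a stale-signature incident.
    """
    if now < sig["inception"]:
        return "not yet valid"
    if now > sig["expiration"]:
        return "expired but accepted" if accept_expired else "expired"
    return "valid"


if __name__ == "__main__":
    sig = parse_rrsig(RRSIG_LINE)
    query_time = dig_when_to_utc("Tue Dec 14 14:38:22 2010", utc_offset_hours=1)  # CET, from the thread
    print("signature window (UTC):", sig["inception"], "->", sig["expiration"])
    print("query time (UTC):      ", query_time)
    print("status at query time:  ", rrsig_status(sig, query_time))
```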




Re: Anybody else having problems w/ DNSSEC and ftp.debian.org?

2010-12-14 Thread Heiko Schlittermann
Stephane Bortzmeyer  (Tue 14 Dec 2010 14:26:18 CET):
> On Tue, Dec 14, 2010 at 02:18:44PM +0100,
>  Heiko Schlittermann  wrote 
>  a message of 46 lines which said:
> 
> > Using a current lenny with bind9 I can't validate (www|ftp).debian.org
> > anymore. 
> 
> Works for me (BIND on a lenny using dlv.isc.org). Note the ad bit:
> 
> % dig +dnssec A www.debian.org 
> 
> ; <<>> DiG 9.6-ESV-R3 <<>> +dnssec A www.debian.org
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12253
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 4, ADDITIONAL: 13
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;www.debian.org.IN  A
> 
> ;; ANSWER SECTION:
> www.debian.org. 300 IN  A   141.76.2.5
> www.debian.org. 300 IN  A   213.129.232.18
> www.debian.org. 300 IN  RRSIG   A 5 3 300 20110111094829 
> 20101214094829 38208 www.debian.org. 
> AR+irfLzNRWYgbJwp4Nf6M1o3xpANStnSMNQ7iechFhX9YdDUgx7vHLl 
> 4/mjM6RbyHJiCyz5supU4ubuWT5QxjvG6IE/HgoimiEjq4XsP7ANSEdF 
> 1B3y270gBxn+tO2ZDfNwLdob9k3AXJnyOVUq9cPVaa8ZcNZ8rhJ04JLF 
> 3i3E9AphlUywmQPTNTCEtOoV
> 
> What is the output of 'dig +cd +dnssec www.debian.org' in your case?

# dig www.debian.org +dnssec @192.168.0.1

; <<>> DiG 9.7.1-P2 <<>> www.debian.org +dnssec @192.168.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 49087
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.debian.org.IN  A

;; Query time: 341 msec
;; SERVER: 192.168.0.1#53(192.168.0.1)
;; WHEN: Tue Dec 14 14:40:12 2010
;; MSG SIZE  rcvd: 43

The excuse in the server's syslog:

Dec 14 14:40:11 muli3 named[14985]: validating @0xb98d51b0: www.debian.org 
A: no valid signature found
Dec 14 14:40:11 muli3 named[14985]: no valid RRSIG resolving 
'www.debian.org/A/IN': 195.20.242.125#53
Dec 14 14:40:11 muli3 named[14985]: validating @0xb98d51b0: www.debian.org 
A: no valid signature found
Dec 14 14:40:11 muli3 named[14985]: no valid RRSIG resolving 
'www.debian.org/A/IN': 82.195.75.105#53
Dec 14 14:40:11 muli3 named[14985]: validating @0xb98d51b0: www.debian.org 
A: no valid signature found
Dec 14 14:40:11 muli3 named[14985]: no valid RRSIG resolving 
'www.debian.org/A/IN': 206.12.19.113#53


With checking disabled:
# dig www.debian.org +cd +dnssec @192.168.0.1

; <<>> DiG 9.7.1-P2 <<>> www.debian.org +cd +dnssec @192.168.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14886
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 3, AUTHORITY: 4, ADDITIONAL: 13

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.debian.org.IN  A

;; ANSWER SECTION:
www.debian.org. 132 IN  A   213.129.232.18
www.debian.org. 132 IN  A   141.76.2.5
www.debian.org. 132 IN  RRSIG   A 5 3 300 
20110111094829 20101214094829 38208 www.debian.org. 
AR+irfLzNRWYgbJwp4Nf6M1o3xpANStnSMNQ7iechFhX9YdDUgx7vHLl 
4/mjM6RbyHJiCyz5supU4ubuWT5QxjvG6IE/HgoimiEjq4XsP7ANSEdF 
1B3y270gBxn+tO2ZDfNwLdob9k3AXJnyOVUq9cPVaa8ZcNZ8rhJ04JLF 
3i3E9AphlUywmQPTNTCEtOoV



;; Query time: 28 msec
;; SERVER: 192.168.0.1#53(192.168.0.1)
;; WHEN: Tue Dec 14 14:38:22 2010
;; MSG SIZE  rcvd: 1760


When I'm validating myself (dig +sigchase …) using the DNSKEY found for
debian.org, I can validate the answers (tested for ftp, but expect the
same for www).


-- 
Heiko :: dresden : linux : SCHLITTERMAN.de
GPG Key 48D0359B : 3061 CFBF 2D88 F034 E8D2 7E92 EE4E AC98 48D0 359B




Re: Anybody else having problems w/ DNSSEC and ftp.debian.org?

2010-12-14 Thread Stephane Bortzmeyer
On Tue, Dec 14, 2010 at 02:18:44PM +0100,
 Heiko Schlittermann  wrote 
 a message of 46 lines which said:

> Using a current lenny with bind9 I can't validate (www|ftp).debian.org
> anymore. 

Works for me (BIND on a lenny using dlv.isc.org). Note the ad bit:

% dig +dnssec A www.debian.org 

; <<>> DiG 9.6-ESV-R3 <<>> +dnssec A www.debian.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12253
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 4, ADDITIONAL: 13

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.debian.org.IN  A

;; ANSWER SECTION:
www.debian.org. 300 IN  A   141.76.2.5
www.debian.org. 300 IN  A   213.129.232.18
www.debian.org. 300 IN  RRSIG   A 5 3 300 20110111094829 
20101214094829 38208 www.debian.org. 
AR+irfLzNRWYgbJwp4Nf6M1o3xpANStnSMNQ7iechFhX9YdDUgx7vHLl 
4/mjM6RbyHJiCyz5supU4ubuWT5QxjvG6IE/HgoimiEjq4XsP7ANSEdF 
1B3y270gBxn+tO2ZDfNwLdob9k3AXJnyOVUq9cPVaa8ZcNZ8rhJ04JLF 
3i3E9AphlUywmQPTNTCEtOoV

What is the output of 'dig +cd +dnssec www.debian.org' in your case?




Anybody else having problems w/ DNSSEC and ftp.debian.org?

2010-12-14 Thread Heiko Schlittermann
Hello,

before filing a bug report I'd like to ask here, since I'd expect some
experts here :-)

Using a current lenny with bind9 I can't validate (www|ftp).debian.org
anymore. Is anybody else experiencing this problem?


not working: 1:9.6.ESV.R3+dfsg-0+lenny1 
working: 1:9.6.ESV.R1+dfsg-0+lenny2
working: 1:9.7.2.dfsg.P3-1


ftp.debian.org seems to use DLV. Other domains using DLV validate.

-- 
Heiko :: dresden : linux : SCHLITTERMAN.de
GPG Key 48D0359B : 3061 CFBF 2D88 F034 E8D2 7E92 EE4E AC98 48D0 359B

