[Bug 1406729] Re: dig does not have a default trusted key
I vote no, if someone is setting up or testing DNSSEC, let's not encourage them to use a broken dig option! I tried using the following command and dig core dumped. Note: www is setup as a CNAME. dig +trusted-key=trusted-key.key +topdown +sigchase +multiline -ta www.tuxedo.net I was wondering if I had done something wrong with DNSSEC... But other tools show (I think) it looks ok. drill -TD -k ../trusted-key.key www.tuxedo.net # See footnote 1 http://dnsviz.net/d/www.tuxedo.net/dnssec/ And some more digging and I found: The option is not compiled in by default upstream because it is broken. See: https://lists.isc.org/pipermail/bind-users/2012-May/087779.html https://lists.isc.org/pipermail/bind-users/2012-May/087781.html dig +trusted-key=trusted-key.key +topdown +sigchase +multiline -ta com ... ;; OK a DS valids a DNSKEY in the RRset ;; Now verify that this DNSKEY validates the DNSKEY RRset ;; VERIFYING DNSKEY RRset for com. with DNSKEY:30909: success ;; We are in a Grand Father Problem: See 2.2.1 in RFC 3568 ;; ERROR : com. is not a subdomain of: com. FAILED name.c:2151: REQUIRE(source-length 0) failed, back trace #0 0x7f1a1cda5954 in ?? #1 0x7f1a1cda58ba in ?? #2 0x7f1a1d4a7bdc in ?? #3 0x7f1a1dc45f72 in ?? #4 0x7f1a1dc48397 in ?? #5 0x7f1a1dc4a3d2 in ?? #6 0x7f1a1cdc7af6 in ?? #7 0x7f1a1cb80182 in ?? #8 0x7f1a1c8acefd in ?? Aborted (core dumped) I also compiled bind-9.9.6-P1 to test if it was fixed in a newer release, and it is still broken. Footnote 1: Note drill is currently part of ldnsutils package and not unbound. https://www.nlnetlabs.nl/projects/drill/ -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to bind9 in Ubuntu. https://bugs.launchpad.net/bugs/1406729 Title: dig does not have a default trusted key To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/1406729/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1406729] Re: dig does not have a default trusted key
I vote no, if someone is setting up or testing DNSSEC, let's not encourage them to use a broken dig option! I tried using the following command and dig core dumped. Note: www is setup as a CNAME. dig +trusted-key=trusted-key.key +topdown +sigchase +multiline -ta www.tuxedo.net I was wondering if I had done something wrong with DNSSEC... But other tools show (I think) it looks ok. drill -TD -k ../trusted-key.key www.tuxedo.net # See footnote 1 http://dnsviz.net/d/www.tuxedo.net/dnssec/ And some more digging and I found: The option is not compiled in by default upstream because it is broken. See: https://lists.isc.org/pipermail/bind-users/2012-May/087779.html https://lists.isc.org/pipermail/bind-users/2012-May/087781.html dig +trusted-key=trusted-key.key +topdown +sigchase +multiline -ta com ... ;; OK a DS valids a DNSKEY in the RRset ;; Now verify that this DNSKEY validates the DNSKEY RRset ;; VERIFYING DNSKEY RRset for com. with DNSKEY:30909: success ;; We are in a Grand Father Problem: See 2.2.1 in RFC 3568 ;; ERROR : com. is not a subdomain of: com. FAILED name.c:2151: REQUIRE(source-length 0) failed, back trace #0 0x7f1a1cda5954 in ?? #1 0x7f1a1cda58ba in ?? #2 0x7f1a1d4a7bdc in ?? #3 0x7f1a1dc45f72 in ?? #4 0x7f1a1dc48397 in ?? #5 0x7f1a1dc4a3d2 in ?? #6 0x7f1a1cdc7af6 in ?? #7 0x7f1a1cb80182 in ?? #8 0x7f1a1c8acefd in ?? Aborted (core dumped) I also compiled bind-9.9.6-P1 to test if it was fixed in a newer release, and it is still broken. Footnote 1: Note drill is currently part of ldnsutils package and not unbound. https://www.nlnetlabs.nl/projects/drill/ -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1406729 Title: dig does not have a default trusted key To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/1406729/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1406729] Re: dig does not have a default trusted key
I can confirm this for Vivid's 9.9.5.dfsg-6ubuntu1 package. Not convinced either way in regards to whatever Ubuntu should distribute a /etc/trusted-key.key file. (Not my call either.) ** Changed in: bind9 (Ubuntu) Importance: Undecided = Wishlist ** Changed in: bind9 (Ubuntu) Status: New = Confirmed -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to bind9 in Ubuntu. https://bugs.launchpad.net/bugs/1406729 Title: dig does not have a default trusted key To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/1406729/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1406729] Re: dig does not have a default trusted key
Considering that the 'bind9' package ships the root key (in /etc/bind/bind.keys), I see no reason why it should not also be shipped in the dnsutils package as well. -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to bind9 in Ubuntu. https://bugs.launchpad.net/bugs/1406729 Title: dig does not have a default trusted key To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/1406729/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1406729] Re: dig does not have a default trusted key
I can confirm this for Vivid's 9.9.5.dfsg-6ubuntu1 package. Not convinced either way in regards to whatever Ubuntu should distribute a /etc/trusted-key.key file. (Not my call either.) ** Changed in: bind9 (Ubuntu) Importance: Undecided = Wishlist ** Changed in: bind9 (Ubuntu) Status: New = Confirmed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1406729 Title: dig does not have a default trusted key To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/1406729/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1406729] Re: dig does not have a default trusted key
Considering that the 'bind9' package ships the root key (in /etc/bind/bind.keys), I see no reason why it should not also be shipped in the dnsutils package as well. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1406729 Title: dig does not have a default trusted key To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/1406729/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs