Hello, I am trying to use delv (version 19.8.2 on Ubuntu 0.22.04) to troubleshoot using a custom trust anchor. However, I am getting very strange results from delv. The short of it is, I must point delv at another validating resolver (such as @8.8.8.8) for the custom trust anchors (-a) to work.
First, I use the correct trust anchor (right.key), I query twice, with and without @8.8.8.8:

$ cat right.key
trust-anchors {
    . initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
    +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
    ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
    0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
    oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
    RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
    R1AkUTV74bU=";
};

$ delv -a right.key www.example.com. A
;; broken trust chain resolving 'www.example.com/A/IN': 127.0.0.53#53
;; resolution failed: broken trust chain

$ delv -a right.key www.example.com. A @8.8.8.8
; fully validated
www.example.com.    10545   IN  A       93.184.216.34
www.example.com.    10545   IN  RRSIG   A 13 3 86400 20230626193619 20230605194008 44029 example.com. grjd2rY82fZuYxz3laDCQKu2ZbcOmy4/eApedHRVFsMGOGwmLJ3FU08D 2dr4BWtpVm12HAgyt0euyGCcQLDErg==

Then, I tested it with a purposely misconfigured key. Again, two queries, with and without @8.8.8.8:

$ cat wrong.key
trust-anchors {
    . initial-key 257 3 8 "AwEAAcxpNx7yHa+8KpYjdi8wPJw8cXusWGo2deQsPANOJFDhF4Dx2NTrEjvIDMGymLpXLSj7PpAzbhBwcKMQ/WEUprTl7Dfn26HYXFl3K0U4AahZO99seYkQao82n21VkfjguSv1SXmzerrwsGXP91CncXJ7Apz8wieJDLe3u4gA/DkqvjeCtE+sf+DcSqalnKgY6TWmKFX0VPPL2W3TXwLHyfVh5AWV2mGpugJ4YUoqtmDgXwOjUvkZDxQFsliE/iYc1S9tYVD40fbfL3l8vRXoVfListNNQBKh7oDXpPKEXgOn5kl8V05hcG1LAbB0jtOtPdgs+BJ+3WN0o2q+PSo9QVE=";
};

$ delv -a wrong.key www.example.com. A
;; broken trust chain resolving 'www.example.com/A/IN': 127.0.0.53#53
;; resolution failed: broken trust chain

$ delv -a wrong.key www.example.com. A @8.8.8.8
;; validating ./DNSKEY: no valid signature found (DS)
;; no valid RRSIG resolving './DNSKEY/IN': 8.8.8.8#53
;; broken trust chain resolving 'com/DS/IN': 8.8.8.8#53
;; broken trust chain resolving 'com/DNSKEY/IN': 8.8.8.8#53
;; broken trust chain resolving 'example.com/DS/IN': 8.8.8.8#53
;; broken trust chain resolving 'example.com/DNSKEY/IN': 8.8.8.8#53
;; broken trust chain resolving 'www.example.com/A/IN': 8.8.8.8#53
;; resolution failed: broken trust chain

This has me scratching my head... I know delv is capable of acting as a validating resolver. And I want it to. What am I doing wrong? What other information can I provide? +vtrace?

A note about why I am doing this seemingly pointless exercise: back in 2018/2019 during the first root key rollover, several others experienced the issue where the trust anchor on their validating resolver(s) did not change, resulting in SERVFAIL. Not everyone has access to the validating resolver's configuration; in fact, some of them had to prove to their ISP or whoever is running the validating resolver that it's the trust anchor that needs to be updated. This is an exercise that I am planning to teach others, so when/if this happens again the next time the root key rolls, they know how to use delv to produce evidence to show their DNS administrators to update the trust anchor.

Thanks in advance.

-Josh
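An added example, not from the original post or from ISC's delv, that reads a trust-anchors file in the named.conf syntax shown above and derives the key tag and SHA-256 DS of each anchor, the two values a DNS administrator can check against the DS that IANA publishes for the root KSK (the script embeds a copy of right.key; comparison against the published DS is done by hand, outside the script).

```python
import base64
import hashlib
import re
import struct

# Copy of right.key from the post; named.conf allows whitespace inside the blob.
RIGHT_KEY = """trust-anchors { . initial-key 257 3 8
"AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
R1AkUTV74bU="; };"""

ANCHOR_RE = re.compile(
    r'(\S+)\s+(?:initial|static)-key\s+(\d+)\s+(\d+)\s+(\d+)\s+"([^"]*)"')

def parse_trust_anchors(text):
    """Yield (owner, DNSKEY RDATA) for each *-key anchor; DS-style anchors are skipped."""
    for owner, flags, proto, alg, b64 in ANCHOR_RE.findall(text):
        pubkey = base64.b64decode("".join(b64.split()))
        yield owner, struct.pack("!HBB", int(flags), int(proto), int(alg)) + pubkey

def key_tag(rdata):
    """RFC 4034 Appendix B key tag: the number delv and dig print next to a DNSKEY."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_sha256(owner, rdata):
    """Upper-case hex of the DS (digest type 2) for this key: SHA-256 over the
    owner name in wire format followed by the DNSKEY RDATA (RFC 4034 section 5.1.4)."""
    labels = [] if owner == "." else owner.rstrip(".").lower().split(".")
    wire = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return hashlib.sha256(wire + rdata).hexdigest().upper()

def summarize(text):
    """(owner, key tag, DS hex) per anchor, for comparison with the published DS."""
    return [(o, key_tag(r), ds_sha256(o, r)) for o, r in parse_trust_anchors(text)]

if __name__ == "__main__":
    for owner, tag, ds in summarize(RIGHT_KEY):
        print(f"{owner} key tag {tag}  DS 2 {ds}")
```

Run the same function over a resolver's configured anchor file: an anchor whose key tag and DS do not match the currently published root DS is the evidence that the anchor is stale.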
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users