> Heiko Schlittermann <h...@schlittermann.de> (Tue 14 Dec 2010 20:40:47 CET):
> > Peter Palfrader <wea...@debian.org> (Tue 14 Dec 2010 20:31:46 CET):
> > > On Tue, 14 Dec 2010, Heiko Schlittermann wrote:
> > >
> > > > Peter Palfrader <wea...@debian.org> (Tue 14 Dec 2010 18:42:49 CET):
> > > > > On Tue, 14 Dec 2010, Heiko Schlittermann wrote:
> > > > >
> > > > > > Using a current lenny with bind9 I can't validate
> > > > > > (www|ftp).debian.org
> > > > > > anymore. Is anybody else experiencing this problem?
> > > > > >
> > > > > > not working: 1:9.6.ESV.R3+dfsg-0+lenny1
> > > > > > working: 1:9.6.ESV.R1+dfsg-0+lenny2
> > > > > > working: 1:9.7.2.dfsg.P3-1
> > > > > >
> > > > > > ftp.debian.org seems to use DLV. Other domains using DLV validate.
> > > > >
> > > > > Does a normal host validate? Say for instance kassia.debian.org.
> > > >
> > > > Yes, it does.
> > >
> > > Are you on IPv6?
> >
> > What is IPv6?
>
> No, I'm not on IPv6 and even running bind with the "-4" option.
Here comes the output of a trace (level 3 I think), note the marked line:

14-Dec-2010 22:13:09.193 validating @0xb90c65d8: ftp.debian.org A: starting
14-Dec-2010 22:13:09.193 validating @0xb90c65d8: ftp.debian.org A: looking for DLV
14-Dec-2010 22:13:09.193 validating @0xb90c65d8: ftp.debian.org A: plain DNSSEC returns unsecure (.): looking for DLV
14-Dec-2010 22:13:09.193 validating @0xb90c65d8: ftp.debian.org A: looking for DLV ftp.debian.org.dlv.isc.org
14-Dec-2010 22:13:09.193 validating @0xb90c65d8: ftp.debian.org A: looking for DLV debian.org.dlv.isc.org
14-Dec-2010 22:13:09.193 validating @0xb90c65d8: ftp.debian.org A: DLV debian.org found
14-Dec-2010 22:13:09.193 validating @0xb90c65d8: ftp.debian.org A: dlv_validator_start
14-Dec-2010 22:13:09.193 validating @0xb90c65d8: ftp.debian.org A: restarting using DLV
14-Dec-2010 22:13:09.193 validating @0xb90c65d8: ftp.debian.org A: attempting positive response validation
14-Dec-2010 22:13:09.193 validating @0xb90cb070: ftp.debian.org DNSKEY: starting
14-Dec-2010 22:13:09.194 validating @0xb90cb070: ftp.debian.org DNSKEY: attempting positive response validation
14-Dec-2010 22:13:09.194 validating @0xb90cb070: ftp.debian.org DNSKEY: not beneath secure root
14-Dec-2010 22:13:09.194 validating @0xb90cb070: ftp.debian.org DNSKEY: plain DNSSEC returns unsecure (.): looking for DLV
14-Dec-2010 22:13:09.194 validating @0xb90cb070: ftp.debian.org DNSKEY: looking for DLV ftp.debian.org.dlv.isc.org
14-Dec-2010 22:13:09.194 validating @0xb90cb070: ftp.debian.org DNSKEY: looking for DLV debian.org.dlv.isc.org
14-Dec-2010 22:13:09.194 validating @0xb90cb070: ftp.debian.org DNSKEY: DLV debian.org found
14-Dec-2010 22:13:09.194 validating @0xb90cb070: ftp.debian.org DNSKEY: dlv_validator_start
14-Dec-2010 22:13:09.194 validating @0xb90cb070: ftp.debian.org DNSKEY: restarting using DLV
14-Dec-2010 22:13:09.194 validating @0xb90cb070: ftp.debian.org DNSKEY: attempting positive response validation
14-Dec-2010 22:13:09.194 validating @0xb90cb070: ftp.debian.org DNSKEY: not beneath secure root
14-Dec-2010 22:13:09.194 validating @0xb90cb070: ftp.debian.org DNSKEY: marking as answer (validatezonekey (1))
14-Dec-2010 22:13:09.194 validator @0xb90cb070: dns_validator_destroy
14-Dec-2010 22:13:09.194 validating @0xb90c65d8: ftp.debian.org A: in keyvalidated
14-Dec-2010 22:13:09.194 validating @0xb90c65d8: ftp.debian.org A: keyset with trust 5
14-Dec-2010 22:13:09.194 validating @0xb90c65d8: ftp.debian.org A: resuming validate
14-Dec-2010 22:13:09.194 validating @0xb90c65d8: ftp.debian.org A: no valid signature found
14-Dec-2010 22:13:09.195 validating @0xb90c65d8: ftp.debian.org A: falling back to insecurity proof
* 14-Dec-2010 22:13:09.195 validating @0xb90c65d8: ftp.debian.org A: checking existence of DS at 'ftp.debian.org'
14-Dec-2010 22:13:09.195 validating @0xb90c65d8: ftp.debian.org A: insecurity proof failed
14-Dec-2010 22:13:09.195 fctx 0xb487e008(ftp.debian.org/A'): received validation completion event
14-Dec-2010 22:13:09.195 validator @0xb90c65d8: dns_validator_destroy
14-Dec-2010 22:13:09.195 fctx 0xb487e008(ftp.debian.org/A'): validation failed
14-Dec-2010 22:13:09.195 fctx 0xb487e008(ftp.debian.org/A'): add_bad
14-Dec-2010 22:13:09.195 no valid RRSIG resolving 'ftp.debian.org/A/IN': 82.195.75.105#53

A DS record is found. Why? Since ftp.debian.org is a zone on its own. The other plain names (those that have just an A record) are working and do not own a DS key. Could this somehow trigger this (unexpected) behaviour of a failing validation? But why does it work for somebody (anybody?) else using this version of bind?

(output of the CHAOS version.bind query: "9.6-ESV-R3")

--
Heiko :: dresden : linux : SCHLITTERMANN.de
GPG Key 48D0359B : 3061 CFBF 2D88 F034 E8D2 7E92 EE4E AC98 48D0 359B
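Added example, not part of the thread and not BIND's own tooling: a small Python parser that groups a BIND 9 validator trace like the one above by validator instance (the @0x... id) and records how each one ended, so the step at which validation failed stands out in longer debug logs. The event strings it matches are the ones that appear in the quoted trace; the outcome labels ("validated", "no-signature", "bogus") are this example's own classification.

```python
import re
from collections import OrderedDict

# One BIND 9 validator trace line (category dnssec, debug level 3), e.g.
# 14-Dec-2010 22:13:09.195 validating @0xb90c65d8: ftp.debian.org A: insecurity proof failed
LINE_RE = re.compile(r"^\S+ \S+ validating @(?P<vid>0x[0-9a-f]+): "
                     r"(?P<name>\S+) (?P<rtype>\S+): (?P<event>.*)$")
DLV_RE = re.compile(r"^DLV (?P<anchor>\S+) found$")
TRUST_RE = re.compile(r"^keyset with trust (?P<trust>\d+)$")

def summarize(lines):
    """Group trace lines by validator instance (@0x... id) and derive each one's outcome."""
    validators = OrderedDict()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # fctx/resolver lines carry no per-validator event
        v = validators.setdefault(m["vid"], {
            "name": m["name"], "rtype": m["rtype"], "dlv_anchor": None,
            "key_trust": None, "outcome": "incomplete", "last_event": None})
        event = m["event"]
        v["last_event"] = event
        if (d := DLV_RE.match(event)):
            v["dlv_anchor"] = d["anchor"]      # DLV entry the validator restarted from
        elif (t := TRUST_RE.match(event)):
            v["key_trust"] = int(t["trust"])   # trust level of the DNSKEY set it will use
        elif event.startswith("marking as answer"):
            v["outcome"] = "validated"
        elif event == "no valid signature found":
            v["outcome"] = "no-signature"      # not final: an insecurity proof follows
        elif event == "insecurity proof failed":
            v["outcome"] = "bogus"             # neither signed nor provably unsigned
    return validators

# Excerpt of the trace quoted in the mail above; the fctx line shows non-validator lines are skipped.
TRACE = """\
14-Dec-2010 22:13:09.193 validating @0xb90c65d8: ftp.debian.org A: plain DNSSEC returns unsecure (.): looking for DLV
14-Dec-2010 22:13:09.193 validating @0xb90c65d8: ftp.debian.org A: DLV debian.org found
14-Dec-2010 22:13:09.194 validating @0xb90cb070: ftp.debian.org DNSKEY: DLV debian.org found
14-Dec-2010 22:13:09.194 validating @0xb90cb070: ftp.debian.org DNSKEY: marking as answer (validatezonekey (1))
14-Dec-2010 22:13:09.194 validating @0xb90c65d8: ftp.debian.org A: keyset with trust 5
14-Dec-2010 22:13:09.194 validating @0xb90c65d8: ftp.debian.org A: no valid signature found
14-Dec-2010 22:13:09.195 validating @0xb90c65d8: ftp.debian.org A: falling back to insecurity proof
14-Dec-2010 22:13:09.195 validating @0xb90c65d8: ftp.debian.org A: insecurity proof failed
14-Dec-2010 22:13:09.195 fctx 0xb487e008(ftp.debian.org/A'): validation failed
""".splitlines()

if __name__ == "__main__":
    for vid, v in summarize(TRACE).items():
        print(vid, v)
```

Run against the full trace, the A validator reports "bogus" with last event "insecurity proof failed" while the DNSKEY validator reports "validated", which is exactly the split the mail asks about.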