Also note that dig from bind-tools can do this:

~ $ sudo tee /etc/trusted-key.key << "EOF"
. IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF 
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX 
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD 
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz 
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS 
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=
. IN DNSKEY 256 3 8 AwEAAb1gcDhBlH/9MlgUxS0ik2dwY/JiBIpV+EhKZV7LccxNc6Qlj467 
QjHQ3Fgm2i2LE9w6LqPFDSng5qVq1OYFyTBt3DQppqDnAPriTwW5qIQN 
DNFv34yo63sAdBeU4G9tv7dzT5sPyAgmVh5HDCe+6XM2+Iel1+kUKCel 8Icy19hR
EOF
~ $ dig @a.root-servers.net. +dnssec +sigchase -t soa .
;; RRset to chase:
.                       86400   IN      SOA     a.root-servers.net. 
nstld.verisign-grs.com. 2010071501 1800 900 604800 86400


;; RRSIG of the RRset to chase:
.                       86400   IN      RRSIG   SOA 8 0 86400 20100722000000 
20100714230000 41248 . iJEabLsGHtCq8qrfSbMIjzPpBLqXa0aD5cBsIp9Sf/NF0VJQQ4nl/v+j 
6NR6/KClkAz2VviWE4hLDzMWcil5qzZJLvqduDedk3QV+mBKNy3OVPdN 
IeyxK/nYtxVBJMKbynJ8pBm0vAL3TW1+0JEfD7IG0do5t84+32hQd9Mb Vn0=


Launch a query to find a RRset of type DNSKEY for zone: .

;; DNSKEYset that signs the RRset to chase:
.                       86400   IN      DNSKEY  257 3 8 
AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF 
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX 
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD 
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz 
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS 
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=
.                       86400   IN      DNSKEY  256 3 8 
AwEAAb1gcDhBlH/9MlgUxS0ik2dwY/JiBIpV+EhKZV7LccxNc6Qlj467 
QjHQ3Fgm2i2LE9w6LqPFDSng5qVq1OYFyTBt3DQppqDnAPriTwW5qIQN 
DNFv34yo63sAdBeU4G9tv7dzT5sPyAgmVh5HDCe+6XM2+Iel1+kUKCel 8Icy19hR


;; RRSIG of the DNSKEYset that signs the RRset to chase:
.                       86400   IN      RRSIG   DNSKEY 8 0 86400 20100725235959 
20100711000000 19036 . I4cENgcWP+mN7eoX8KqPhvOMcGB0MMOB6ooTbEKHPR9gk6sAcJvq04tC 
ncwBNiMY3JxzHajsLmMermTL0sVmXj8j6Ba3eTX+t4CsdnUBFfk8zDyb 
lIIlYwWKZ/x2aXmOjKIKMIC9w8Wnt8awoo45MWzlAT2wGU7gcCAKxJ+O 
FG/ev8eUXpNxpzRIQvuC7ZGOlELJrrTQCgubyMWOjGaY0MPzrei0Uwe9 
2autHPcISBKghnp80zfLmkueSO8qmkbwHn6Jg5vFQ7mG/BKJ5mDXCX5k 
IjfBQPPe+I2FsGnl+2r9yAmT1n7xLzktKRwKpCwE265EUhDMq7e0P7gF khgEPA==


Launch a query to find a RRset of type DS for zone: .
;; NO ANSWERS: no more

;; WARNING There is no DS for the zone: .


;; WE HAVE MATERIAL, WE NOW DO VALIDATION
;; VERIFYING SOA RRset for . with DNSKEY:41248: success
;; OK We found DNSKEY (or more) to validate the RRset
;; Ok, find a Trusted Key in the DNSKEY RRset: 19036
;; VERIFYING DNSKEY RRset for . with DNSKEY:19036: success

;; Ok this DNSKEY is a Trusted Key, DNSSEC validation is ok: SUCCESS
~ $ 

** Description changed:

  The libldns1 and/or ldnsutils package(s) need to have SHA-2 RRSIG
  support to be able to understand the DNSSEC records for the root zone
  (".").
  
  Not being able to verify SHA-2 hashes is fine as long as you use DNSSEC
  on some alternative DNS system that is not the de facto internet. For
  the rest of us, we use the (de facto) internet, and since this does not
  work for the aforementioned internet, this is a problem.
  
  My release is Ubuntu 10.04 LTS.
  
  The expected output is (something like):
  
  ;; Number of trusted keys: 2
  ;; Chasing: . SOA
  
  DNSSEC Trust tree:
  . (SOA)
  |---. (DNSKEY keytag: 41248 alg: 8 flags: 256)
  ;; Chase successful
  
  The actual output is:
  
  error: Error creating socket
  error: No nameservers defined in the resolver
  ;; Number of trusted keys: 2
  ;; Chasing: . SOA
  
  DNSSEC Trust tree:
  . (SOA)
  |---Unknown cryptographic algorithm:
  .     86400   IN      RRSIG   SOA 8 0 86400 20100722000000 20100714230000 
41248 . 
iJEabLsGHtCq8qrfSbMIjzPpBLqXa0aD5cBsIp9Sf/NF0VJQQ4nl/v+j6NR6/KClkAz2VviWE4hLDzMWcil5qzZJLvqduDedk3QV+mBKNy3OVPdNIeyxK/nYtxVBJMKbynJ8pBm0vAL3TW1+0JEfD7IG0do5t84+32hQd9MbVn0=
 ;{id = 41248}
  For RRset:
  .     86400   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 
2010071501 1800 900 604800 86400
  With key:
  .     86400   IN      DNSKEY  256 3 8 
AwEAAb1gcDhBlH/9MlgUxS0ik2dwY/JiBIpV+EhKZV7LccxNc6Qlj467QjHQ3Fgm2i2LE9w6LqPFDSng5qVq1OYFyTBt3DQppqDnAPriTwW5qIQNDNFv34yo63sAdBeU4G9tv7dzT5sPyAgmVh5HDCe+6XM2+Iel1+kUKCel8Icy19hR
 ;{id = 41248 (zsk), size = 0b}
  |---. (DNSKEY keytag: 41248 alg: 8 flags: 256)
  No trusted keys found in tree: first error was: Unknown cryptographic 
algorithm
  ;; Chase failed.
  
  To reproduce, add the ICANN's DNSKEYs as the trusted keys and execute
  drill:
  
- tee trusted-key.key << "EOF"
+ ~ $ tee trusted-key.key << "EOF"
  . IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF 
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX 
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD 
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz 
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS 
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=
  . IN DNSKEY 256 3 8 AwEAAb1gcDhBlH/9MlgUxS0ik2dwY/JiBIpV+EhKZV7LccxNc6Qlj467 
QjHQ3Fgm2i2LE9w6LqPFDSng5qVq1OYFyTBt3DQppqDnAPriTwW5qIQN 
DNFv34yo63sAdBeU4G9tv7dzT5sPyAgmVh5HDCe+6XM2+Iel1+kUKCel 8Icy19hR
  EOF
- 
- drill -S -k trusted-key.key . @a.root-servers.net. soa
+ ~ $ drill -S -k trusted-key.key . @a.root-servers.net. soa
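The key tags that dig and drill print above (19036 for the trusted KSK, 41248 for the ZSK that signed the SOA) can be checked straight from the trust-anchor file, which is worth doing before pointing any validator at a DNSKEY set. This is an added example, not code from the bug report, ldns or BIND: it parses the two root DNSKEYs as pasted in the report, computes their RFC 4034 key tags and RSA modulus sizes, and reports whether a validator that, as an assumed illustration, only knows the SHA-1 algorithms 5 and 7 could use them, which is the condition behind drill's "Unknown cryptographic algorithm".

```python
import base64
import re
# Constructed input: the two root DNSKEY records from the report's trusted-key.key file
# (flags 257 = KSK, 256 = ZSK), with the line breaks and spaces exactly as pasted there.
ROOT_KEYS_2010 = """\
. IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=
. IN DNSKEY 256 3 8 AwEAAb1gcDhBlH/9MlgUxS0ik2dwY/JiBIpV+EhKZV7LccxNc6Qlj467
QjHQ3Fgm2i2LE9w6LqPFDSng5qVq1OYFyTBt3DQppqDnAPriTwW5qIQN
DNFv34yo63sAdBeU4G9tv7dzT5sPyAgmVh5HDCe+6XM2+Iel1+kUKCel 8Icy19hR
"""

# IANA DNSSEC algorithm numbers; 8 (RSA/SHA-256) is what the root zone signs with.
ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512"}
WITHOUT_SHA2 = frozenset({5, 7})  # assumed: a validator built without SHA-2 support

def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (flags|proto|alg|pubkey)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def rsa_modulus_bits(pubkey):
    """Modulus size of an RFC 3110 RSA public key (1- or 3-byte exponent length)."""
    exp_len, off = pubkey[0], 1
    if exp_len == 0:
        exp_len, off = int.from_bytes(pubkey[1:3], "big"), 3
    modulus = pubkey[off + exp_len:]
    return (len(modulus) - 1) * 8 + modulus[0].bit_length()

def describe_keys(text, supported=frozenset(ALGORITHMS)):
    """Parse presentation-format DNSKEYs; validator_ok says whether `supported` can use each."""
    keys = []
    for chunk in filter(str.strip, re.split(r"(?m)^(?=\S+\s+IN\s+DNSKEY\s)", text)):
        tok = chunk.split()
        flags, proto, alg = int(tok[3]), int(tok[4]), int(tok[5])
        pubkey = base64.b64decode("".join(tok[6:]))  # key may wrap or contain spaces
        rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey
        keys.append({"name": tok[0], "tag": key_tag(rdata), "alg": alg,
                     "alg_name": ALGORITHMS.get(alg, "unknown"), "validator_ok": alg in supported,
                     "role": "KSK" if flags & 1 else "ZSK",  # SEP bit marks the KSK
                     "bits": rsa_modulus_bits(pubkey) if alg in ALGORITHMS else None})
    return keys
```

Calling describe_keys(ROOT_KEYS_2010, WITHOUT_SHA2) gives validator_ok False for both keys, which is the situation the report describes: the records parse and the tags match, but the algorithm 8 signatures cannot be checked.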

-- 
enable SHA-2 support for drill / ldns
https://bugs.launchpad.net/bugs/606121

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
