Dig fails to validate signature chains of TLD zones

Nikolay Shaplov n at shaplov.ru
Wed May 30 14:35:56 UTC 2012


I am trying to validate the DNSSEC signature of a top-level zone using dig.

I do the following:

dig +nocomments +nostats +nocmd +noquestion -t dnskey . > trusted-key.key
dig +topdown +sigchase +trusted-key=./trusted-key.key  +multiline com


and get a result like this:
[-------------many lines skipped-------------------------]
                                yJc8mRckShcYBR6+YkoluzlgyK0M1O45F8NQS2f5GCnk
                                qQ+w9l2SnDzlTM9Bg2ddUAL75AcZUl51ENbs9SXQqjke
                                0YEDZM71oOm6CFCGqihI1c0a8xuelrMGF1a/qXjk4bU8
                                hliQtgTwekgvFz7jtYS3vLbR9Flo61frJQ== )

;; OK a DS valids a DNSKEY in the RRset
;; Now verify that this DNSKEY validates the DNSKEY RRset
;; VERIFYING DNSKEY RRset for com. with DNSKEY:30909: success

;; We are in a Grand Father Problem: See 2.2.1 in RFC 3568

;; ERROR : com. is not a subdomain of: com. FAILED

name.c:2144: REQUIRE(source->length > 0) failed, back trace
#0 0xb72b5ec7 in ??
#1 0xb72b5e03 in ??
#2 0xb76777f0 in ??
#3 0xb77f485b in ??
#4 0xb77f9116 in ??
#5 0xb77f9af0 in ??
#6 0xb77fb7aa in ??
#7 0xb72d7d12 in ??
#8 0xb7291c39 in ??
#9 0xb70ae96e in ??
Аварийный останов
----------------------------------------------------------------------------
dig -v
DiG 9.7.3

There is no chapter 2.2.1 in RFC 3568, and the com. zone is correct for sure.

(More interestingly, validation of the su zone also does not work, though nox.su validates fine.)

I did not find any bug tracker to report the problem, or to see if it had already been reported or fixed
in later versions, so I am reporting it here.

It would also be interesting to know why this happens and how to avoid it, if possible.


PS: see the full output and key file in the attachment.
-------------- next part --------------
.			172800	IN	DNSKEY	256 3 8 AwEAAbd0IPTQdvyndWSX6HHcB+JycMl1aCGTHSJUBs/y9S93el05VvXg 1VqSF4vveB9rEuAZ1z8RNWZ9ac+rlaK7PrI5RlCIyKKPbtHbpgQGkwai 8O6BZ4J/ch7DGuhGJfvoECcWjsucs683WFRtmfLx5WNdPxxi30Czt1zP qMWfY6YJ
.			172800	IN	DNSKEY	257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=
-------------- next part --------------
ns name: 199.7.83.42
ns name: 192.5.5.241
ns name: 192.36.148.17
ns name: 192.228.79.201
ns name: 192.203.230.10
ns name: 128.63.2.53
ns name: 128.8.10.90
ns name: 202.12.27.33
ns name: 192.112.36.4
ns name: 192.33.4.12
ns name: 193.0.14.129
ns name: 198.41.0.4
ns name: 192.58.128.30

Launch a query to find a RRset of type A for zone: com with nameservers:
.			518400 IN NS l.root-servers.net.
			518400 IN NS f.root-servers.net.
			518400 IN NS i.root-servers.net.
			518400 IN NS b.root-servers.net.
			518400 IN NS e.root-servers.net.
			518400 IN NS h.root-servers.net.
			518400 IN NS d.root-servers.net.
			518400 IN NS m.root-servers.net.
			518400 IN NS g.root-servers.net.
			518400 IN NS c.root-servers.net.
			518400 IN NS k.root-servers.net.
			518400 IN NS a.root-servers.net.
			518400 IN NS j.root-servers.net.

ns name: 199.7.83.42
ns name: 192.5.5.241
ns name: 192.36.148.17
ns name: 192.228.79.201
ns name: 192.203.230.10
ns name: 128.63.2.53
ns name: 128.8.10.90
ns name: 202.12.27.33
ns name: 192.112.36.4
ns name: 192.33.4.12
ns name: 193.0.14.129
ns name: 198.41.0.4
ns name: 192.58.128.30

Launch a query to find a RRset of type A for zone: com with nameservers:
.			518400 IN NS l.root-servers.net.
			518400 IN NS f.root-servers.net.
			518400 IN NS i.root-servers.net.
			518400 IN NS b.root-servers.net.
			518400 IN NS e.root-servers.net.
			518400 IN NS h.root-servers.net.
			518400 IN NS d.root-servers.net.
			518400 IN NS m.root-servers.net.
			518400 IN NS g.root-servers.net.
			518400 IN NS c.root-servers.net.
			518400 IN NS k.root-servers.net.
			518400 IN NS a.root-servers.net.
			518400 IN NS j.root-servers.net.

no response but there is a delegation in authority section:com.


Launch a query to find a RRset of type DNSKEY for zone: .

;; DNSKEYset:
.			172800 IN DNSKEY 256 3 8 (
				AwEAAbd0IPTQdvyndWSX6HHcB+JycMl1aCGTHSJUBs/y
				9S93el05VvXg1VqSF4vveB9rEuAZ1z8RNWZ9ac+rlaK7
				PrI5RlCIyKKPbtHbpgQGkwai8O6BZ4J/ch7DGuhGJfvo
				ECcWjsucs683WFRtmfLx5WNdPxxi30Czt1zPqMWfY6YJ
				) ; key id = 56158
			172800 IN DNSKEY 257 3 8 (
				AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQ
				bSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh
				/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWA
				JQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXp
				oY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3
				LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGO
				Yl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGc
				LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
				) ; key id = 19036


;; RRSIG of the DNSKEYset:
.			172800 IN RRSIG	DNSKEY 8 0 172800 20120604235959 (
				20120521000000 19036 .
				LP2CgKbbu8mfRaAwP9CZAVtPG/SOG2ByRV7bPz2mKgOk
				je62rlagOujXsxXIjS4dU6QM/D5ysj6ayKFiyu1zKeTF
				YzdAvvHfvSPLY5y/6KOEcxnmpVWSNzInkkHzjmk2OL3F
				qx3iTSMJ2EoS+tikW2Btyup+7OJd5OoZTUVLIUdoT0jL
				yWleu2ErEzKLKku7JA7PG1uOq35aTGb6Mfv7F6erU8E5
				Uso9yCX2QXuMPM6v6je4FhORI3nS1E/Hyj+dZhxbO/sq
				ZXmVncxP9WuQDQYQj3fsnkoKZZjaiZz24/CaiPscnWB2
				/bBmgPiRhvbLYPsyWR36roavkCCc46xI5Q== )

;; Ok, find a Trusted Key in the DNSKEY RRset: 56158
;; Ok, find a Trusted Key in the DNSKEY RRset: 56158
;; Ok, find a Trusted Key in the DNSKEY RRset: 19036
;; VERIFYING DNSKEY RRset for . with DNSKEY:19036: success

;; DSset:
com.			86400 IN DS 30909 8 2 (
				E2D3C916F6DEEAC73294E8268FB5885044A833FC5459
				588F4A9184CFC41A5766 )


;; RRSIGset of DSset
com.			86400 IN RRSIG DS 8 1 86400 20120606000000 (
				20120529230000 56158 .
				pLO3znsHaDAlQmtpRts2njwmDU0kGqRNub7YMnFcxj8Z
				OHOLR2YI3PYlThpqJCw4Ma7qPYUgyZSfJ8KIlYGuwc8T
				UsqRvBkC2/AbdYrU33rBhDM2AMfFei4uS/iy1w9Xx239
				xI+A7cOVz1Ktd2If69u0G2Y10rvdhp79t3oQmVI= )

;; VERIFYING DS RRset for com. with DNSKEY:56158: success
ns name: 192.5.6.30
ns name: 192.33.14.30
ns name: 192.26.92.30
ns name: 192.31.80.30
ns name: 192.12.94.30
ns name: 192.35.51.30
ns name: 192.42.93.30
ns name: 192.54.112.30
ns name: 192.43.172.30
ns name: 192.48.79.30
ns name: 192.52.178.30
ns name: 192.41.162.30
ns name: 192.55.83.30

Launch a query to find a RRset of type A for zone: com with nameservers:
com.			172800 IN NS a.gtld-servers.net.
			172800 IN NS b.gtld-servers.net.
			172800 IN NS c.gtld-servers.net.
			172800 IN NS d.gtld-servers.net.
			172800 IN NS e.gtld-servers.net.
			172800 IN NS f.gtld-servers.net.
			172800 IN NS g.gtld-servers.net.
			172800 IN NS h.gtld-servers.net.
			172800 IN NS i.gtld-servers.net.
			172800 IN NS j.gtld-servers.net.
			172800 IN NS k.gtld-servers.net.
			172800 IN NS l.gtld-servers.net.
			172800 IN NS m.gtld-servers.net.

no response and no delegation in authority section but a reference to: com.


Launch a query to find a RRset of type DNSKEY for zone: com.

;; DNSKEYset:
com.			86400 IN DNSKEY	257 3 8 (
				AQPDzldNmMvZFX4NcNJ0uEnKDg7tmv/F3MyQR0lpBmVc
				NcsIszxNFxsBfKNW9JYCYqpik8366LE7VbIcNRzfp2h9
				OO8HRl+H+E08zauK8k7evWEmu/6od+2boggPoiEfGNyv
				NPaSI7FOIroDsnw/taggzHRX1Z7SOiOiPWPNIwSUyWOZ
				79VmcQ1GLkC6NlYvG3HwYmynQv6oFwGv/KELSw7ZSdrb
				TQ0HXvZbqMUI7BaMskmvgm1G7oKZ1YiF7O9ioVNc0+7A
				SbqmZN7Z98EGU/Qh2K/BgUe8Hs0XVcdPKrtyYnoQHd2y
				nKPcMMlTEih2/2HDHjRPJ2aywIpKNnv4oPo/
				) ; key id = 30909
			86400 IN DNSKEY	256 3 8 (
				AQPUUK4LKCZsgEBUtsyaEumPVzVsbLLlZya4qpCAd4DU
				wtaRW7f0LfxKX7OvCyh2hkZBkdB1mxh/itqDxFWbIGUm
				luKpaaXoDDL+uQlzUUki+AttgfbV6YLXHGuCnqmHDTWo
				Og4pW2Uh2CGlfHhkhNCIOJxgq7XTCD34/z/q5+17dw==
				) ; key id = 23339


;; RRSIG of the DNSKEYset:
com.			86400 IN RRSIG DNSKEY 8 1 86400 20120602182533 (
				20120526182033 30909 com.
				RAPZxbur9p2g0dMUE8rMNffi5PA+mUZ9W8kP83vQSUzn
				AYdTjDHsRtZUZRYg/I6RHr9Z5TUiWQdvTYQfFwxnlif6
				uoVATysUWa2EWjLVfPeqCrrT3aEb28odlEplJeDSY6p9
				apl+GJcAK9dLIvllZJlU1foag/ljyVwIEAToHcINr+ZS
				yJc8mRckShcYBR6+YkoluzlgyK0M1O45F8NQS2f5GCnk
				qQ+w9l2SnDzlTM9Bg2ddUAL75AcZUl51ENbs9SXQqjke
				0YEDZM71oOm6CFCGqihI1c0a8xuelrMGF1a/qXjk4bU8
				hliQtgTwekgvFz7jtYS3vLbR9Flo61frJQ== )

;; OK a DS valids a DNSKEY in the RRset
;; Now verify that this DNSKEY validates the DNSKEY RRset
;; VERIFYING DNSKEY RRset for com. with DNSKEY:30909: success

;; We are in a Grand Father Problem: See 2.2.1 in RFC 3568

;; ERROR : com. is not a subdomain of: com. FAILED

name.c:2144: REQUIRE(source->length > 0) failed, back trace
#0 0xb7313ec7 in ??
#1 0xb7313e03 in ??
#2 0xb76d57f0 in ??
#3 0xb785285b in ??
#4 0xb7857116 in ??
#5 0xb7857af0 in ??
#6 0xb78597aa in ??
#7 0xb7335d12 in ??
#8 0xb72efc39 in ??
#9 0xb710c96e in ??
Аварийный останов
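The link that dig reports as "a DS valids a DNSKEY in the RRset" (the root's DS record for com. against the com. KSK with key id 30909) can be checked independently of dig. The following is an added example, not code from the original post or from BIND: it computes the RFC 4034 key tag and DS digest for a DNSKEY and compares them with a DS record. The sample key is constructed (not a real key) so the tag can be verified by hand; a practitioner can substitute the DNSKEY 257 and DS records from the attached output.

```python
import base64
import hashlib
import struct

# Wire-format encoding of an owner name, e.g. "com." -> b"\x03com\x00".
def name_to_wire(name):
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(struct.pack("B", len(l)) + l.encode("ascii") for l in labels) + b"\x00"

# Turn the presentation-format DNSKEY fields ("flags proto alg base64...") into
# wire-format RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw key bytes.
def dnskey_rdata(flags, protocol, algorithm, key_b64):
    key = base64.b64decode("".join(key_b64.split()))
    return struct.pack("!HBB", flags, protocol, algorithm) + key

# Key tag per RFC 4034 Appendix B (valid for algorithms other than 1): this is the
# "key id" dig prints and the first field of a DS record (e.g. "DS 30909 8 2 ...").
def key_tag(rdata):
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

# DS digest per RFC 4034 section 5.1.4: hash over owner name (wire form) + DNSKEY RDATA.
# Digest type 2 = SHA-256, the type used by the com. DS record in the output above.
def ds_digest(owner, rdata, digest_type=2):
    h = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return h(name_to_wire(owner) + rdata).hexdigest().upper()

# The parent's DS matches the child's DNSKEY only if tag, algorithm and digest all agree.
def ds_matches_dnskey(owner, ds_tag, ds_alg, ds_digest_type, ds_hex, rdata):
    return (key_tag(rdata) == ds_tag
            and rdata[3] == ds_alg
            and ds_digest(owner, rdata, ds_digest_type) == ds_hex.replace(" ", "").upper())

# Constructed sample (not a real key): a 3-byte "public key" so the tag is checkable by hand:
# RDATA = 01 00 03 08 01 02 03 -> tag 2058.
SAMPLE_RDATA = dnskey_rdata(256, 3, 8, "AQID")
SAMPLE_DS_HEX = ds_digest("com.", SAMPLE_RDATA)

if __name__ == "__main__":
    print("key tag:", key_tag(SAMPLE_RDATA))
    print("DS:", key_tag(SAMPLE_RDATA), 8, 2, SAMPLE_DS_HEX)
    print("match:", ds_matches_dnskey("com.", 2058, 8, 2, SAMPLE_DS_HEX, SAMPLE_RDATA))
```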

