dig +sigchase looping

Evan Hunt each at isc.org
Wed Feb 26 01:51:15 UTC 2014


On Tue, Feb 25, 2014 at 08:57:08AM +1100, Mark Andrews wrote:
> SIGCHASE is a external contribution that is provide "as is" to dig.
> The reason that you have to explicitly define it is that ISC hasn't
> fully gone through the code to find bugs like this in it and it
> basically needs a full re-write.  That said it does mostly work and
> is better than nothing.

...but it might not be better than the new "delve" tool (backronym:
"domain entity lookup and validation engine"), which shipped today in
BIND 9.10.0b1.

Delve has command line semantics similar to dig, but uses the same
resolver and validator logic that named does, to perform a DNS lookup
and validate it.  The +vtrace option turns on validator logging, +rtrace
reports each record fetched, and +mtrace prints all messages exchanged
with the name server in full.

It does *not* (or anyway not yet) do full iterative resolution from the
root, but it will send all the needed queries to the local name server
to resolve and validate a name, including following CNAMEs and fetching
DNSKEY and DS records to establish a chain of trust.

My hope is that people will find they don't need dig +sigchase anymore,
and we can deprecate it in a future release. If you have a use case for
dig +sigchase that delve doesn't accommodate, please let me know so I
can try to address it.

Examples:

  Valid signed response:

    $ delve aaaa isc.org
    ; fully validated
    isc.org.                60      IN      AAAA    2001:4f8:0:2::69
    isc.org.                60      IN      RRSIG   AAAA 5 2 60 20140326233255
    20140224233255 4521 isc.org.
    DP8IFXWtADmptzScrFj+Pt425PX/cfpGiNnzjIZtoMfI5ueq1sFfV0UX
    PwGPD1PGbrUj/s/w9uh7XgfNpFr8xZujb4JwN+1xOeWcA+58oRIlTjoV
    OqVdLa9i/eMyl8sj0wMfy76Olasa1RfbzJJmY1Sp90uImfNrzd136hw0 Hac=
    isc.org.                60      IN      RRSIG   AAAA 5 2 60 20140326233255
    20140224233255 50012 isc.org.
    ibMtXAh67O7kbq3+bTkJt/sO8q1rmQBfRgvSLK0Dx8GcryfIBS6VshFn
    qirzgRVmenlITdf9KFWA2qPT6Tfh+4XQFFfwxiNhs5Pi1XlK0oft1LVc
    shyHJdMAa+Ap2VGg61Sch3ckUjUXjNqIf4IhRGXrRRsU/dalkBJk4YCk Thk=

  Legitimate unsigned response:

    $ delve unsigned.com
    ; unsigned answer
    unsigned.com.           87600   IN      A       204.14.120.250

  Valid NXDOMAIN from a signed zone:

    $ delve nonexistent.example.org
    ;; resolution failed: ncache nxdomain
    ; negative response, fully validated
    ; nonexistent.example.org. 3600 IN      \-ANY   ;-$NXDOMAIN
    ; example.org. SOA sns.dns.icann.org. noc.dns.icann.org. 2013103114 7200
    3600 1209600 3600
    ; example.org. RRSIG SOA ...
    ; example.org. RRSIG NSEC ...
    ; example.org. NSEC www.example.org. A NS SOA TXT AAAA RRSIG NSEC DNSKEY

  Invalid response:

    $ delve www.dnssec-failed.org
    ;; validating dnssec-failed.org/DNSKEY: no valid signature found (DS)
    ;; no valid RRSIG resolving 'dnssec-failed.org/DNSKEY/IN': 127.0.1.1#53
    ;; broken trust chain resolving 'www.dnssec-failed.org/A/IN': 127.0.1.1#53
    ;; resolution failed: broken trust chain

-- 
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
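The four outcomes shown in the message above (fully validated, unsigned, validated NXDOMAIN, broken trust chain) are signalled by the comment lines delve prints rather than by structured output. The following parser is an added example, not part of the original post and not ISC's own code: it turns those status and diagnostic lines into a small set of states a monitoring job can act on, and reassembles wrapped RRSIG lines into one record. The sample outputs are constructed from the examples in the post; the state names and the DelveResult type are this example's own.

```python
"""Classify the DNSSEC validation outcome reported by delve (BIND 9.10+).

Added example, not ISC code. It relies only on the comment lines shown in
the post: "; fully validated", "; unsigned answer",
"; negative response, fully validated" and ";; resolution failed: ...".
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# State names are this example's own, not delve's vocabulary.
SECURE, INSECURE, BOGUS, NXDOMAIN, FAILED, UNKNOWN = (
    "secure", "insecure", "bogus", "nxdomain", "failed", "unknown")


@dataclass
class DelveResult:
    state: str = UNKNOWN
    failure: Optional[str] = None            # text after ";; resolution failed: "
    diagnostics: List[str] = field(default_factory=list)  # all ";;" lines
    records: List[str] = field(default_factory=list)      # answer RRs, unwrapped


_FAILED_RE = re.compile(r"^;; resolution failed: (.+?)\s*$")
# Start of a record in presentation format: owner name, TTL, class, type.
_RECORD_RE = re.compile(r"^\S+\.\s+\d+\s+IN\s+\S+")


def parse_delve_output(text: str) -> DelveResult:
    res = DelveResult()
    status = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _FAILED_RE.match(line)
        if m:
            res.failure = m.group(1)
            res.diagnostics.append(line)
        elif line.startswith(";;"):
            res.diagnostics.append(line)          # validator/resolver diagnostics
        elif line.startswith(";"):
            # Single-';' lines: the status line comes first; later ones are the
            # SOA/NSEC records backing a negative answer, which we do not need.
            if status is None:
                status = line[1:].strip()
        elif _RECORD_RE.match(line):
            res.records.append(line)
        elif res.records:
            # Continuation of a wrapped RRSIG/DNSKEY line: glue it to the record.
            res.records[-1] += " " + line

    if status is not None and "negative response" in status and "validated" in status:
        res.state = NXDOMAIN
    elif status == "fully validated":
        res.state = SECURE
    elif status == "unsigned answer":
        res.state = INSECURE
    elif res.failure and "trust chain" in res.failure:
        res.state = BOGUS
    elif res.failure:
        res.state = FAILED
    return res


def rrtypes(res: DelveResult) -> List[str]:
    """RR types of the answer records, in order (e.g. ['AAAA', 'RRSIG', 'RRSIG'])."""
    return [r.split()[3] for r in res.records]


# Constructed samples, taken from the examples in the post.
SAMPLE_SECURE = """
; fully validated
isc.org.                60      IN      AAAA    2001:4f8:0:2::69
isc.org.                60      IN      RRSIG   AAAA 5 2 60 20140326233255
20140224233255 4521 isc.org.
DP8IFXWtADmptzScrFj+Pt425PX/cfpGiNnzjIZtoMfI5ueq1sFfV0UX
PwGPD1PGbrUj/s/w9uh7XgfNpFr8xZujb4JwN+1xOeWcA+58oRIlTjoV
OqVdLa9i/eMyl8sj0wMfy76Olasa1RfbzJJmY1Sp90uImfNrzd136hw0 Hac=
isc.org.                60      IN      RRSIG   AAAA 5 2 60 20140326233255
20140224233255 50012 isc.org.
ibMtXAh67O7kbq3+bTkJt/sO8q1rmQBfRgvSLK0Dx8GcryfIBS6VshFn
qirzgRVmenlITdf9KFWA2qPT6Tfh+4XQFFfwxiNhs5Pi1XlK0oft1LVc
shyHJdMAa+Ap2VGg61Sch3ckUjUXjNqIf4IhRGXrRRsU/dalkBJk4YCk Thk=
"""
SAMPLE_INSECURE = """
; unsigned answer
unsigned.com.           87600   IN      A       204.14.120.250
"""
SAMPLE_NXDOMAIN = """
;; resolution failed: ncache nxdomain
; negative response, fully validated
; nonexistent.example.org. 3600 IN      \\-ANY   ;-$NXDOMAIN
; example.org. SOA sns.dns.icann.org. noc.dns.icann.org. 2013103114 7200
3600 1209600 3600
; example.org. RRSIG SOA ...
; example.org. RRSIG NSEC ...
; example.org. NSEC www.example.org. A NS SOA TXT AAAA RRSIG NSEC DNSKEY
"""
SAMPLE_BOGUS = """
;; validating dnssec-failed.org/DNSKEY: no valid signature found (DS)
;; no valid RRSIG resolving 'dnssec-failed.org/DNSKEY/IN': 127.0.1.1#53
;; broken trust chain resolving 'www.dnssec-failed.org/A/IN': 127.0.1.1#53
;; resolution failed: broken trust chain
"""

if __name__ == "__main__":
    for name, sample in [("secure", SAMPLE_SECURE), ("insecure", SAMPLE_INSECURE),
                         ("nxdomain", SAMPLE_NXDOMAIN), ("bogus", SAMPLE_BOGUS)]:
        r = parse_delve_output(sample)
        print(f"{name:9s} -> state={r.state} failure={r.failure!r} types={rrtypes(r)}")
```

In a monitoring job the text would come from `subprocess.run(["delve", "aaaa", "isc.org"], capture_output=True, text=True).stdout`; a `bogus` state on a name that was `secure` yesterday is the condition worth alerting on, while `insecure` is normal for zones that are simply not signed.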

