Question regarding delv and custom local trust anchor

Josh Kuo josh.kuo at gmail.com
Thu Jun 8 13:54:15 UTC 2023


Hello,
I am trying to use delv (version 19.8.2 on Ubuntu 0.22.04) to troubleshoot
using a custom trust anchor. However, I am getting very strange results
from delv. The short of it is, I must point delv at another validating
resolver (such as @8.8.8.8) for the custom trust anchors (-a) to work.

First, I use the correct trust anchor (right.key), I query twice, with and
without @8.8.8.8:

$ cat right.key
trust-anchors {
    . initial-key 257 3 8
"AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN R1AkUTV74bU=";
};


$ delv -a right.key www.example.com. A
;; broken trust chain resolving 'www.example.com/A/IN': 127.0.0.53#53
;; resolution failed: broken trust chain


$ delv -a right.key www.example.com. A @8.8.8.8
; fully validated
www.example.com. 10545 IN A 93.184.216.34
www.example.com. 10545 IN RRSIG A 13 3 86400 20230626193619 20230605194008 44029 example.com. grjd2rY82fZuYxz3laDCQKu2ZbcOmy4/eApedHRVFsMGOGwmLJ3FU08D2dr4BWtpVm12HAgyt0euyGCcQLDErg==

Then, I tested it with a purposely misconfigured key. Again, two queries,
with and without @8.8.8.8:

$ cat wrong.key
trust-anchors {
    . initial-key 257 3 8
"AwEAAcxpNx7yHa+8KpYjdi8wPJw8cXusWGo2deQsPANOJFDhF4Dx2NTrEjvIDMGymLpXLSj7PpAzbhBwcKMQ/WEUprTl7Dfn26HYXFl3K0U4AahZO99seYkQao82n21VkfjguSv1SXmzerrwsGXP91CncXJ7Apz8wieJDLe3u4gA/DkqvjeCtE+sf+DcSqalnKgY6TWmKFX0VPPL2W3TXwLHyfVh5AWV2mGpugJ4YUoqtmDgXwOjUvkZDxQFsliE/iYc1S9tYVD40fbfL3l8vRXoVfListNNQBKh7oDXpPKEXgOn5kl8V05hcG1LAbB0jtOtPdgs+BJ+3WN0o2q+PSo9QVE=";
};


$ delv -a wrong.key www.example.com. A
;; broken trust chain resolving 'www.example.com/A/IN': 127.0.0.53#53
;; resolution failed: broken trust chain


$ delv -a wrong.key www.example.com. A @8.8.8.8
;; validating ./DNSKEY: no valid signature found (DS)
;; no valid RRSIG resolving './DNSKEY/IN': 8.8.8.8#53
;; broken trust chain resolving 'com/DS/IN': 8.8.8.8#53
;; broken trust chain resolving 'com/DNSKEY/IN': 8.8.8.8#53
;; broken trust chain resolving 'example.com/DS/IN': 8.8.8.8#53
;; broken trust chain resolving 'example.com/DNSKEY/IN': 8.8.8.8#53
;; broken trust chain resolving 'www.example.com/A/IN': 8.8.8.8#53
;; resolution failed: broken trust chain

This has me scratching my head... I know delv is capable of acting as a
validating resolver. And I want it to. What am I doing wrong? What other
information can I provide? +vtrace?

A note about why I am doing this seemingly pointless exercise: Back in
2018/2019 during the first root key rollover, several others experienced
the issue where the trust anchor on their validating resolver(s) did not
change, resulting in SERVFAIL. Not everyone has access to the validating
resolver's configuration, in fact, some of them had to prove to their ISP
or whoever is running the validating resolver that it's the trust anchor
that needs to be updated. This is an exercise that I am planning to teach
others, so when/if this happens again the next time the root key rolls,
they know how to use delv to produce evidence to show their DNS
administrators to update the trust anchor.

Thanks in advance.

-Josh
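The exercise above hinges on being able to show that the trust anchor a resolver is configured with is, or is not, the currently published root KSK. The following script is an added example, not part of Josh's post or of BIND itself: it parses a BIND `trust-anchors { ... }` statement such as right.key, computes the DNSKEY key tag (RFC 4034 Appendix B) and the SHA-256 DS digest (RFC 4509) of each anchor, and compares the root anchor against the key tag and digest IANA publishes for KSK-2017. The published values are taken from IANA's root-anchors.xml and are not on the page; re-check them at https://data.iana.org/root-anchors/ before relying on them. The sample input is the right.key shown in the post, reproduced with its line wrapping so the parser has to cope with it; running the same function over wrong.key yields a different key tag and digest, which is exactly the evidence one would hand to a resolver operator.

```python
import base64
import hashlib
import re
from dataclasses import dataclass

# Constructed input: the trust-anchors statement from right.key in the post
# (the base64 is the root KSK-2017 public key, wrapped as the post shows it).
RIGHT_KEY = """trust-anchors {
    . initial-key 257 3 8
"AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN R1AkUTV74bU=";
};
"""

# Assumed reference values: key tag and SHA-256 DS digest of KSK-2017 as listed in
# IANA's root-anchors.xml (not from the post); verify against data.iana.org before use.
IANA_ROOT_KSK_2017 = (20326, "E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D")

# One '<name> initial-key|static-key <flags> <proto> <alg> "<base64>"' entry;
# [^"]* also spans newlines, so a key wrapped across lines is captured whole.
ANCHOR_RE = re.compile(
    r'(?P<name>"[^"]*"|\S+)\s+(?P<kind>initial-key|static-key)\s+'
    r'(?P<flags>\d+)\s+(?P<proto>\d+)\s+(?P<alg>\d+)\s+"(?P<b64>[^"]*)"'
)


def name_to_wire(name: str) -> bytes:
    """Owner name in DNS wire format (RFC 1035); the root is a single zero byte."""
    name = name.strip('"')
    if name in (".", ""):
        return b"\x00"
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


@dataclass
class TrustAnchor:
    name: str
    kind: str
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    def rdata(self) -> bytes:
        """DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), public key."""
        return self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.public_key

    def key_tag(self) -> int:
        """Key tag per RFC 4034 Appendix B (the number dig/delv print for DNSKEY and DS)."""
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF

    def ds_sha256(self) -> str:
        """DS digest type 2: SHA-256 over owner name (wire form) || DNSKEY RDATA (RFC 4509)."""
        return hashlib.sha256(name_to_wire(self.name) + self.rdata()).hexdigest().upper()


def parse_trust_anchors(text: str) -> list:
    """Extract every initial-key/static-key anchor from a BIND trust-anchors statement."""
    anchors = []
    for m in ANCHOR_RE.finditer(text):
        b64 = re.sub(r"\s+", "", m.group("b64"))  # join wrapped lines, drop stray spaces
        anchors.append(TrustAnchor(
            name=m.group("name").strip('"'),
            kind=m.group("kind"),
            flags=int(m.group("flags")),
            protocol=int(m.group("proto")),
            algorithm=int(m.group("alg")),
            public_key=base64.b64decode(b64),
        ))
    return anchors


def matches_published_root(anchor: TrustAnchor, published=IANA_ROOT_KSK_2017) -> bool:
    """True when a root ('.') anchor has the published key tag and SHA-256 DS digest."""
    tag, digest = published
    return anchor.name == "." and anchor.key_tag() == tag and anchor.ds_sha256() == digest


if __name__ == "__main__":
    for a in parse_trust_anchors(RIGHT_KEY):
        print(f"{a.name} {a.kind} flags={a.flags} alg={a.algorithm} tag={a.key_tag()} "
              f"DS(2)={a.ds_sha256()} matches IANA KSK-2017: {matches_published_root(a)}")
```

Comparing the computed key tag and digest with the DS digest IANA publishes is a stronger check than eyeballing the base64, and the key tag is the same number that appears in `dig . DNSKEY +multi` output, so the two views can be lined up directly.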