
Dig fails to validate signature chains of TLD zones


Nikolay Shaplov

May 30, 2012, 10:35:56 AM5/30/12
to bind-...@lists.isc.org

I am trying to validate DNSSEC signature of top level zone using dig.

I do the following:

dig +nocomments +nostats +nocmd +noquestion -t dnskey . > trusted-key.key
dig +topdown +sigchase +trusted-key=./trusted-key.key +multiline com


and get the result like this:
[-------------many line skipped-------------------------]
yJc8mRckShcYBR6+YkoluzlgyK0M1O45F8NQS2f5GCnk
qQ+w9l2SnDzlTM9Bg2ddUAL75AcZUl51ENbs9SXQqjke
0YEDZM71oOm6CFCGqihI1c0a8xuelrMGF1a/qXjk4bU8
hliQtgTwekgvFz7jtYS3vLbR9Flo61frJQ== )

;; OK a DS valids a DNSKEY in the RRset
;; Now verify that this DNSKEY validates the DNSKEY RRset
;; VERIFYING DNSKEY RRset for com. with DNSKEY:30909: success

;; We are in a Grand Father Problem: See 2.2.1 in RFC 3568

;; ERROR : com. is not a subdomain of: com. FAILED

name.c:2144: REQUIRE(source->length > 0) failed, back trace
#0 0xb72b5ec7 in ??
#1 0xb72b5e03 in ??
#2 0xb76777f0 in ??
#3 0xb77f485b in ??
#4 0xb77f9116 in ??
#5 0xb77f9af0 in ??
#6 0xb77fb7aa in ??
#7 0xb72d7d12 in ??
#8 0xb7291c39 in ??
#9 0xb70ae96e in ??
Аварийный останов
----------------------------------------------------------------------------
dig -v
DiG 9.7.3

There is no chapter 2.2.1 in RFC 3568, and the com. zone is correct for sure.

(More interestingly, validation of the su zone also does not work, though nox.su validates well.)

I did not find any bug tracker to report the problem in, or to see whether it was already reported or fixed
in later versions, so I am reporting it here.

Also, it might be interesting to know why it happens and how to avoid it, if possible.


PS: see the full output and key file in the attachment.
trusted-key.key
out
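Added example, not part of the thread: the first dig command above pulls the root DNSKEY RRset over plain, unvalidated DNS and then uses it as the trust anchor, so a sensible check before trusting that file is to compute the key tag (RFC 4034 Appendix B) and SHA-256 DS digest (RFC 4509) of the KSK it contains and compare them with the published root trust anchor. The script below does that for the single-line DNSKEY format the first command writes; the DNSKEY lines it parses are constructed sample data with made-up key material, not real root keys.

```python
import base64
import hashlib
import struct

# Constructed sample in the presentation format "dig -t dnskey ." writes:
# one KSK (flags 257, SEP bit set) and one ZSK (flags 256). Key material is made up.
SAMPLE_DNSKEY_OUTPUT = """\
.\t172800\tIN\tDNSKEY\t257 3 8 AwEAAQ==
.\t172800\tIN\tDNSKEY\t256 3 8 AwEAAQ==
"""

def parse_dnskey_lines(text):
    """Parse DNSKEY RRs (owner ttl IN DNSKEY flags proto alg key...) from dig output."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8 or f[3] != "DNSKEY":   # skips blank lines, RRSIGs, comments
            continue
        records.append({"owner": f[0], "flags": int(f[4]), "protocol": int(f[5]),
                        "algorithm": int(f[6]), "key": base64.b64decode("".join(f[7:]))})
    return records

def dnskey_rdata(rec):
    """Wire-format RDATA: flags (2 bytes), protocol (1), algorithm (1), public key."""
    return struct.pack("!HBB", rec["flags"], rec["protocol"], rec["algorithm"]) + rec["key"]

def key_tag(rdata):
    """RFC 4034 Appendix B key tag (valid for all algorithms except obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def wire_name(name):
    """Canonical (lowercase) wire form of an owner name; '.' becomes the single root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_sha256(rec):
    """DS digest type 2 (RFC 4509): SHA-256 over owner wire name followed by DNSKEY RDATA."""
    return hashlib.sha256(wire_name(rec["owner"]) + dnskey_rdata(rec)).hexdigest().upper()

def ksk_ds_records(text):
    """(key_tag, algorithm, digest) for each KSK in the output, ready to compare with a published DS."""
    return [(key_tag(dnskey_rdata(r)), r["algorithm"], ds_sha256(r))
            for r in parse_dnskey_lines(text) if r["flags"] & 1]

if __name__ == "__main__":
    for tag, alg, digest in ksk_ds_records(SAMPLE_DNSKEY_OUTPUT):
        print(f". IN DS {tag} {alg} 2 {digest}")
```

Feed it the real trusted-key.key instead of the sample and compare the printed DS line against the root trust anchor published by IANA; a mismatch means the fetched file should not be used as +trusted-key.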

Evan Hunt

May 30, 2012, 12:13:36 PM5/30/12
to Nikolay Shaplov, bind-...@lists.isc.org
On Wed, May 30, 2012 at 06:35:56PM +0400, Nikolay Shaplov wrote:
> I am trying to validate DNSSEC signature of top level zone using dig.

"dig +sigchase" is known to have serious flaws (that's why it's not
compiled in to BIND 9 by default). Our long-term plan has been to rewrite
it completely. So far other work has always had higher priority, so it
hasn't happened yet, but it will.

In the meantime (much as it pains me to admit to having been outclassed :)),
the best command-line tool I'm aware of for validating signatures is
"drill", which ships as part of Unbound (http://nlnetlabs.nl).

--
Evan Hunt -- ea...@isc.org
Internet Systems Consortium, Inc.