I am trying to validate the DNSSEC signature of a top-level zone using dig.
I do the following:
dig +nocomments +nostats +nocmd +noquestion -t dnskey . > trusted-key.key
dig +topdown +sigchase +trusted-key=./trusted-key.key +multiline com
and get a result like this:
[-------------many lines skipped-------------------------]
yJc8mRckShcYBR6+YkoluzlgyK0M1O45F8NQS2f5GCnk
qQ+w9l2SnDzlTM9Bg2ddUAL75AcZUl51ENbs9SXQqjke
0YEDZM71oOm6CFCGqihI1c0a8xuelrMGF1a/qXjk4bU8
hliQtgTwekgvFz7jtYS3vLbR9Flo61frJQ== )
;; OK a DS valids a DNSKEY in the RRset
;; Now verify that this DNSKEY validates the DNSKEY RRset
;; VERIFYING DNSKEY RRset for com. with DNSKEY:30909: success
;; We are in a Grand Father Problem: See 2.2.1 in RFC 3568
;; ERROR : com. is not a subdomain of: com. FAILED
name.c:2144: REQUIRE(source->length > 0) failed, back trace
#0 0xb72b5ec7 in ??
#1 0xb72b5e03 in ??
#2 0xb76777f0 in ??
#3 0xb77f485b in ??
#4 0xb77f9116 in ??
#5 0xb77f9af0 in ??
#6 0xb77fb7aa in ??
#7 0xb72d7d12 in ??
#8 0xb7291c39 in ??
#9 0xb70ae96e in ??
Aborted
----------------------------------------------------------------------------
dig -v
DiG 9.7.3
There is no section 2.2.1 in RFC 3568, and the com. zone is certainly correct.
(More interesting is that validation of the su zone also does not work, though
nox.su validates fine.)
I did not find any bug tracker to report the problem in, or to check whether it was already reported or fixed
in later versions, so I am reporting it here.
It would also be interesting to know why this happens and how to avoid it, if possible.
PS: see the full output and key file in the attachment.
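Editor's note with an added example (this code is not part of the original post and is not BIND's code). Two things in the post are worth spelling out. First, +sigchase was an optional, compile-time feature of dig and later BIND releases dropped it in favour of delv, which is the supported way to chase a signature chain. Second, the first dig command dumps the whole DNSKEY RRset of the root into trusted-key.key, ZSKs included, and the number dig prints after DNSKEY: (30909 above) is the RFC 4034 key tag of the key it used. The script below parses dig-style DNSKEY output, including the parenthesised wrapping that +multiline produces, computes each key's tag, and keeps only the keys with the SEP bit set (flags 257) for the trust-anchor file, since the ZSKs roll frequently and should not be pinned. The two DNSKEY records it runs on are constructed sample data with invented key material, not the real root keys.

```python
import base64
import re
from typing import List, NamedTuple

# Constructed sample resembling the output of
#   dig +nocomments +nostats +nocmd +noquestion -t dnskey .
# The second record is wrapped the way +multiline prints it.
# The key material is invented; these are NOT the real root DNSKEYs.
SAMPLE_DIG_OUTPUT = """\
.\t172800\tIN\tDNSKEY\t256 3 8 ECAwQFBg
.\t172800\tIN\tDNSKEY\t257 3 8 ( AQID
\t\tBA== )

"""

SEP_FLAG = 0x0001  # Secure Entry Point bit (RFC 4034 s2.1.1); 257 = zone key + SEP


class DnskeyRR(NamedTuple):
    owner: str
    ttl: int
    flags: int
    protocol: int
    algorithm: int
    key: bytes

    @property
    def key_tag(self) -> int:
        """RFC 4034 Appendix B key tag computed over the DNSKEY RDATA."""
        rdata = (self.flags.to_bytes(2, "big")
                 + bytes([self.protocol, self.algorithm]) + self.key)
        ac = 0
        for i, b in enumerate(rdata):
            ac += b << 8 if i % 2 == 0 else b   # even offsets weighted high
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF

    @property
    def is_sep(self) -> bool:
        return bool(self.flags & SEP_FLAG)

    def presentation(self) -> str:
        """Single-line form usable in a dig +trusted-key file."""
        b64 = base64.b64encode(self.key).decode()
        return (f"{self.owner} {self.ttl} IN DNSKEY "
                f"{self.flags} {self.protocol} {self.algorithm} {b64}")


def _join_multiline(text: str) -> List[str]:
    """Fold '( ... )' continuation lines from +multiline into one record each."""
    records, buf = [], ""
    for line in text.splitlines():
        if not line.strip() or line.startswith(";"):
            continue                      # blank or comment line
        buf = f"{buf} {line.strip()}" if buf else line
        if "(" in buf and ")" not in buf:
            continue                      # still inside a wrapped record
        records.append(buf)
        buf = ""
    return records


_RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+DNSKEY\s+(\d+)\s+(\d+)\s+(\d+)\s+(.*)$")


def parse_dnskeys(text: str) -> List[DnskeyRR]:
    keys = []
    for rec in _join_multiline(text):
        m = _RR_RE.match(rec.replace("(", " ").replace(")", " "))
        if not m:
            raise ValueError(f"not a DNSKEY record: {rec!r}")
        owner, ttl, flags, proto, alg, b64 = m.groups()
        key = base64.b64decode("".join(b64.split()))  # drop wrap whitespace
        keys.append(DnskeyRR(owner, int(ttl), int(flags), int(proto), int(alg), key))
    return keys


def trust_anchors(text: str) -> List[DnskeyRR]:
    """Keep only SEP (KSK) keys; ZSKs roll often and must not be pinned."""
    return [k for k in parse_dnskeys(text) if k.is_sep]


def trusted_key_file(text: str) -> str:
    """Content to write to trusted-key.key instead of the raw dig dump."""
    return "\n".join(k.presentation() for k in trust_anchors(text)) + "\n"


if __name__ == "__main__":
    for k in parse_dnskeys(SAMPLE_DIG_OUTPUT):
        role = "KSK/SEP" if k.is_sep else "ZSK"
        print(f"{k.owner} DNSKEY tag {k.key_tag:5d} flags {k.flags} alg {k.algorithm} ({role})")
    print(trusted_key_file(SAMPLE_DIG_OUTPUT), end="")
```

Feed it the real dig output to see which key tag each root key has and to produce a trust-anchor file that contains only the KSK; the tag printed by dig for com. (30909) belongs to a com. key, not to anything in the root trust-anchor file, and the script makes that distinction visible.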