[dns-operations] ISC DLV broken?
Geoffrey Sisson
geoff at geoff.co.uk
Sun Apr 5 06:36:17 UTC 2009
I wrote:
> It appears as if the RRSIG RRset returned by the DLV nameservers for
> "dlv.isc.org" is missing the RRSIG for the KSK, so validation for
> dlv.isc.org is failing. It _does_ contain the RRSIG for the ZSK (key
> id 64263).
Example:
------------------------ Begin included text ------------------------
$ dig +norec +m +dn @sfba.sns-pb.isc.org. dlv.isc.org. dnskey
; <<>> DiG 9.6.0-P1 <<>> +norec +m +dn @sfba.sns-pb.isc.org. dlv.isc.org. dnskey
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54225
;; flags: qr aa; QUERY: 1, ANSWER: 4, AUTHORITY: 4, ADDITIONAL: 9
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;dlv.isc.org. IN DNSKEY
;; ANSWER SECTION:
dlv.isc.org. 7200 IN DNSKEY 257 3 5 (
BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn
4MxDCE1+lLy2brhQv5rN32RKtMzX6Mj70jdzeND4XknW
58dnJNPCxn8+jAGl2FZLK8t+1uq4W+nnA3qO2+DL+k6B
D4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5ymX4BI/o
Q+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte
/URkY62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw
/mRx/vwwMCTgNboMQKtUdvNXDrYJDSHZws3xiRXF1Rf+
al9UmZfSav/4NWLKjHzpT59k/VStTDN0YUuWrBNh
) ; key id = 19297
dlv.isc.org. 7200 IN DNSKEY 256 3 5 (
BEAAAAOlYGw53D+f01yCL5JsP0SB6EjYrnd0JYRBooAa
GPT+Q0kpiN+7GviFh+nIazoB8e2Yv7mupgqkmIjObdcb
GstYpUltdECdNpNmBvASKB9SBdtGeRvXXpORi3Qyxb9k
HGG7SpzyYbc+KDVKnzYHB94pvqu3ZZpPFPBFtCibp/mk
hw==
) ; key id = 64263
dlv.isc.org. 7200 IN DNSKEY 256 3 5 (
BEAAAAPGBAwVFzuE6r0zjxHMug8if94gouJXT4xnKqOt
BRNJ9KmIvHVh97hn5VN2T9z0SZ3Y2nPxTyksoX+X7L62
QveGvHzHSEuo8iYq6INevwFTX1beCj/dhk9ZfEYkleoB
4NUlHcam7juJWncRi/Vz/BpF2ec9fLqaAaP15AojoIoa
Aw==
) ; key id = 49899
dlv.isc.org. 7200 IN RRSIG DNSKEY 5 3 7200 20090505042033 (
20090405042033 64263 dlv.isc.org.
ViunsXnrSvOBbIRbVg9Kdo+WQ3rB0lwvDpn30UXqne9u
996x+h226sUglk59THY/xzPwLoEEATz6dEE6Fud3T0Is
0EgVrq67DVcoL48Ub6M5eJi8roAqzIR4F5A+JXDbDLIS
aKoz/UUwHNXGqvlg4Z7DxsrJO+JCgUZIsvz80cw= )
;; AUTHORITY SECTION:
dlv.isc.org. 3600 IN NS ams.sns-pb.isc.org.
dlv.isc.org. 3600 IN NS sfba.sns-pb.isc.org.
dlv.isc.org. 3600 IN NS ord.sns-pb.isc.org.
dlv.isc.org. 3600 IN RRSIG NS 5 3 3600 20090505042033 (
20090405042033 64263 dlv.isc.org.
RdtztBfZG4ABlWZ6Bw+0oJJ/zmqCGGDWgqCVf/86Gjg+
KQ/U7aSGKkKvbeB7SjJ8AFjy5ha1JbZ/0attYUYMZoiy
yRdpT3QMMfam8c94ROlhVZNSvIQb90+3c/jBaL/UYwxI
GIvxPyrKRDuGSVoyWbmdueg8W0RuSKIpWlWqkz4= )
;; ADDITIONAL SECTION:
ams.sns-pb.isc.org. 43200 IN A 199.6.1.30
ord.sns-pb.isc.org. 43200 IN A 199.6.0.30
sfba.sns-pb.isc.org. 43200 IN A 149.20.64.3
sfba.sns-pb.isc.org. 43200 IN AAAA 2001:4f8:0:2::19
ams.sns-pb.isc.org. 43200 IN RRSIG A 5 4 43200 20090504233258 (
20090404233258 50082 isc.org.
jgqnXFXqaEWMT7kkzERUhMN0I94mReLUREkXcpnAFe65
3U0srTQWjNmZQFqk6mwovYkkrC6j4f4pVcSE9MxHeCxb
UhA/okHjmUYfcNJLc0LVZRiXeaw4YV7QuQeT7DJXGRzN
CoHVRK3xZjl16qIf7fEPuFTfoIdxQ9oqk3ZZEU0= )
ord.sns-pb.isc.org. 43200 IN RRSIG A 5 4 43200 20090504233258 (
20090404233258 50082 isc.org.
Ti2WQoGt3k9+JRbT9eIGHZi9czzCOlR9dREanWs/P5NB
6Rt9jr2KFVDZ9oCMDr1Rlvdih1Kg9CGPA9HbjQEM2WvZ
MXOX6paTNOTJ9wW30RE6xBg7pTYUZfLHLRNVhCin/5/J
mFyH6S4fFX8NRnBqXTURss53Ltxa0CKsBz6ft6E= )
sfba.sns-pb.isc.org. 43200 IN RRSIG A 5 4 43200 20090504233258 (
20090404233258 50082 isc.org.
fyu9MlYzUBDW8BX9BVI7iLTxhgUBmOoS7v0GLG9BGrlo
odjcdap+UCMVp4TxIY40POkpyWk9XZ/4tarHm7DHhcM2
5nwS5NARxawOFsEWri7Dv3SuMUNCw/lqEYtH41iu1+Wm
YVYArQRjcWEG6sjgbvz7t9J7qeCbIHh6raIjc2M= )
sfba.sns-pb.isc.org. 43200 IN RRSIG AAAA 5 4 43200 20090504233258 (
20090404233258 50082 isc.org.
QWAqBqiOLlrme/leSdrtJMLjd4EeyXgokWlXM8F+AZy5
9bwNLX6kd1hXowL/YhMN7cIAfR3cjWevBn6j0lJtm+mL
lz8dbGFcznz8atb7NGk0VTzgQZtl5EXniectQ1tZaNsq
v52+ehK5kYZE1lvwS23m7wk5nihNT7oudWdHb5I= )
;; Query time: 80 msec
;; SERVER: 149.20.64.3#53(149.20.64.3)
;; WHEN: Sat Apr 4 23:22:35 2009
;; MSG SIZE rcvd: 1763
------------------------- End included text -------------------------
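The check described in the message above, as an added example that is not part of the original post: it parses `dig +multiline` output and reports any DNSKEY with the SEP bit set (flags 257) whose key tag does not appear on an RRSIG covering the DNSKEY RRset. The function names are hypothetical, the sample is constructed (key and signature data replaced with placeholders; key ids and flags are those shown in the post), and it assumes the flags-257 key is the one the validator's trust anchor refers to.

```python
import re

# Constructed sample: same shape as the dig answer in the post, with the
# base64 key/signature material replaced by placeholders.
SAMPLE = """\
;; ANSWER SECTION:
dlv.isc.org. 7200 IN DNSKEY 257 3 5 (
        PLACEHOLDERKSK=
        ) ; key id = 19297
dlv.isc.org. 7200 IN DNSKEY 256 3 5 (
        PLACEHOLDERZSK1=
        ) ; key id = 64263
dlv.isc.org. 7200 IN DNSKEY 256 3 5 (
        PLACEHOLDERZSK2=
        ) ; key id = 49899
dlv.isc.org. 7200 IN RRSIG DNSKEY 5 3 7200 20090505042033 (
        20090405042033 64263 dlv.isc.org.
        PLACEHOLDERSIG= )
"""

def records(text):
    """Yield (fields, key_id) per record, joining parenthesised continuations."""
    buf, depth = [], 0
    for line in text.splitlines():
        body, _, comment = line.partition(";")   # base64 never contains ';'
        depth += body.count("(") - body.count(")")
        buf.append(body.replace("(", " ").replace(")", " "))
        if depth == 0:
            fields, buf = " ".join(buf).split(), []
            if fields:
                m = re.search(r"key id = (\d+)", comment)  # dig's own key tag note
                yield fields, int(m.group(1)) if m else None

def unsigned_sep_keys(text, owner):
    """Key ids of SEP (KSK) DNSKEYs with no RRSIG over the DNSKEY RRset."""
    sep, signers = set(), set()
    for f, key_id in records(text):
        if len(f) < 5 or f[0].lower() != owner.lower():
            continue
        rtype, rdata = f[3], f[4:]               # name ttl class type rdata...
        if rtype == "DNSKEY" and key_id is not None and int(rdata[0]) & 1:
            sep.add(key_id)                      # flags bit 0 = SEP
        elif rtype == "RRSIG" and rdata[0] == "DNSKEY":
            signers.add(int(rdata[6]))           # 7th RRSIG field = key tag
    return sorted(sep - signers)

if __name__ == "__main__":
    print("SEP keys not signing the DNSKEY RRset:",
          unsigned_sep_keys(SAMPLE, "dlv.isc.org."))
```

Feeding it the saved output of the same `dig` query against each authoritative server shows whether the missing KSK signature is confined to one server or present on all of them.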