
Re: Anybody else having problems w/ DNSSEC and ftp.debian.org?



> Heiko Schlittermann <hs@schlittermann.de> (Di 14 Dez 2010 20:40:47 CET):
> > Peter Palfrader <weasel@debian.org> (Di 14 Dez 2010 20:31:46 CET):
> > > On Tue, 14 Dec 2010, Heiko Schlittermann wrote:
> > > 
> > > > Peter Palfrader <weasel@debian.org> (Di 14 Dez 2010 18:42:49 CET):
> > > > > On Tue, 14 Dec 2010, Heiko Schlittermann wrote:
> > > > > 
> > > > > > Using a current lenny with bind9 I can't validate (www|ftp).debian.org
> > > > > > anymore. Is anybody else experiencing this problem?
> > > > > > 
> > > > > > 
> > > > > > not working: 1:9.6.ESV.R3+dfsg-0+lenny1 
> > > > > >     working: 1:9.6.ESV.R1+dfsg-0+lenny2
> > > > > >     working: 1:9.7.2.dfsg.P3-1
> > > > > >     
> > > > > > ftp.debian.org seems to use DLV. Other domains using DLV validate.
> > > > > 
> > > > > Does a normal host validate?  Say for instance kassia.debian.org.
> > > > 
> > > > Yes, it does.
> > > 
> > > Are you on IPv6?
> > 
> > What is IPv6?
> > No, I'm not on IPv6 and even running bind with the "-4" option.


Here comes the output of a trace (level 3 I think); note the marked line:

    14-Dec-2010 22:13:09.193 validating @0xb90c65d8: ftp.debian.org A: starting
    14-Dec-2010 22:13:09.193 validating @0xb90c65d8: ftp.debian.org A: looking for DLV
    14-Dec-2010 22:13:09.193 validating @0xb90c65d8: ftp.debian.org A: plain DNSSEC returns unsecure (.): looking for DLV
    14-Dec-2010 22:13:09.193 validating @0xb90c65d8: ftp.debian.org A: looking for DLV ftp.debian.org.dlv.isc.org
    14-Dec-2010 22:13:09.193 validating @0xb90c65d8: ftp.debian.org A: looking for DLV debian.org.dlv.isc.org
    14-Dec-2010 22:13:09.193 validating @0xb90c65d8: ftp.debian.org A: DLV debian.org found
    14-Dec-2010 22:13:09.193 validating @0xb90c65d8: ftp.debian.org A: dlv_validator_start
    14-Dec-2010 22:13:09.193 validating @0xb90c65d8: ftp.debian.org A: restarting using DLV
    14-Dec-2010 22:13:09.193 validating @0xb90c65d8: ftp.debian.org A: attempting positive response validation
    14-Dec-2010 22:13:09.193   validating @0xb90cb070: ftp.debian.org DNSKEY: starting
    14-Dec-2010 22:13:09.194   validating @0xb90cb070: ftp.debian.org DNSKEY: attempting positive response validation
    14-Dec-2010 22:13:09.194   validating @0xb90cb070: ftp.debian.org DNSKEY: not beneath secure root
    14-Dec-2010 22:13:09.194   validating @0xb90cb070: ftp.debian.org DNSKEY: plain DNSSEC returns unsecure (.): looking for DLV
    14-Dec-2010 22:13:09.194   validating @0xb90cb070: ftp.debian.org DNSKEY: looking for DLV ftp.debian.org.dlv.isc.org
    14-Dec-2010 22:13:09.194   validating @0xb90cb070: ftp.debian.org DNSKEY: looking for DLV debian.org.dlv.isc.org
    14-Dec-2010 22:13:09.194   validating @0xb90cb070: ftp.debian.org DNSKEY: DLV debian.org found
    14-Dec-2010 22:13:09.194   validating @0xb90cb070: ftp.debian.org DNSKEY: dlv_validator_start
    14-Dec-2010 22:13:09.194   validating @0xb90cb070: ftp.debian.org DNSKEY: restarting using DLV
    14-Dec-2010 22:13:09.194   validating @0xb90cb070: ftp.debian.org DNSKEY: attempting positive response validation
    14-Dec-2010 22:13:09.194   validating @0xb90cb070: ftp.debian.org DNSKEY: not beneath secure root
    14-Dec-2010 22:13:09.194   validating @0xb90cb070: ftp.debian.org DNSKEY: marking as answer (validatezonekey (1))
    14-Dec-2010 22:13:09.194   validator @0xb90cb070: dns_validator_destroy
    14-Dec-2010 22:13:09.194 validating @0xb90c65d8: ftp.debian.org A: in keyvalidated
    14-Dec-2010 22:13:09.194 validating @0xb90c65d8: ftp.debian.org A: keyset with trust 5
    14-Dec-2010 22:13:09.194 validating @0xb90c65d8: ftp.debian.org A: resuming validate
    14-Dec-2010 22:13:09.194 validating @0xb90c65d8: ftp.debian.org A: no valid signature found
    14-Dec-2010 22:13:09.195 validating @0xb90c65d8: ftp.debian.org A: falling back to insecurity proof
*   14-Dec-2010 22:13:09.195 validating @0xb90c65d8: ftp.debian.org A: checking existence of DS at 'ftp.debian.org'
    14-Dec-2010 22:13:09.195 validating @0xb90c65d8: ftp.debian.org A: insecurity proof failed
    14-Dec-2010 22:13:09.195 fctx 0xb487e008(ftp.debian.org/A'): received validation completion event
    14-Dec-2010 22:13:09.195 validator @0xb90c65d8: dns_validator_destroy
    14-Dec-2010 22:13:09.195 fctx 0xb487e008(ftp.debian.org/A'): validation failed
    14-Dec-2010 22:13:09.195 fctx 0xb487e008(ftp.debian.org/A'): add_bad
    14-Dec-2010 22:13:09.195 no valid RRSIG resolving 'ftp.debian.org/A/IN': 82.195.75.105#53


A DS record is found.  Why? Since ftp.debian.org is a zone on its own.
The other plain names (each with just an A record) are working and do
not own a DS key.

Could this somehow trigger this (unexpected) behaviour of a failing
validation? But why does it work for somebody (anybody?) else using this
version of bind? (output of the CHAOS version.bind query: "9.6-ESV-R3")


-- 
Heiko :: dresden : linux : SCHLITTERMANN.de
GPG Key 48D0359B : 3061 CFBF 2D88 F034 E8D2 7E92 EE4E AC98 48D0 359B
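As an added example (my own code, not from the post or from BIND), a small parser for the validator trace format quoted above: it groups the "validating @0x...:" messages by validator id and reports, per name/type, whether the DLV restart happened, the key trust level, where the DS existence check was made, and a verdict; the trace excerpt is a constructed subset of the lines in the post, and the verdict labels (secure/bogus/incomplete) are my own.

```python
import re

# Constructed excerpt modelled on the BIND 9.6 validator trace in the post; the
# leading '*' on one line is the poster's own marker, which the parser tolerates.
SAMPLE_TRACE = """\
14-Dec-2010 22:13:09.193 validating @0xb90c65d8: ftp.debian.org A: starting
14-Dec-2010 22:13:09.193 validating @0xb90c65d8: ftp.debian.org A: restarting using DLV
14-Dec-2010 22:13:09.194   validating @0xb90cb070: ftp.debian.org DNSKEY: marking as answer (validatezonekey (1))
14-Dec-2010 22:13:09.194 validating @0xb90c65d8: ftp.debian.org A: keyset with trust 5
14-Dec-2010 22:13:09.194 validating @0xb90c65d8: ftp.debian.org A: no valid signature found
14-Dec-2010 22:13:09.195 validating @0xb90c65d8: ftp.debian.org A: falling back to insecurity proof
*   14-Dec-2010 22:13:09.195 validating @0xb90c65d8: ftp.debian.org A: checking existence of DS at 'ftp.debian.org'
14-Dec-2010 22:13:09.195 validating @0xb90c65d8: ftp.debian.org A: insecurity proof failed
14-Dec-2010 22:13:09.195 no valid RRSIG resolving 'ftp.debian.org/A/IN': 82.195.75.105#53
"""

VALIDATING = re.compile(r"^\*?\s*\S+ \S+\s+validating @(?P<vid>0x[0-9a-f]+): "
                        r"(?P<name>\S+) (?P<rtype>\S+): (?P<msg>.*)$")
RRSIG_FAIL = re.compile(r"^\s*\S+ \S+ no valid RRSIG resolving '(?P<q>[^']+)': (?P<srv>\S+)$")

def parse_trace(text):
    """Group validator messages by validator id; also pick out the final 'no valid RRSIG' line."""
    validators, rrsig_fail = {}, None
    for line in text.splitlines():
        m = VALIDATING.match(line)
        if m:
            v = validators.setdefault(m["vid"], {"name": m["name"], "rtype": m["rtype"], "steps": []})
            v["steps"].append(m["msg"])
            continue
        m = RRSIG_FAIL.match(line)
        if m:
            rrsig_fail = (m["q"], m["srv"])
    return validators, rrsig_fail

def diagnose(validators, rrsig_fail):
    """Per name/type: DLV used? key trust level? DS check location? and a verdict (my labels)."""
    report = {"servfail": rrsig_fail}
    for v in validators.values():
        steps = v["steps"]
        trust = next((int(s.rsplit(" ", 1)[1]) for s in steps if s.startswith("keyset with trust ")), None)
        ds_at = next((s.split(" at ", 1)[1].strip("'") for s in steps if s.startswith("checking existence of DS at ")), None)
        if any(s.startswith("marking as answer") for s in steps):
            verdict = "secure"
        elif "insecurity proof failed" in steps:
            verdict = "bogus"  # no valid RRSIG, and the name could not be proven unsigned either
        else:
            verdict = "incomplete"
        report[f"{v['name']}/{v['rtype']}"] = {"via_dlv": "restarting using DLV" in steps,
                                               "key_trust": trust, "ds_checked_at": ds_at, "verdict": verdict}
    return report
```

Run against a full `validating`-category trace, the report shows at a glance that the DNSKEY validator succeeded via DLV while the A validator found no valid signature and then could not prove the name insecure, which is exactly the path that ends in the SERVFAIL.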


