Stephane Bortzmeyer <bortzmeyer@nic.fr> (Tue 14 Dec 2010 14:26:18 CET):
> On Tue, Dec 14, 2010 at 02:18:44PM +0100,
> Heiko Schlittermann <hs@schlittermann.de> wrote
> a message of 46 lines which said:
>
> > Using a current lenny with bind9 I can't validate (www|ftp).debian.org
> > anymore.
>
> Works for me (BIND on a lenny using dlv.isc.org). Note the ad bit:
>
> % dig +dnssec A www.debian.org
>
> ; <<>> DiG 9.6-ESV-R3 <<>> +dnssec A www.debian.org
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12253
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 4, ADDITIONAL: 13
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;www.debian.org. IN A
>
> ;; ANSWER SECTION:
> www.debian.org. 300 IN A 141.76.2.5
> www.debian.org. 300 IN A 213.129.232.18
> www.debian.org. 300 IN RRSIG A 5 3 300 20110111094829 20101214094829 38208 www.debian.org. AR+irfLzNRWYgbJwp4Nf6M1o3xpANStnSMNQ7iechFhX9YdDUgx7vHLl 4/mjM6RbyHJiCyz5supU4ubuWT5QxjvG6IE/HgoimiEjq4XsP7ANSEdF 1B3y270gBxn+tO2ZDfNwLdob9k3AXJnyOVUq9cPVaa8ZcNZ8rhJ04JLF 3i3E9AphlUywmQPTNTCEtOoV
>
> What is the output of 'dig +cd +dnssec www.debian.org' on your case?
# dig www.debian.org +dnssec @192.168.0.1
; <<>> DiG 9.7.1-P2 <<>> www.debian.org +dnssec @192.168.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 49087
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.debian.org. IN A
;; Query time: 341 msec
;; SERVER: 192.168.0.1#53(192.168.0.1)
;; WHEN: Tue Dec 14 14:40:12 2010
;; MSG SIZE rcvd: 43
The excuse in the server's syslog:
Dec 14 14:40:11 muli3 named[14985]: validating @0xb98d51b0: www.debian.org A: no valid signature found
Dec 14 14:40:11 muli3 named[14985]: no valid RRSIG resolving 'www.debian.org/A/IN': 195.20.242.125#53
Dec 14 14:40:11 muli3 named[14985]: validating @0xb98d51b0: www.debian.org A: no valid signature found
Dec 14 14:40:11 muli3 named[14985]: no valid RRSIG resolving 'www.debian.org/A/IN': 82.195.75.105#53
Dec 14 14:40:11 muli3 named[14985]: validating @0xb98d51b0: www.debian.org A: no valid signature found
Dec 14 14:40:11 muli3 named[14985]: no valid RRSIG resolving 'www.debian.org/A/IN': 206.12.19.113#53
With checking disabled:
# dig www.debian.org +cd +dnssec @192.168.0.1
; <<>> DiG 9.7.1-P2 <<>> www.debian.org +cd +dnssec @192.168.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14886
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 3, AUTHORITY: 4, ADDITIONAL: 13
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.debian.org. IN A
;; ANSWER SECTION:
www.debian.org. 132 IN A 213.129.232.18
www.debian.org. 132 IN A 141.76.2.5
www.debian.org. 132 IN RRSIG A 5 3 300 20110111094829 20101214094829 38208 www.debian.org. AR+irfLzNRWYgbJwp4Nf6M1o3xpANStnSMNQ7iechFhX9YdDUgx7vHLl 4/mjM6RbyHJiCyz5supU4ubuWT5QxjvG6IE/HgoimiEjq4XsP7ANSEdF 1B3y270gBxn+tO2ZDfNwLdob9k3AXJnyOVUq9cPVaa8ZcNZ8rhJ04JLF 3i3E9AphlUywmQPTNTCEtOoV
<cut authority and additional section>
;; Query time: 28 msec
;; SERVER: 192.168.0.1#53(192.168.0.1)
;; WHEN: Tue Dec 14 14:38:22 2010
;; MSG SIZE rcvd: 1760
When I'm validating myself (dig +sigchase …) using the DNSKEY found for
debian.org, I can validate the answers (tested for ftp, but expect the
same for www).
--
Heiko :: dresden : linux : SCHLITTERMAN.de
GPG Key 48D0359B : 3061 CFBF 2D88 F034 E8D2 7E92 EE4E AC98 48D0 359B
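An added example, not from this thread, that automates the comparison the two posts make by hand: it reads status and flags from a validating query and a +cd query, classifies what the resolver concluded (secure, insecure, bogus), and counts the "no valid RRSIG" events per authoritative server in named's syslog. The sample inputs are constructed and shortened from the outputs quoted above.

```python
# Added example: classify a DNSSEC lookup from two dig runs (validation on,
# and +cd) plus the resolver's syslog lines. Not code from the thread.
import re
from collections import Counter

STATUS_RE = re.compile(r"status: ([A-Z]+),")
FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);", re.M)
RRSIG_RE = re.compile(r"\sIN\s+RRSIG\s+([A-Z0-9]+)\s")
LOG_RE = re.compile(r"no valid RRSIG resolving '([^']+)': ([0-9a-fA-F.:]+)#\d+")

def parse_dig(text):
    """Return (status, flag set, RRSIG-covered types) from dig's text output."""
    status = STATUS_RE.search(text).group(1)
    flags = set(FLAGS_RE.search(text).group(1).split())
    return status, flags, set(RRSIG_RE.findall(text))

def classify(normal_out, cd_out):
    """Diagnose the lookup from the pair of queries (validating / +cd)."""
    n_status, n_flags, _ = parse_dig(normal_out)
    c_status, _, c_rrsigs = parse_dig(cd_out)
    if "ad" in n_flags:
        return "secure"          # resolver built and verified the chain of trust
    if n_status == "SERVFAIL" and c_status == "NOERROR":
        # Data is there and (if RRSIGs are present) signed; only the resolver's
        # validation step fails, so the answer is bogus from its point of view.
        return "bogus" if c_rrsigs else "servfail-without-signatures"
    if n_status == "NOERROR":
        return "insecure"        # answered, but nothing was validated
    return "failure"             # broken independently of validation

def failing_servers(syslog_lines):
    """Count 'no valid RRSIG' events per authoritative server in named's log."""
    return Counter(ip for line in syslog_lines for _, ip in LOG_RE.findall(line))

# Constructed samples, shortened from what dig and named print.
NORMAL = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 49087
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
WITH_CD = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14886
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 3, AUTHORITY: 4, ADDITIONAL: 13
www.debian.org. 132 IN A 213.129.232.18
www.debian.org. 132 IN RRSIG A 5 3 300 20110111094829 20101214094829 38208 www.debian.org. AR+i...(signature truncated)
"""
SYSLOG = [
    "Dec 14 14:40:11 muli3 named[14985]: no valid RRSIG resolving 'www.debian.org/A/IN': 195.20.242.125#53",
    "Dec 14 14:40:11 muli3 named[14985]: no valid RRSIG resolving 'www.debian.org/A/IN': 82.195.75.105#53",
]

if __name__ == "__main__":
    print(classify(NORMAL, WITH_CD), dict(failing_servers(SYSLOG)))
```

A "bogus" result with RRSIGs present points at the validating resolver (trust anchor or DLV configuration, DS records, clock skew) rather than at the authoritative servers, which is exactly the split the +cd query exposes.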