Re: Anybody else having problems w/ DNSSEC and ftp.debian.org?

To: debian-devel@lists.debian.org
Subject: Re: Anybody else having problems w/ DNSSEC and ftp.debian.org?
From: Heiko Schlittermann <hs@schlittermann.de>
Date: Mon, 20 Dec 2010 13:46:23 +0100
Message-id: <[🔎] 20101220124623.GQ22461@jumper.schlittermann.de>
Mail-followup-to: debian-devel@lists.debian.org
In-reply-to: <[🔎] 87fwtuizjs.fsf@mid.deneb.enyo.de>
References: <[🔎] 20101214131844.GL22461@jumper.schlittermann.de> <[🔎] 20101214174249.GI30157@anguilla.noreply.org> <[🔎] 20101214192547.GT22461@jumper.schlittermann.de> <[🔎] 20101214193146.GM30157@anguilla.noreply.org> <[🔎] 20101214194047.GV22461@jumper.schlittermann.de> <[🔎] 20101214202935.GX22461@jumper.schlittermann.de> <[🔎] 20101214212503.GC22461@jumper.schlittermann.de> <[🔎] 87fwtuizjs.fsf@mid.deneb.enyo.de>

Florian Weimer <fw@deneb.enyo.de> (Sa 18 Dez 2010 21:41:43 CET):
> * Heiko Schlittermann:
> 
> > Could this somehow trigger this (unexpected) behaviour of a failing
> > validation? But why does it work for somebody (anybody?) else using this
> > version of bind? (output of the CHAOS version.bind query: "9.6-ESV-R3")
> 
> Obviously, it works for me, in quite a similar setup (consumer
> Internet from Deutsche Telekom, among other things).
> 
> Can you show us the output from:
> 
>   dig +cd +dnssec ftp.debian.org DS

; <<>> DiG 9.6-ESV-R3 <<>> +cd +dnssec ftp.debian.org DS
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12843
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;ftp.debian.org.			IN	DS

;; ANSWER SECTION:
ftp.debian.org.		3574	IN	DS	40396 5 2 94E9380BA08A219B09D754C922A920B7DC57FBC01D718195A4B9C3B3 EBE350EE
ftp.debian.org.		3574	IN	DS	40396 5 1 A32112A2E98C1AD75745609F9B7313B4DE95380B
ftp.debian.org.		3574	IN	RRSIG	DS 7 3 3600 20110111224900 20101214224900 42257 debian.org. iHNV5yTqrC8hShWErV90NwXGxQXBbWarj/7+UYpSg6NDqjX0CFXf8J21 x1B/YvhxDkUHpPwrq/YLhvVlx4E9mCvXqklyQsmmktQT4vU72qudJoJ7 cVCrwyUoFwWWtdvdJ1lwyjk/SXhOIHmzjexESUF/sHOT4rnrmmyhfRXp A1Ab8DfnbxoxTNvVZ/fjxDid

;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Dec 20 13:44:19 2010
;; MSG SIZE  rcvd: 313


>   dig +cd +dnssec ftp.debian.org DNSKEY

; <<>> DiG 9.6-ESV-R3 <<>> +cd +dnssec ftp.debian.org DNSKEY
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57772
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;ftp.debian.org.			IN	DNSKEY

;; ANSWER SECTION:
ftp.debian.org.		28800	IN	DNSKEY	256 3 5 AwEAAbKb7JLMdZbv5Ao/WndIcKiSajrEOzDggGF4JZGhkB/KD74sdZP4 Stx47dJqUCOoA2ULnN3vtovBZbUdOkTFi2cSNuyzt6r4WnSmSi+iVtth 4yTroUSirmT3dSQYU6Ouz6XhtqmwSL6kO94GHSg0rOYr2qDd0lu3uqs8 gOCt+H3WHb1R+kl6yvFT1eb7cbmknQ==
ftp.debian.org.		28800	IN	DNSKEY	256 3 5 AwEAAd2Q5QHO6rL3wGJET0d5foLUwiEZwXpRodq7j+70fKBTL5jEl6AB xpnt/zUHm62u1sYyDhv/mtB0q6cUKm6EnQ03WTiUU2n656fdjtaC+71D 2B8KYv4uVHxVya5lEaxIklGLJvSnPwClkClanrCeCf0ALqfC74nOAZzy sWJ4iDfIth4DX9gcRrNf7lwcShr+Vw==
ftp.debian.org.		28800	IN	DNSKEY	257 3 5 AwEAAanX1lSBuFPJX67wvJVJ81hkv1bV1BiqojH3pwdkxusxthvaLbGE bHWO4n3uY1gBhYw6ycRpyAUbjLE1NySzjpvfJY5KrLVPh1F89jyo9l16 nlevXODge/Y5+Q0lOZhNhTDkt+c/Xvf0WfnkWZZVYY3SAZpZP5FBdkpI idbyXKMF63JYkYoRSC5gaURYRy6NwJrhUXTRDPPRC0sf7sw1ganNodDy 6P7KqrWXdUOMBgFfHyQN3BmWjMRVdiY9N2+BnQ==
ftp.debian.org.		28800	IN	RRSIG	DNSKEY 5 3 28800 20110110133902 20101213133902 9783 ftp.debian.org. v0ug+Kxv8QeSHZg7doZQUnsbKrAnuegSGX+Nfe7BmezONMyXXnbH8TC/ CCw3qQBBSltEJY1ytyvicfQnCaHXDc1vDvR9e6kzjoFFJxnSpNKsZXkh HtTSuO9RwmwWHQocpv06AOcRL2HeNl6hQcRh+28HGq3bgWveuRASEgKD u9eHCuQqtSrk97ymRJzNArON
ftp.debian.org.		28800	IN	RRSIG	DNSKEY 5 3 28800 20110110133902 20101213133902 40396 ftp.debian.org. FenuaVpG8s5hjyRdyEmcAzXA/JtGsF7V1LqZeQZJ8pwlB6gidgCAUXDW wGjZBzzJl48LklxrSxyZDxdtN99/7lbDFgIEsmN5MabeQz6WCP2GBFq6 A/nQJzLpPnZTqhw5pgfqTCjEyvOEVembqrEX4nU7QzeuYON0p6Y2I49Z PHpurX20dxW7DoLtXjeduUF0uTFVk6ToKt4SOpWcUF3syUeoyLzza7S1 7VaeqLdi0L0u2CE907HQZKP1m3KaFWWN

;; Query time: 245 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Dec 20 13:44:45 2010
;; MSG SIZE  rcvd: 1011


>   dig +cd +dnssec ftp.debian.org A

; <<>> DiG 9.6-ESV-R3 <<>> +cd +dnssec ftp.debian.org A
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11161
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;ftp.debian.org.			IN	A

;; ANSWER SECTION:
ftp.debian.org.		300	IN	A	130.89.149.226
ftp.debian.org.		300	IN	RRSIG	A 5 3 300 20110110133902 20101213133902 9783 ftp.debian.org. GiKr7xnrmvBIdRT5VYxHWXzMae9KhHo09Qyx1+l5l4YNbpIiUw3aIkGp MOjsyETYy6hGVontU14me77sUChtI8tzGg11w9YKJopM46rplnTINpX+ U+ZVFIJtWaAyvLkmzPG3iZ8worZsWNEyShsqfl3lYqGl4Ma4jDPJDeHB KRdZFsIu5DPns153XwHmsvCw

;; AUTHORITY SECTION:
ftp.debian.org.		3580	IN	NS	geo3.debian.org.
ftp.debian.org.		3580	IN	NS	geo2.debian.org.
ftp.debian.org.		3580	IN	NS	geo1.debian.org.
ftp.debian.org.		3600	IN	RRSIG	NS 5 3 3600 20110110133902 20101213133902 9783 ftp.debian.org. w/Tl/57AtBttNFpfNlC5uWm2sSJfcmppkY085gxdCfJ+Xngf9AHoYwpv +G5sCo0WUXcEnqLt1Dkox14n5iCt2YukV9k43nIWo1baUTjllWM8vijk r3wYDom+KDEFN+9haU7e618jo2f9Gw9wyJDX4FZpepkk7EwjqwB1sZeU nAIcWVM+FsdJfWPeIuo/a0m6

;; Query time: 62 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Dec 20 13:45:05 2010
;; MSG SIZE  rcvd: 496

>   dig +cd +dnssec debian.org DNSKEY

; <<>> DiG 9.6-ESV-R3 <<>> +cd +dnssec debian.org DNSKEY
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53095
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;debian.org.			IN	DNSKEY

;; ANSWER SECTION:
debian.org.		28800	IN	DNSKEY	256 3 7 AwEAAbY23+W8pitzG9iSHneRR7qyk4qPS1OJ430n8PknpBoIOCXGB2hb asUfTqtSs4bd53FWX28n96TMhvtmxaUcea9Co/w3ie3iuTrFGrxPX9PC EtW0THsG22SberyE0y8jIFQaQIWc+G0dncnVhqX6wl+zEqMBai5kOIic FP+gH0WQvqbimpeFl+ApRu88aACh9w==
debian.org.		28800	IN	DNSKEY	257 3 7 AwEAAbGPo9hCvX50aYSJjQWf5+t7GRRWPGrTIFIG80BrTT/JHUYRl53f uVU6t1k3pcAzTbL0gE67evH3c7JFofK+U7vBhKksELdIVe6udZXAKoxn vhA1p4gs9ZulCmXLI6zeCSGJtlJetqc1YxOmm/nTa9+CPokgfgw0ixBK 7vjW5HKuq4WZHnjLWD+OCQoD1EDtT6XlSr3hLDhYfM7Q5uHo8OjiWGZ9 ZCWn7n3o+3vDeQQYQH+4lDzO6XKLvLMEafh08w==
debian.org.		28800	IN	DNSKEY	256 3 7 AwEAAa3LMyBNCjxf4pfc2L1hPRY8a0i4TJBZjg61lU9yXDDPuWLAKlnk UhN1acJ+em6VV8UchUOxi99FsEHvouhWq9QvguLmCUQobbfR13zvioUk aYtlyKuEWZVnMq/Ymo7TXRNv8LBncrMKVDBlid+V3tRqjC57ViLf1Hsh QOFR1bjQrGjFtnhcsr9StBmxDxOkRw==
debian.org.		28800	IN	RRSIG	DNSKEY 7 2 28800 20110111224900 20101214224900 5283 debian.org. nQsPhNUcEyorPbIv5HRgP4T5CGGFCkL9FUY2UpeM8QPUa0mSAsq9W26y II86eUa0ykthFnIlslvutygOAz+ZnsDCs3yUl7Gfk5vyGmA0cntbcRct bwqlpQmJA9HUtkiuB/k5CpyQ93ql2C3mdgltNiuL+DStjBUEXg55Ltux 103I3Vwct6odGWve8UR1zz4cj+TnkJliC8fcKKH5p0o8dsqMJshhhLL4 N1dmjILzqSwWaXW04j9DmqtMaW/b7HWP
debian.org.		28800	IN	RRSIG	DNSKEY 7 2 28800 20110111224900 20101214224900 42257 debian.org. D1Xz1eiUp6bdqJdA7zqP7TWHv9STwhfy+CuOCVCjNdffWBYikNS2me9o xKduj8ky1+Kr+sj0RdrR8+rvjZ9qsSWVVJVGnTGrVI/RhwcmWQQAydhh AnNletC9jJJRenFP0b8hmFUKl9Y3QzVFaiMiOOQWBIRoRBitAF4LTjSH vJE3BWSVoT1l6lgDnw5ebvlr

;; Query time: 118 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Dec 20 13:45:25 2010
;; MSG SIZE  rcvd: 999


-- 
Heiko :: dresden : linux : SCHLITTERMANN.de
GPG Key 48D0359B : 3061 CFBF 2D88 F034 E8D2 7E92 EE4E AC98 48D0 359B

Attachment: signature.asc
Description: Digital signature

Reply to:

Follow-Ups:
- Re: Anybody else having problems w/ DNSSEC and ftp.debian.org?
  - From: Florian Weimer <fw@deneb.enyo.de>

References:
- Anybody else having problems w/ DNSSEC and ftp.debian.org?
  - From: Heiko Schlittermann <hs@schlittermann.de>
- Re: Anybody else having problems w/ DNSSEC and ftp.debian.org?
  - From: Peter Palfrader <weasel@debian.org>
- Re: Anybody else having problems w/ DNSSEC and ftp.debian.org?
  - From: Heiko Schlittermann <hs@schlittermann.de>
- Re: Anybody else having problems w/ DNSSEC and ftp.debian.org?
  - From: Peter Palfrader <weasel@debian.org>
- Re: Anybody else having problems w/ DNSSEC and ftp.debian.org?
  - From: Heiko Schlittermann <hs@schlittermann.de>
- Re: Anybody else having problems w/ DNSSEC and ftp.debian.org?
  - From: Heiko Schlittermann <hs@schlittermann.de>
- Re: Anybody else having problems w/ DNSSEC and ftp.debian.org?
  - From: Heiko Schlittermann <hs@schlittermann.de>
- Re: Anybody else having problems w/ DNSSEC and ftp.debian.org?
  - From: Florian Weimer <fw@deneb.enyo.de>

Prev by Date: Re: exim-using packages - are you relying on -C or -D options?
Next by Date: Re: Introducing the "Debian's Automated Code Analysis" (DACA) project
Previous by thread: Re: Anybody else having problems w/ DNSSEC and ftp.debian.org?
Next by thread: Re: Anybody else having problems w/ DNSSEC and ftp.debian.org?
Index(es):
- Date
- Thread