[Pdns-dev] PowerDNSSEC real early version available for testing!
Leen Besselink
leen at consolejunkie.net
Thu Apr 22 09:10:21 CEST 2010
On 04/22/2010 07:45 AM, bert hubert wrote:
> On Thu, Apr 22, 2010 at 02:21:53AM +0200, Leen Besselink wrote:
>
>> Hi Bert,
>> It's really good to see you are making progress.
>>
> Thanks!
>
>
>> When I tested this on Ubuntu Karmic everything seemed to work,
>> but dig did not say OK.
>>
> Make sure you copy paste the correct DNSKEY, not the one from the website,
> but the one from 'pdnssec'!
>
>
>> I'm still new to DNSSEC so I may have done something wrong, I can
>> send you the keys-directory, a pcap, version-information, etc. if you
>> think it's related to Ubuntu Karmic.
>>
> Otherwise, see if you can use the excellent 'drill' tool from NLNetLabs ldns
> project. It may provide a lot better output than dig.
>
>
>> But first I want to give it another go tomorrow and see if I can
>> understand the cause myself.
>>
OK, it works with the server/pdnssec which was compiled on Debian, but
not with the server/pdnssec compiled on Ubuntu Karmic.
Even when I copy the keys-directory and trusted-keys to the Ubuntu
Karmic installation and even when I run dig from Debian.
So I think it's something in pdns-server on Karmic. :-(
I did one thing different, I did a make install on the Ubuntu Karmic
machine, which for this test wasn't really necessary.
The Ubuntu machine is my desktop, the Debian machine is a pretty clean
virtual machine.
Because this is what I get on Ubuntu Karmic:
(I run it on port 53 at this point)
dig +multiline +dnssec +sigchase +trusted-key=./trusted-keys -t A
powerdnssec.org @127.0.0.1
;; RRset to chase:
powerdnssec.org. 3600 IN A 212.123.148.70
;; RRSIG of the RRset to chase:
powerdnssec.org. 3600 IN RRSIG A 5 2 3600 20100506000000 (
20100422000000 54132 powerdnssec.org.
qHQXAp7yCjoxX3IpmnbV9uNplg8PAfjCEHCGPER1ohAf
QutXlUBfK8J1ygWHbpP8rHIosEP8z82xFx/RrbWpVYq9
G8rQ33JTilV09o3ELMTsuoqSRwoLrVt07E3nT1NxrGug
8VayqQYVUxwBvbXFMrgnJHzih/5dxxGKvjAAWl0= )
Launch a query to find a RRset of type DNSKEY for zone: powerdnssec.org.
;; DNSKEYset that signs the RRset to chase:
powerdnssec.org. 3600 IN DNSKEY 257 3 5 (
AwEAAY17+CkJ9YpQbZlf8YmneqJSLIXsUWl/i16uQBif
0cixbt0FMrjLiMhMQCy1gnlxDE0O9e+NBewvufbZAgfn
b/VefTmezCQAEuesGQs6G7Ss4A8nO9RLl6VrLz4TQ1r3
GXujT91GdfaNP8Ri+6vkLI3rNFkbs82QkFuwIYthuehS
+8AjVoug7VWHVUpO6+Tihx2Nwop9VV+7aO7VxQjS2s0Y
oSTMAkjtH1fAlj0kgnMSMHfSwzql/3F8h0hlsZsLSRIG
hCPEZ1M0U1u9zG3rpOgMrKe2Rl3nvVhASCRFuJHTcnzD
sdQ5unD7ZkQkHIsu6fYALNIlue62j8ho/PoDVIk=
) ; key id = 36478
3600 IN DNSKEY 256 3 5 (
AwEAAYejY5DjXhAQdBrKu2VNmiBNOAbu2Mm14GFKMWBR
HHeJX6WyxtHDCYT+wNUU3AbG4ORYuAFOFK5jHxxaM7d5
QQAOJiR736HVPHSdUtRw8q9KKAvXQCR7hHrvucDZFvuI
UaCMFFTujCHtIb8dUXa4MH/7UMoO9QHyA4ZBplGNC9T9
) ; key id = 32530
3600 IN DNSKEY 256 3 5 (
AwEAAa964kXhFOmmdAHtd2fo4O/fEWr5QLZepe/glhT/
yLAKDWA3iFKQHFoppb9MEbPuH1KxoT5taExf/n1X7PFI
Y4TOpwoMjG9rRyPAdE8bYyYu+6koTXiM+leeNy6nho14
fVh6gPWicULvoAynEEXRhDJeyK46dPgFNKyEPWoh9kER
) ; key id = 54132
Launch a query to find a RRset of type RRSIG for zone: powerdnssec.org.
;; RRSIG for DNSKEY is missing to continue validation : FAILED
# and on port 5300 with drill:
drill -D -k trusted-keys -p 5300 powerdnssec.org @127.0.0.1 A IN
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 26297
;; flags: qr aa rd ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; powerdnssec.org. IN A
;; ANSWER SECTION:
powerdnssec.org. 3600 IN A 212.123.148.70
powerdnssec.org. 3600 IN RRSIG A 5 2 3600
20100506000000 20100422000000 54132 powerdnssec.org.
qHQXAp7yCjoxX3IpmnbV9uNplg8PAfjCEHCGPER1ohAfQutXlUBfK8J1ygWHbpP8rHIosEP8z82xFx/RrbWpVYq9G8rQ33JTilV09o3ELMTsuoqSRwoLrVt07E3nT1NxrGug8VayqQYVUxwBvbXFMrgnJHzih/5dxxGKvjAAWl0=
;{id = 54132}
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
;; Query time: 3 msec
;; EDNS: version 0; flags: do ; udp: 2800
;; SERVER: 127.0.0.1
;; WHEN: Thu Apr 22 08:56:18 2010
;; MSG SIZE rcvd: 235
; powerdnssec.org. 3600 IN A 212.123.148.70
BOGUS by id = 36478, owner = powerdnssec.org.
> Good luck!
>
>
You too. :-)
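
Added example, not part of the original message and not PowerDNS code: a structural check for the two failure modes discussed in this thread, a trust anchor that does not match any served DNSKEY and a DNSKEY RRset with no covering RRSIG. It computes key tags per RFC 4034 Appendix B and performs no cryptographic verification; the zone name, key material and signatures below are constructed placeholders, and the function names are hypothetical.

```python
import base64
import struct

def key_tag(flags, protocol, algorithm, b64key):
    """Key tag per RFC 4034 Appendix B (valid for algorithms other than 1)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(b64key)
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def parse(lines):
    """Read single-line presentation-format records (no +multiline).
    Returns ({key_tag: flags}, [(type_covered, signer_key_tag), ...])."""
    keys, sigs = {}, []
    for line in lines:
        f = line.split()
        if len(f) < 5 or f[0].startswith(";"):
            continue
        rtype, rdata = f[3], f[4:]
        if rtype == "DNSKEY":
            flags, proto, alg = map(int, rdata[:3])
            keys[key_tag(flags, proto, alg, "".join(rdata[3:]))] = flags
        elif rtype == "RRSIG":
            # RRSIG rdata: covered alg labels origttl expire incept keytag signer sig
            sigs.append((rdata[0], int(rdata[6])))
    return keys, sigs

def diagnose(lines, anchor_tag):
    """Report the first structural gap between the answer and the trust anchor."""
    keys, sigs = parse(lines)
    if anchor_tag not in keys:
        return "trust anchor key not in DNSKEY RRset"
    if ("DNSKEY", anchor_tag) not in sigs:
        return "no RRSIG over DNSKEY by trust anchor"
    if any(tag not in keys for _, tag in sigs):
        return "signature by unknown key"
    return "chain complete"

# Constructed sample records: tiny placeholder keys and signatures.
SIG = "5 2 3600 20100506000000 20100422000000"
UNSIGNED_KEYSET = [
    "example.test. 3600 IN DNSKEY 257 3 5 AQIDBA==",   # key tag 2060 (SEP bit set)
    "example.test. 3600 IN DNSKEY 256 3 5 AQIDBA==",   # key tag 2059
    "example.test. 3600 IN A 192.0.2.1",
    f"example.test. 3600 IN RRSIG A {SIG} 2059 example.test. c2ln",
]
SIGNED_KEYSET = UNSIGNED_KEYSET + [
    f"example.test. 3600 IN RRSIG DNSKEY {SIG} 2060 example.test. c2ln",
]

if __name__ == "__main__":
    for name, zone in (("unsigned keyset", UNSIGNED_KEYSET), ("signed keyset", SIGNED_KEYSET)):
        print(name, "->", diagnose(zone, 2060))
```

To run it against a live server, feed it the output of a query for both the DNSKEY RRset and its RRSIGs with one record per line.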