[Pdns-dev] PowerDNSSEC real early version available for testing!

Leen Besselink leen at consolejunkie.net
Thu Apr 22 09:10:21 CEST 2010


On 04/22/2010 07:45 AM, bert hubert wrote:
> On Thu, Apr 22, 2010 at 02:21:53AM +0200, Leen Besselink wrote:
>    
>> Hi Bert,
>> It's really good to see you are making progress.
>>      
> Thanks!
>
>    
>> When I tested this on Ubuntu Karmic everything seemed to work,
>> but dig did not say OK.
>>      
> Make sure you copy paste the correct DNSKEY, not the one from the website,
> but the one from 'pdnssec'!
>
>    
>> I'm still new to DNSSEC so I may have done something wrong, I can
>> send you the keys-directory, a pcap, version-information, etc. if you
>> think it's related to Ubuntu Karmic.
>>      
> Otherwise, see if you can use the excellent 'drill' tool from NLNetLabs ldns
> project. It may provide a lot better output than dig.
>
>    
>> But first I want to give it another go tomorrow and see if I can
>> understand the cause myself.
>>      

OK, it works with the server/pdnssec which was compiled on Debian, but 
not with the server/pdnssec compiled on Ubuntu Karmic.

Even when I copy the keys-directory and trusted-keys to the Ubuntu 
Karmic installation and even when I run dig from Debian.

So I think it's something in pdn-server on Karmic. :-(

I did one thing different, I did a make install on the Ubuntu Karmic 
machine, which for this test wasn't really necessary.

The Ubuntu machine is my desktop, the Debian machine is a pretty clean 
virtual machine.

Because this is what I get on Ubuntu Karmic:

(I run it on port 53 at this point)

dig +multiline +dnssec +sigchase +trusted-key=./trusted-keys -t A powerdnssec.org @127.0.0.1
;; RRset to chase:
powerdnssec.org.        3600 IN A 212.123.148.70


;; RRSIG of the RRset to chase:
powerdnssec.org.        3600 IN RRSIG A 5 2 3600 20100506000000 (
                                 20100422000000 54132 powerdnssec.org.
                                 qHQXAp7yCjoxX3IpmnbV9uNplg8PAfjCEHCGPER1ohAf
                                 QutXlUBfK8J1ygWHbpP8rHIosEP8z82xFx/RrbWpVYq9
                                 G8rQ33JTilV09o3ELMTsuoqSRwoLrVt07E3nT1NxrGug
                                 8VayqQYVUxwBvbXFMrgnJHzih/5dxxGKvjAAWl0= )



Launch a query to find a RRset of type DNSKEY for zone: powerdnssec.org.

;; DNSKEYset that signs the RRset to chase:
powerdnssec.org.        3600 IN DNSKEY 257 3 5 (
                                 AwEAAY17+CkJ9YpQbZlf8YmneqJSLIXsUWl/i16uQBif
                                 0cixbt0FMrjLiMhMQCy1gnlxDE0O9e+NBewvufbZAgfn
                                 b/VefTmezCQAEuesGQs6G7Ss4A8nO9RLl6VrLz4TQ1r3
                                 GXujT91GdfaNP8Ri+6vkLI3rNFkbs82QkFuwIYthuehS
                                 +8AjVoug7VWHVUpO6+Tihx2Nwop9VV+7aO7VxQjS2s0Y
                                 oSTMAkjtH1fAlj0kgnMSMHfSwzql/3F8h0hlsZsLSRIG
                                 hCPEZ1M0U1u9zG3rpOgMrKe2Rl3nvVhASCRFuJHTcnzD
                                 sdQ5unD7ZkQkHIsu6fYALNIlue62j8ho/PoDVIk=
                                 ) ; key id = 36478
                         3600 IN DNSKEY 256 3 5 (
                                 AwEAAYejY5DjXhAQdBrKu2VNmiBNOAbu2Mm14GFKMWBR
                                 HHeJX6WyxtHDCYT+wNUU3AbG4ORYuAFOFK5jHxxaM7d5
                                 QQAOJiR736HVPHSdUtRw8q9KKAvXQCR7hHrvucDZFvuI
                                 UaCMFFTujCHtIb8dUXa4MH/7UMoO9QHyA4ZBplGNC9T9
                                 ) ; key id = 32530
                         3600 IN DNSKEY 256 3 5 (
                                 AwEAAa964kXhFOmmdAHtd2fo4O/fEWr5QLZepe/glhT/
                                 yLAKDWA3iFKQHFoppb9MEbPuH1KxoT5taExf/n1X7PFI
                                 Y4TOpwoMjG9rRyPAdE8bYyYu+6koTXiM+leeNy6nho14
                                 fVh6gPWicULvoAynEEXRhDJeyK46dPgFNKyEPWoh9kER
                                 ) ; key id = 54132



Launch a query to find a RRset of type RRSIG for zone: powerdnssec.org.

;; RRSIG for DNSKEY  is missing  to continue validation : FAILED


# and on port 5300 with drill:


drill -D -k trusted-keys -p 5300 powerdnssec.org @127.0.0.1 A IN

;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 26297
;; flags: qr aa rd ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; powerdnssec.org.     IN      A

;; ANSWER SECTION:
powerdnssec.org.        3600    IN      A       212.123.148.70
powerdnssec.org.        3600    IN      RRSIG   A 5 2 3600 20100506000000 20100422000000 54132 powerdnssec.org. qHQXAp7yCjoxX3IpmnbV9uNplg8PAfjCEHCGPER1ohAfQutXlUBfK8J1ygWHbpP8rHIosEP8z82xFx/RrbWpVYq9G8rQ33JTilV09o3ELMTsuoqSRwoLrVt07E3nT1NxrGug8VayqQYVUxwBvbXFMrgnJHzih/5dxxGKvjAAWl0= ;{id = 54132}

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 3 msec
;; EDNS: version 0; flags: do ; udp: 2800
;; SERVER: 127.0.0.1
;; WHEN: Thu Apr 22 08:56:18 2010
;; MSG SIZE  rcvd: 235
; powerdnssec.org.      3600    IN      A       212.123.148.70
BOGUS by id = 36478, owner = powerdnssec.org.


> Good luck!
>
>    

You too. :-)
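
Added example (not part of the original message, and not PowerDNS, dig or drill code): a structural version of the check that dig reports as failing above, namely that the RRSIG over the answer is made by a key in the DNSKEY RRset and that the DNSKEY RRset itself carries an RRSIG made by the trust anchor. The zone name, key material and signatures are constructed placeholders, the function names are hypothetical, and no cryptographic verification is performed.

```python
import base64

def key_tag(flags, protocol, algorithm, pubkey_b64):
    """Key tag per RFC 4034 Appendix B (all algorithms except 1)."""
    rdata = (flags.to_bytes(2, "big") + bytes([protocol, algorithm])
             + base64.b64decode(pubkey_b64))
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def parse(lines):
    """Return ({key_tag: flags} for DNSKEYs, [(type_covered, key_tag)] for RRSIGs)."""
    keys, sigs = {}, []
    for line in lines:
        f = line.split()
        if line.startswith(";") or len(f) < 5:
            continue
        rtype, rdata = f[3], f[4:]
        if rtype == "DNSKEY":
            flags, proto, alg = (int(x) for x in rdata[:3])
            keys[key_tag(flags, proto, alg, "".join(rdata[3:]))] = flags
        elif rtype == "RRSIG":
            sigs.append((rdata[0], int(rdata[6])))  # field 7 is the key tag
    return keys, sigs

def chain_problems(lines, qtype, anchor_tag):
    """List structural gaps between the answer RRset and the trust anchor."""
    keys, sigs = parse(lines)
    problems = []
    if anchor_tag not in keys:
        problems.append(f"trust anchor {anchor_tag} not in DNSKEY RRset")
    signers = [tag for covered, tag in sigs if covered == qtype]
    if not signers:
        problems.append(f"no RRSIG over {qtype} RRset")
    elif not any(tag in keys for tag in signers):
        problems.append(f"{qtype} RRSIG key tags {signers} not in DNSKEY RRset")
    if not any(c == "DNSKEY" and t == anchor_tag for c, t in sigs):
        problems.append(f"DNSKEY RRset has no RRSIG made by trust anchor {anchor_tag}")
    return problems

# Constructed sample in one-record-per-line form; tags 2059/2060 follow from the toy keys.
RESPONSE = [
    "example.test. 3600 IN A 192.0.2.1",
    "example.test. 3600 IN RRSIG A 5 2 3600 20100506000000 20100422000000 2059 example.test. c2ln",
    "example.test. 3600 IN DNSKEY 257 3 5 AQIDBA==",
    "example.test. 3600 IN DNSKEY 256 3 5 AQIDBA==",
]
SIGNED = RESPONSE + [
    "example.test. 3600 IN RRSIG DNSKEY 5 2 3600 20100506000000 20100422000000 2060 example.test. c2ln",
]
```
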


