Stephane Bortzmeyer <bortzme...@nic.fr> (Tue 14 Dec 2010 14:26:18 CET):
> On Tue, Dec 14, 2010 at 02:18:44PM +0100,
> Heiko Schlittermann <h...@schlittermann.de> wrote
> a message of 46 lines which said:
>
> > Using a current lenny with bind9 I can't validate (www|ftp).debian.org
> > anymore.
>
> Works for me (BIND on a lenny using dlv.isc.org). Note the ad bit:
>
> % dig +dnssec A www.debian.org
>
> ; <<>> DiG 9.6-ESV-R3 <<>> +dnssec A www.debian.org
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12253
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 4, ADDITIONAL: 13
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;www.debian.org. IN A
>
> ;; ANSWER SECTION:
> www.debian.org. 300 IN A 141.76.2.5
> www.debian.org. 300 IN A 213.129.232.18
> www.debian.org. 300 IN RRSIG A 5 3 300 20110111094829
> 20101214094829 38208 www.debian.org.
> AR+irfLzNRWYgbJwp4Nf6M1o3xpANStnSMNQ7iechFhX9YdDUgx7vHLl
> 4/mjM6RbyHJiCyz5supU4ubuWT5QxjvG6IE/HgoimiEjq4XsP7ANSEdF
> 1B3y270gBxn+tO2ZDfNwLdob9k3AXJnyOVUq9cPVaa8ZcNZ8rhJ04JLF
> 3i3E9AphlUywmQPTNTCEtOoV
>
> What is the output of 'dig +cd +dnssec www.debian.org' in your case?
# dig www.debian.org +dnssec @192.168.0.1

; <<>> DiG 9.7.1-P2 <<>> www.debian.org +dnssec @192.168.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 49087
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.debian.org. IN A

;; Query time: 341 msec
;; SERVER: 192.168.0.1#53(192.168.0.1)
;; WHEN: Tue Dec 14 14:40:12 2010
;; MSG SIZE rcvd: 43

The excuse in the server's syslog:

Dec 14 14:40:11 muli3 named[14985]: validating @0xb98d51b0: www.debian.org A: no valid signature found
Dec 14 14:40:11 muli3 named[14985]: no valid RRSIG resolving 'www.debian.org/A/IN': 195.20.242.125#53
Dec 14 14:40:11 muli3 named[14985]: validating @0xb98d51b0: www.debian.org A: no valid signature found
Dec 14 14:40:11 muli3 named[14985]: no valid RRSIG resolving 'www.debian.org/A/IN': 82.195.75.105#53
Dec 14 14:40:11 muli3 named[14985]: validating @0xb98d51b0: www.debian.org A: no valid signature found
Dec 14 14:40:11 muli3 named[14985]: no valid RRSIG resolving 'www.debian.org/A/IN': 206.12.19.113#53

With checking disabled:

# dig www.debian.org +cd +dnssec @192.168.0.1

; <<>> DiG 9.7.1-P2 <<>> www.debian.org +cd +dnssec @192.168.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14886
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 3, AUTHORITY: 4, ADDITIONAL: 13

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.debian.org. IN A

;; ANSWER SECTION:
www.debian.org. 132 IN A 213.129.232.18
www.debian.org. 132 IN A 141.76.2.5
www.debian.org. 132 IN RRSIG A 5 3 300 20110111094829 20101214094829 38208 www.debian.org.
AR+irfLzNRWYgbJwp4Nf6M1o3xpANStnSMNQ7iechFhX9YdDUgx7vHLl
4/mjM6RbyHJiCyz5supU4ubuWT5QxjvG6IE/HgoimiEjq4XsP7ANSEdF
1B3y270gBxn+tO2ZDfNwLdob9k3AXJnyOVUq9cPVaa8ZcNZ8rhJ04JLF
3i3E9AphlUywmQPTNTCEtOoV

<cut authority and additional section>

;; Query time: 28 msec
;; SERVER: 192.168.0.1#53(192.168.0.1)
;; WHEN: Tue Dec 14 14:38:22 2010
;; MSG SIZE rcvd: 1760

When I'm validating myself (dig +sigchase …) using the DNSKEY found for debian.org, I can validate the answers (tested for ftp, but expect the same for www).

-- 
Heiko
:: dresden : linux : SCHLITTERMAN.de
GPG Key 48D0359B : 3061 CFBF 2D88 F034 E8D2 7E92 EE4E AC98 48D0 359B
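The diagnostic the two posts above walk through (compare a plain query with a +cd query, then read the named log) can be scripted; this is an added example written for this thread, not code from either poster, and the header excerpts and log lines it embeds are constructed samples in the shape of the output quoted above.

```python
import re

# Constructed header excerpts modelled on the two dig runs in the thread
# above: the normal query (SERVFAIL) and the same query with +cd (NOERROR).
DIG_PLAIN = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 49087
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
DIG_CD = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14886
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 3, AUTHORITY: 4, ADDITIONAL: 13
"""
# Constructed named log lines in the same shape as the syslog excerpt above.
SYSLOG = """Dec 14 14:40:11 muli3 named[14985]: validating @0xb98d51b0: www.debian.org A: no valid signature found
Dec 14 14:40:11 muli3 named[14985]: no valid RRSIG resolving 'www.debian.org/A/IN': 195.20.242.125#53
Dec 14 14:40:11 muli3 named[14985]: no valid RRSIG resolving 'www.debian.org/A/IN': 82.195.75.105#53
"""

STATUS_RE = re.compile(r"status: ([A-Z]+)")
FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);", re.MULTILINE)
RRSIG_RE = re.compile(r"no valid RRSIG resolving '([^']+)': ([\d.]+)#\d+")


def parse_header(text):
    """Return (rcode, set of header flags) from a dig response."""
    status = STATUS_RE.search(text).group(1)
    flags = set(FLAGS_RE.search(text).group(1).split())
    return status, flags


def classify(plain, cd):
    """Classify a resolver's DNSSEC outcome from a normal and a +cd query.

    validated : NOERROR with the ad bit, the resolver verified the chain
    insecure  : NOERROR without ad, no chain of trust was established
    bogus     : SERVFAIL normally but NOERROR with checking disabled, so
                the data exists but its signatures failed validation
    other     : fails even with +cd, so not a validation problem
    """
    status, flags = parse_header(plain)
    status_cd, _ = parse_header(cd)
    if status == "NOERROR":
        return "validated" if "ad" in flags else "insecure"
    if status == "SERVFAIL" and status_cd == "NOERROR":
        return "bogus"
    return "other"


def failed_signers(log):
    """Collect (name/type/class, authoritative server) pairs from
    'no valid RRSIG' log lines, deduplicated and sorted."""
    return sorted({(m.group(1), m.group(2)) for m in RRSIG_RE.finditer(log)})
```

Note that a +cd response never carries the ad bit, so the ad check is made only on the plain query; the +cd query is used solely to tell "data exists but does not validate" apart from "no data at all".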