Re: Anybody else having problems w/ DNSSEC and ftp.debian.org?

Heiko Schlittermann Mon, 20 Dec 2010 04:46:54 -0800

Florian Weimer <f...@deneb.enyo.de> (Sa 18 Dez 2010 21:41:43 CET):
> * Heiko Schlittermann:
> 
> > Could this somehow trigger this (unexpected) behaviour of a failing
> > validation? But why does it work for somebody (anybody?) else using this
> > version of bind? (output of the CHAOS version.bind query: "9.6-ESV-R3")
> 
> Obviously, it works for me, in quite a similar setup (consumer
> Internet from Deutsche Telekom, among other things).
> 
> Can you show us the output from:
> 
>   dig +cd +dnssec ftp.debian.org DS


; <<>> DiG 9.6-ESV-R3 <<>> +cd +dnssec ftp.debian.org DS
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12843
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;ftp.debian.org.                        IN      DS

;; ANSWER SECTION:
ftp.debian.org.         3574    IN      DS      40396 5 2 
94E9380BA08A219B09D754C922A920B7DC57FBC01D718195A4B9C3B3 EBE350EE
ftp.debian.org.         3574    IN      DS      40396 5 1 
A32112A2E98C1AD75745609F9B7313B4DE95380B
ftp.debian.org.         3574    IN      RRSIG   DS 7 3 3600 20110111224900 
20101214224900 42257 debian.org. 
iHNV5yTqrC8hShWErV90NwXGxQXBbWarj/7+UYpSg6NDqjX0CFXf8J21 
x1B/YvhxDkUHpPwrq/YLhvVlx4E9mCvXqklyQsmmktQT4vU72qudJoJ7 
cVCrwyUoFwWWtdvdJ1lwyjk/SXhOIHmzjexESUF/sHOT4rnrmmyhfRXp 
A1Ab8DfnbxoxTNvVZ/fjxDid

;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Dec 20 13:44:19 2010
;; MSG SIZE  rcvd: 313


>   dig +cd +dnssec ftp.debian.org DNSKEY

; <<>> DiG 9.6-ESV-R3 <<>> +cd +dnssec ftp.debian.org DNSKEY
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57772
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;ftp.debian.org.                        IN      DNSKEY

;; ANSWER SECTION:
ftp.debian.org.         28800   IN      DNSKEY  256 3 5 
AwEAAbKb7JLMdZbv5Ao/WndIcKiSajrEOzDggGF4JZGhkB/KD74sdZP4 
Stx47dJqUCOoA2ULnN3vtovBZbUdOkTFi2cSNuyzt6r4WnSmSi+iVtth 
4yTroUSirmT3dSQYU6Ouz6XhtqmwSL6kO94GHSg0rOYr2qDd0lu3uqs8 
gOCt+H3WHb1R+kl6yvFT1eb7cbmknQ==
ftp.debian.org.         28800   IN      DNSKEY  256 3 5 
AwEAAd2Q5QHO6rL3wGJET0d5foLUwiEZwXpRodq7j+70fKBTL5jEl6AB 
xpnt/zUHm62u1sYyDhv/mtB0q6cUKm6EnQ03WTiUU2n656fdjtaC+71D 
2B8KYv4uVHxVya5lEaxIklGLJvSnPwClkClanrCeCf0ALqfC74nOAZzy 
sWJ4iDfIth4DX9gcRrNf7lwcShr+Vw==
ftp.debian.org.         28800   IN      DNSKEY  257 3 5 
AwEAAanX1lSBuFPJX67wvJVJ81hkv1bV1BiqojH3pwdkxusxthvaLbGE 
bHWO4n3uY1gBhYw6ycRpyAUbjLE1NySzjpvfJY5KrLVPh1F89jyo9l16 
nlevXODge/Y5+Q0lOZhNhTDkt+c/Xvf0WfnkWZZVYY3SAZpZP5FBdkpI 
idbyXKMF63JYkYoRSC5gaURYRy6NwJrhUXTRDPPRC0sf7sw1ganNodDy 
6P7KqrWXdUOMBgFfHyQN3BmWjMRVdiY9N2+BnQ==
ftp.debian.org.         28800   IN      RRSIG   DNSKEY 5 3 28800 20110110133902 
20101213133902 9783 ftp.debian.org. 
v0ug+Kxv8QeSHZg7doZQUnsbKrAnuegSGX+Nfe7BmezONMyXXnbH8TC/ 
CCw3qQBBSltEJY1ytyvicfQnCaHXDc1vDvR9e6kzjoFFJxnSpNKsZXkh 
HtTSuO9RwmwWHQocpv06AOcRL2HeNl6hQcRh+28HGq3bgWveuRASEgKD 
u9eHCuQqtSrk97ymRJzNArON
ftp.debian.org.         28800   IN      RRSIG   DNSKEY 5 3 28800 20110110133902 
20101213133902 40396 ftp.debian.org. 
FenuaVpG8s5hjyRdyEmcAzXA/JtGsF7V1LqZeQZJ8pwlB6gidgCAUXDW 
wGjZBzzJl48LklxrSxyZDxdtN99/7lbDFgIEsmN5MabeQz6WCP2GBFq6 
A/nQJzLpPnZTqhw5pgfqTCjEyvOEVembqrEX4nU7QzeuYON0p6Y2I49Z 
PHpurX20dxW7DoLtXjeduUF0uTFVk6ToKt4SOpWcUF3syUeoyLzza7S1 
7VaeqLdi0L0u2CE907HQZKP1m3KaFWWN

;; Query time: 245 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Dec 20 13:44:45 2010
;; MSG SIZE  rcvd: 1011


>   dig +cd +dnssec ftp.debian.org A

; <<>> DiG 9.6-ESV-R3 <<>> +cd +dnssec ftp.debian.org A
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11161
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;ftp.debian.org.                        IN      A

;; ANSWER SECTION:
ftp.debian.org.         300     IN      A       130.89.149.226
ftp.debian.org.         300     IN      RRSIG   A 5 3 300 20110110133902 
20101213133902 9783 ftp.debian.org. 
GiKr7xnrmvBIdRT5VYxHWXzMae9KhHo09Qyx1+l5l4YNbpIiUw3aIkGp 
MOjsyETYy6hGVontU14me77sUChtI8tzGg11w9YKJopM46rplnTINpX+ 
U+ZVFIJtWaAyvLkmzPG3iZ8worZsWNEyShsqfl3lYqGl4Ma4jDPJDeHB 
KRdZFsIu5DPns153XwHmsvCw

;; AUTHORITY SECTION:
ftp.debian.org.         3580    IN      NS      geo3.debian.org.
ftp.debian.org.         3580    IN      NS      geo2.debian.org.
ftp.debian.org.         3580    IN      NS      geo1.debian.org.
ftp.debian.org.         3600    IN      RRSIG   NS 5 3 3600 20110110133902 
20101213133902 9783 ftp.debian.org. 
w/Tl/57AtBttNFpfNlC5uWm2sSJfcmppkY085gxdCfJ+Xngf9AHoYwpv 
+G5sCo0WUXcEnqLt1Dkox14n5iCt2YukV9k43nIWo1baUTjllWM8vijk 
r3wYDom+KDEFN+9haU7e618jo2f9Gw9wyJDX4FZpepkk7EwjqwB1sZeU 
nAIcWVM+FsdJfWPeIuo/a0m6

;; Query time: 62 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Dec 20 13:45:05 2010
;; MSG SIZE  rcvd: 496

>   dig +cd +dnssec debian.org DNSKEY

; <<>> DiG 9.6-ESV-R3 <<>> +cd +dnssec debian.org DNSKEY
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53095
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;debian.org.                    IN      DNSKEY

;; ANSWER SECTION:
debian.org.             28800   IN      DNSKEY  256 3 7 
AwEAAbY23+W8pitzG9iSHneRR7qyk4qPS1OJ430n8PknpBoIOCXGB2hb 
asUfTqtSs4bd53FWX28n96TMhvtmxaUcea9Co/w3ie3iuTrFGrxPX9PC 
EtW0THsG22SberyE0y8jIFQaQIWc+G0dncnVhqX6wl+zEqMBai5kOIic 
FP+gH0WQvqbimpeFl+ApRu88aACh9w==
debian.org.             28800   IN      DNSKEY  257 3 7 
AwEAAbGPo9hCvX50aYSJjQWf5+t7GRRWPGrTIFIG80BrTT/JHUYRl53f 
uVU6t1k3pcAzTbL0gE67evH3c7JFofK+U7vBhKksELdIVe6udZXAKoxn 
vhA1p4gs9ZulCmXLI6zeCSGJtlJetqc1YxOmm/nTa9+CPokgfgw0ixBK 
7vjW5HKuq4WZHnjLWD+OCQoD1EDtT6XlSr3hLDhYfM7Q5uHo8OjiWGZ9 
ZCWn7n3o+3vDeQQYQH+4lDzO6XKLvLMEafh08w==
debian.org.             28800   IN      DNSKEY  256 3 7 
AwEAAa3LMyBNCjxf4pfc2L1hPRY8a0i4TJBZjg61lU9yXDDPuWLAKlnk 
UhN1acJ+em6VV8UchUOxi99FsEHvouhWq9QvguLmCUQobbfR13zvioUk 
aYtlyKuEWZVnMq/Ymo7TXRNv8LBncrMKVDBlid+V3tRqjC57ViLf1Hsh 
QOFR1bjQrGjFtnhcsr9StBmxDxOkRw==
debian.org.             28800   IN      RRSIG   DNSKEY 7 2 28800 20110111224900 
20101214224900 5283 debian.org. 
nQsPhNUcEyorPbIv5HRgP4T5CGGFCkL9FUY2UpeM8QPUa0mSAsq9W26y 
II86eUa0ykthFnIlslvutygOAz+ZnsDCs3yUl7Gfk5vyGmA0cntbcRct 
bwqlpQmJA9HUtkiuB/k5CpyQ93ql2C3mdgltNiuL+DStjBUEXg55Ltux 
103I3Vwct6odGWve8UR1zz4cj+TnkJliC8fcKKH5p0o8dsqMJshhhLL4 
N1dmjILzqSwWaXW04j9DmqtMaW/b7HWP
debian.org.             28800   IN      RRSIG   DNSKEY 7 2 28800 20110111224900 
20101214224900 42257 debian.org. 
D1Xz1eiUp6bdqJdA7zqP7TWHv9STwhfy+CuOCVCjNdffWBYikNS2me9o 
xKduj8ky1+Kr+sj0RdrR8+rvjZ9qsSWVVJVGnTGrVI/RhwcmWQQAydhh 
AnNletC9jJJRenFP0b8hmFUKl9Y3QzVFaiMiOOQWBIRoRBitAF4LTjSH 
vJE3BWSVoT1l6lgDnw5ebvlr

;; Query time: 118 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Dec 20 13:45:25 2010
;; MSG SIZE  rcvd: 999


-- 
Heiko :: dresden : linux : SCHLITTERMANN.de
GPG Key 48D0359B : 3061 CFBF 2D88 F034 E8D2 7E92 EE4E AC98 48D0 359B

signature.asc
Description: Digital signature

Re: Anybody else having problems w/ DNSSEC and ftp.debian.org?

Reply via email to