I vote no, if someone is setting up or testing DNSSEC, let's not encourage them to use a broken dig option!
I tried using the following command and dig core dumped. Note: www is setup as a CNAME. dig +trusted-key=trusted-key.key +topdown +sigchase +multiline -ta www.tuxedo.net I was wondering if I had done something wrong with DNSSEC... But other tools show (I think) it looks ok. drill -TD -k ../trusted-key.key www.tuxedo.net # See footnote 1 http://dnsviz.net/d/www.tuxedo.net/dnssec/ And some more digging and I found: The option is not compiled in by default upstream because it is broken. See: https://lists.isc.org/pipermail/bind-users/2012-May/087779.html https://lists.isc.org/pipermail/bind-users/2012-May/087781.html dig +trusted-key=trusted-key.key +topdown +sigchase +multiline -ta com ... ;; OK a DS valids a DNSKEY in the RRset ;; Now verify that this DNSKEY validates the DNSKEY RRset ;; VERIFYING DNSKEY RRset for com. with DNSKEY:30909: success ;; We are in a Grand Father Problem: See 2.2.1 in RFC 3568 ;; ERROR : com. is not a subdomain of: com. FAILED name.c:2151: REQUIRE(source->length > 0) failed, back trace #0 0x7f1a1cda5954 in ?? #1 0x7f1a1cda58ba in ?? #2 0x7f1a1d4a7bdc in ?? #3 0x7f1a1dc45f72 in ?? #4 0x7f1a1dc48397 in ?? #5 0x7f1a1dc4a3d2 in ?? #6 0x7f1a1cdc7af6 in ?? #7 0x7f1a1cb80182 in ?? #8 0x7f1a1c8acefd in ?? Aborted (core dumped) I also compiled bind-9.9.6-P1 to test if it was fixed in a newer release, and it is still broken. Footnote 1: Note drill is currently part of ldnsutils package and not unbound. https://www.nlnetlabs.nl/projects/drill/ -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1406729 Title: dig does not have a default trusted key To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/1406729/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
