Quantcast
Channel: Network – Weberblog.net
Viewing all articles
Browse latest Browse all 253

Dive into delv: DNSSEC Validation

$
0
0

If you’re into DNSSEC, you’ll probably have to troubleshoot or at least to verify it. While there are some good online tools such as DNSViz, there is also a command-line tool to test DNSSEC signatures onsite: delv.

delv will send to a specified name server all queries needed to fetch and validate the requested data; this includes the original requested query, subsequent queries to follow CNAME or DNAME chains, and queries for DNSKEY, DS and DLV records to establish a chain of trust for DNSSEC validation. It does not perform iterative resolution, but simulates the behavior of a name server configured for DNSSEC validating and forwarding.

Citing the manpage again:

By default, responses are validated using built-in DNSSEC trust anchor for the root zone (“.”). Records returned by delv are either fully validated or were not signed. If validation fails, an explanation of the failure is included in the output; the validation process can be traced in detail. Because delv does not rely on an external server to carry out validation, it can be used to check the validity of DNS responses in environments where local name servers may not be trustworthy.
This blogpost is part of a series about DNSSEC. Refer to this list for all articles.

Without any options, delv outputs the A record and the corresponding RRSIG (if present), while it fully validates the DNSSEC signature. A simple call looks like this, while for IPv6 addresses you have to specify the type with AAAA. Note the “fully validated” line since the following hostnames are DNSSEC signed:

weberjoh@vm22-lx2:~$ delv @2001:470:765b::d034:53 lx.weberlab.de
; fully validated
lx.weberlab.de.         54      IN      A       193.24.227.230
lx.weberlab.de.         54      IN      RRSIG   A 10 3 60 20191118181337 20191019175246 36935 weberlab.de. O6uzfPD91EkCiPPYWrfAx3Jy9gjEUT5MwRqtGEjmqv90g6OaDqooMuZY cXe8Qtf9ZFrw7NRoBgK4BQec6lN3Qvg/ul7i4iXtX60TwnDm1QbvGBeP q2U6k9hhv2nEL646x0tDYbIkz1sCPbHxYTo8ARAZG4sI6aHU8POO2SOq FFfJOuRUTuKDWoinJ5qmxm75g3ZeqGAAWhTNsi/Ws2VBNAsMIR0EAe+s hrnmOpU83p+2zhaAFYltS3OdEmvjV1C5B+ncbl1TECREQ/zgrHTdJvoP Rn2twl1OvdWDGGtE6tufU+WfzKhI7IS0r2PAAlkYBw6mN1G2yuU3CBza 5BLnZA==
weberjoh@vm22-lx2:~$ delv @2001:470:765b::d034:53 lx.weberlab.de aaaa
; fully validated
lx.weberlab.de.         51      IN      AAAA    2001:470:765b::b15:22
lx.weberlab.de.         51      IN      RRSIG   AAAA 10 3 60 20191118190408 20191019182659 36935 weberlab.de. B474s0nkDDNNTErDbN4iBVttagxt+Nj9yCSiPm3kfvuOKPwDoFQ9SjUU 1DrQ4/E5phz+eDrHZqM9PX37KtwKjos72mdddS0a7r2MsAUrNqGrVMeQ 5OqYMw+XWxN1mvCA4t1wn43z0T/WbAbekCL+hWV5qjW9Oe00wa1pqJRn rb+yijbYlwFom09UxHnBcN9w+tpHbr3ZdJXKOZCSp/6mJQXu+BSSTTji bki4dbbhR53Hm/NbIDYAnkp7hGX+PKmMz3mKCGGxfNcH4kF8J9d6NvxO P3EtR9169pQK3CJt7Oa4w7B4EEXhBe9m/GMIz1b7oSCj1/0AvuwEEzN+ L7dtKg==

For hostnames that aren’t signed, delv outputs this “unsigned answer”:

weberjoh@vm22-lx2:~$ delv @2001:470:765b::d034:53 heise.de
; unsigned answer
heise.de.               3200171710 IN   A       193.99.144.80
weberjoh@vm22-lx2:~$ delv @2001:470:765b::d034:53 heise.de aaaa
; unsigned answer
heise.de.               3200171710 IN   AAAA    2a02:2e0:3fe:1001:302::

Traces

Now, this is what delv is about: a couple of trace options:

+[no]rtrace     (Trace resolver fetches)
+[no]mtrace     (Trace messages received)
+[no]vtrace     (Trace validation process)

Note: Unlike dig, which does iterative DNS queries when using the +trace option, delv always uses the given recursive DNS server for each of its queries.

+rtrace

Just to list all queried RRs; no further DNSSEC details:

weberjoh@vm22-lx2:~$ delv @2001:470:765b::d034:53 lx.weberlab.de +rtrace
;; fetch: lx.weberlab.de/A
;; fetch: weberlab.de/DNSKEY
;; fetch: weberlab.de/DS
;; fetch: de/DNSKEY
;; fetch: de/DS
;; fetch: ./DNSKEY
; fully validated
lx.weberlab.de.         60      IN      A       193.24.227.230
lx.weberlab.de.         60      IN      RRSIG   A 10 3 60 20191118181337 20191019175246 36935 weberlab.de. O6uzfPD91EkCiPPYWrfAx3Jy9gjEUT5MwRqtGEjmqv90g6OaDqooMuZY cXe8Qtf9ZFrw7NRoBgK4BQec6lN3Qvg/ul7i4iXtX60TwnDm1QbvGBeP q2U6k9hhv2nEL646x0tDYbIkz1sCPbHxYTo8ARAZG4sI6aHU8POO2SOq FFfJOuRUTuKDWoinJ5qmxm75g3ZeqGAAWhTNsi/Ws2VBNAsMIR0EAe+s hrnmOpU83p+2zhaAFYltS3OdEmvjV1C5B+ncbl1TECREQ/zgrHTdJvoP Rn2twl1OvdWDGGtE6tufU+WfzKhI7IS0r2PAAlkYBw6mN1G2yuU3CBza 5BLnZA==

+mtrace

Caution: Same as rtrace but with the full content of all RRs:

weberjoh@vm22-lx2:~$ delv @2001:470:765b::d034:53 lx.weberlab.de +mtrace
;; fetch: lx.weberlab.de/A
;; received packet from 2001:470:765b::d034:53#53
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  30196
;; flags: qr rd ra ad; QUESTION: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: 2a7668e6bc6d6f32b9ea8d845dbadf330310da784b848967
;; QUESTION SECTION:
;lx.weberlab.de.                        IN      A

;; ANSWER SECTION:
;lx.weberlab.de.                60      IN      A       193.24.227.230
;lx.weberlab.de.                60      IN      RRSIG   A 10 3 60 (
;                                               20191118181337 20191019175246 36935 weberlab.de.
;                                               O6uzfPD91EkCiPPYWrfAx3Jy9gjE
;                                               UT5MwRqtGEjmqv90g6OaDqooMuZY
;                                               cXe8Qtf9ZFrw7NRoBgK4BQec6lN3
;                                               Qvg/ul7i4iXtX60TwnDm1QbvGBeP
;                                               q2U6k9hhv2nEL646x0tDYbIkz1sC
;                                               PbHxYTo8ARAZG4sI6aHU8POO2SOq
;                                               FFfJOuRUTuKDWoinJ5qmxm75g3Ze
;                                               qGAAWhTNsi/Ws2VBNAsMIR0EAe+s
;                                               hrnmOpU83p+2zhaAFYltS3OdEmvj
;                                               V1C5B+ncbl1TECREQ/zgrHTdJvoP
;                                               Rn2twl1OvdWDGGtE6tufU+WfzKhI
;                                               7IS0r2PAAlkYBw6mN1G2yuU3CBza
;                                               5BLnZA== )


;; fetch: weberlab.de/DNSKEY
;; received packet from 2001:470:765b::d034:53#53
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  54483
;; flags: qr rd ra ad; QUESTION: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: 2a7668e6bc6d6f32690cb5845dbadf34bcae2714094a31c6
;; QUESTION SECTION:
;weberlab.de.                   IN      DNSKEY

;; ANSWER SECTION:
;weberlab.de.           59      IN      DNSKEY  257 3 10 (
;                                               AwEAAd3v/e0irXYKOwtYEB3VPe7z
;                                               99qvi5le9/y1XXyplp5y/5xaqrm/
;                                               relG8pgx8GsNW2IgviJKAJ6UiU45
;                                               ERKoH+fz2qf2SUFHFWwkweiWyLZ4
;                                               EZHhowviCEx94P4OswNKXmdYHe38
;                                               rlHPa+3OypW9gYfR9lhCKK3neCPq
;                                               8/aFFsTTI7dQ+Q2kERWiCMCybl4W
;                                               OwsBo/RlnPM4yufMKIlABiM5NWQP
;                                               NmI6jYzAYpYoyUhd9HnnIIDlNQ89
;                                               HpXQdFmysMraXYb7qDOoOEiOodtt
;                                               KH0y/vtJ2SRU05RF4AEumacIUzAi
;                                               5LL2cMQxC7t7rlDI4X42NRfOLAqG
;                                               uOeclFjzqz3OdAJWeg/AAnSbb02A
;                                               GCkQ370TX1hWveAXt6xpPWOLgHXS
;                                               LIF/lz+wl+Dm8ZNWDnn5zEJuEj3x
;                                               ova1g8zmRXJOmqA6VhGqewxF8c+y
;                                               KeNEOHz4X4/RLmWHIuEbvboP00Dk
;                                               5A9bhyZGVsytOJg+NwhFQtvBWLmD
;                                               82FFtfSt2vmbFFNwAZOnRZWJOG9L
;                                               7TFcGIm1OEULmohUyFLsBGMXDFOu
;                                               1k0o6pqm495tsBuMyJNpfdQoPwOk
;                                               UpsKi6jmNq6vRjvvNiJbcFylTQrq
;                                               HGTGuOopuUsBbUXj/nOr4I6j42k6
;                                               GDIuTyLDkaVrdrxXmGnfNnStdqWm
;                                               vHXo/YFwdls9bcT7
;                                               ) ; KSK; alg = RSASHA512 ; key id = 13179
;weberlab.de.           59      IN      DNSKEY  256 3 10 (
;                                               AwEAAdBU3CjxUKw7SeYza7cxyq/X
;                                               g3znVQsMzuF/UeLaigOubtJHhxhL
;                                               +m129IxQkTKo8JRIXcKXD+aVizti
;                                               ml8+8BPCXFNPftFpdFCzBRNGHj/c
;                                               a1g/Flck6v5avafB/hGqbWKY2LEG
;                                               Kb5ktYWGj8JB0mrKGqDZVPyieC0d
;                                               YVv02iOaOvUhdl7QtgVybR3V6gHl
;                                               hoG0BxG+GbjUp+NyPClbuMOIwflb
;                                               VGB5946PyQGQgnGNX2L1MHumOaYC
;                                               /D3UnyzQZNMmqj85GwDNPwEeDfLq
;                                               6wm1BUfx7MwwcEVuO2B0YmUyiPiS
;                                               fUoGTwm2P1nGNMhlYij3bY9VvyxC
;                                               qPQnK0s5Tr0=
;                                               ) ; ZSK; alg = RSASHA512 ; key id = 36935
;weberlab.de.           59      IN      RRSIG   DNSKEY 10 2 60 (
;                                               20191118174444 20191019171548 13179 weberlab.de.
;                                               jyokkdFxqKkmRbjWJlAJXV9T+yZ7
;                                               se5wtJadV1NH8OsWZfLO35thOQVR
;                                               c5ohF7IiS5wSokTou1UGF2o9tZYO
;                                               Kq+VCxpw2o+jWoPPss+e2AVVVjdE
;                                               5dqTf4cF5WItPoqOyTthO2/QUPB4
;                                               wJcPXBSH0PkiAhfsJZ5Ijc1dsY8V
;                                               lwioaaIJwQuGILGzhNzqBJbQFMHd
;                                               63gt/BIVk9OPRomG2Syvp9hiIAid
;                                               PJRrRK05XNzH994L6aBwAwh44H1I
;                                               KUl5BTgQcOpUoTEBt/3ilQeZ+qn/
;                                               oa9GTGM1mUenlbNytZvm4iSS0ty7
;                                               X1uEusyfOp5wkDQCOafjSDL6j3DY
;                                               u3y4E1Oe33F8/yqWFfdW/q1yPhXf
;                                               GjP4SxF0NwRbfUgUTFIHHqs5W107
;                                               VlXOgQgzw61cBE0pTSxbj/CEt5m0
;                                               VRsPterEPvnL4ZKcdNQ//f1ekMxu
;                                               vIL1n/Yu99lYhM1zIsnRBCj35mLQ
;                                               nDVyzHnQZNhjrrPPPBBBlS9eDs1u
;                                               0jCXruo5fbbkzjhYFKPBTKsYPm8Q
;                                               0hj4c5UU5NDCHTMNIwFV3Pxs9/Hx
;                                               eFswh5nsmZ0LAbhVnqNx+wvHwE1A
;                                               +v337G3t1Ze8X8UNwY7qD/aTdqr3
;                                               YE8k8QlWXXWhCrM9uoifgCPbTsvQ
;                                               cMsf+AR7+Fe6Gnpkk0VtBAAK1c39
;                                               7MP7EfveDrM= )
;weberlab.de.           59      IN      RRSIG   DNSKEY 10 2 60 (
;                                               20191118174444 20191019171548 36935 weberlab.de.
;                                               MJBQuD2M2bShRuzeYqFkt9YxirqJ
;                                               VaVgedU71a19Di8xaVoQ5DWIyVjM
;                                               rta5018E25Cc9TfULoTUUExx/1h/
;                                               5akGteAw127d0AGyxG7Biw4+6CHl
;                                               h9Speqwh90xv4JEwRgvpQAKo5HI7
;                                               0Q33Rq6y2E640nvjnXDkyjRGKfEN
;                                               /DZDnMT8jfau2nQhH5pYe2UooDRy
;                                               J0P0WB7yoSCTa/HvvLcBdKhqg5FR
;                                               k6TKhOGUZId/T7iKYKWjAiihPZJ6
;                                               B0kY/4ge7Aj1m2F+nrSiDGEWNLHS
;                                               zI8q2nhCtSSo1LcJbjslhh66hGDr
;                                               cZpPOvpGzitDWoyHVEG/xcvOD8wx
;                                               r9yCDQ== )


;; fetch: weberlab.de/DS
;; received packet from 2001:470:765b::d034:53#53
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  37362
;; flags: qr rd ra ad; QUESTION: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: 2a7668e6bc6d6f32bf43dcfa5dbadf34d207d999ffa06faa
;; QUESTION SECTION:
;weberlab.de.                   IN      DS

;; ANSWER SECTION:
;weberlab.de.           84390   IN      DS      13179 10 2 (
;                                               1D2907B0240797CA97339E036C76
;                                               52923C768CB80241E13139BFB4B9
;                                               C7359D1C )
;weberlab.de.           84390   IN      RRSIG   DS 8 2 86400 (
;                                               20191107110105 20191031110105 26008 de.
;                                               rcpt+LH1xg05q2MPGLTQFA/SF99g
;                                               vU4yxPFlve3IW8t7A/oXLEhcTCAn
;                                               6dFSS3THTZS8GA3pJaT/OC820uRZ
;                                               kgFTJwXUDyha+pUV7FvnDNQ+rv+2
;                                               YHJa28obiRnn0MVOz5fiotj9DtxH
;                                               5AMCPmZR+85w8O/+Q93lOWd8Fz8+
;                                               tJc= )


;; fetch: de/DNSKEY
;; received packet from 2001:470:765b::d034:53#53
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:   4031
;; flags: qr rd ra ad; QUESTION: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: 2a7668e6bc6d6f32bafb68f85dbadf34185cf94965959e46
;; QUESTION SECTION:
;de.                            IN      DNSKEY

;; ANSWER SECTION:
;de.                    5177    IN      DNSKEY  257 3 8 (
;                                               AwEAAaZEsxM26e8MgLuWsLAeRd7B
;                                               zNdJjvhfGbqQ1xxtYd4TPPqYr7Qc
;                                               K9Em18VyYEnjqXOqVWBuOhCWnrij
;                                               P5GiumIliap+LerHjTk3QCgim1qv
;                                               w3k7UFOgwMe8yOl7hghG8Nbgw6Un
;                                               VfmUD71TaGSwj1C5EO2guiXZkFPU
;                                               p2UzmUmoe5EWwtzCni7L0RDl5MaR
;                                               VhjUBEkPrAVI603GDTuwtRKZLTiy
;                                               fc3Qmq/u83/6Knxot5pHp3reRcsp
;                                               0vk2G+RQubgDKsmaXCql4mPzR911
;                                               Di68vwbBfSyLZ0EOwVkrO7VJgr/R
;                                               JJ37JlydfQfGmQ3Dkvw1h8ifZhRC
;                                               8oOkv8ynUXM=
;                                               ) ; KSK; alg = RSASHA256 ; key id = 39227
;de.                    5177    IN      DNSKEY  256 3 8 (
;                                               AwEAAcL2Tu+smk2pM7O8uWv0rOwY
;                                               vqq6KHOtvek7IXi3wylUOV8K0jmi
;                                               kKI5VoFCQ1DK4CgZzL3B0R1BSUbJ
;                                               hz6onfnHQo2yK21JYaejwEojT2Ny
;                                               hWYkzd3MPRePKlkxJ2iiytyoytlw
;                                               wCBzqBRuMqb77YS03k6pyhw4OUTb
;                                               Ll8zh2jP
;                                               ) ; ZSK; alg = RSASHA256 ; key id = 26008
;de.                    5177    IN      RRSIG   DNSKEY 8 1 7200 (
;                                               20191121120000 20191031120000 39227 de.
;                                               aTHqfYkXo4meuL0wqfxFW4ctium/
;                                               ihWEFDAhrYTCN2Mgj+6sXLvsqn9D
;                                               zkRKFRsFjT4pEeH90yA+MPL3fmbn
;                                               RYok1mOT7LHFGBPHGOKVR8VGgC6Q
;                                               RHiPWX0q1DhXe+EFl2Fa/h4YAY6N
;                                               BrYStjPVUJZR5Slo0lCLYrZ/V1hE
;                                               mQ6QAPjEEWxvbWm5R+NlTFmqPbBx
;                                               Ut7q4Re9cq6u7F+bpK8LkgbXurX6
;                                               Jm0XmAkJUeNd0eeyoJ3toU4xK1PW
;                                               /R6gdCmsFT3lokWqUyz2gCRJKUu/
;                                               T1Fy5YN27g6KHULfwba2OwOAxuxC
;                                               TlrWMJXYjLWpL0zbbhDsPeS816N9
;                                               KKxdlA== )


;; fetch: de/DS
;; received packet from 2001:470:765b::d034:53#53
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  23429
;; flags: qr rd ra ad; QUESTION: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: 2a7668e6bc6d6f32d8fa52405dbadf347d3a280df7e6c4de
;; QUESTION SECTION:
;de.                            IN      DS

;; ANSWER SECTION:
;de.                    84377   IN      DS      45580 8 2 (
;                                               918C32E2F12211766BE6226674F4
;                                               47458F2259B9A0D87B44D29D55AF
;                                               ECA6B2E1 )
;de.                    84377   IN      DS      39227 8 2 (
;                                               AAB73083B9EF70E4A5E94769A418
;                                               AC12E887FC3C0875EF206C3451DC
;                                               40B6C4FA )
;de.                    84377   IN      RRSIG   DS 8 1 86400 (
;                                               20191113050000 20191031040000 22545 .
;                                               EF5lH/f+m6Ii8dC7XbHruYqZI5mX
;                                               xZXfM4dLU+f04hvHZXNoAwgn9BIv
;                                               Zeka5OkSd2TahwNC5WZDhemdc6hV
;                                               aI32wsnwNAfcHw45ehoWuNLK/pem
;                                               iyCKrDG2l1baHFFXM7YdwKqcBqVI
;                                               54k9AClB2MmnisuR+9Fr6WaZRHjI
;                                               24QLYajONGOaEX1Q4U3LhQrUtzhM
;                                               Qx7dmaqYVDXvKMKtWV+Xprkxr8kx
;                                               pKpAyKjE/P+WTiFij5LcSvKBQMBm
;                                               uF+ZcG/Gec4qNaVYxTnFuaFde6A3
;                                               gCfCBB8C4lpWnK2YSUlF1DWYm1Lj
;                                               aBt1KAoSP++MYXSp8XdDo2plCo3n
;                                               bdzzvA== )


;; fetch: ./DNSKEY
;; received packet from 2001:470:765b::d034:53#53
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  41299
;; flags: qr rd ra ad; QUESTION: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: 2a7668e6bc6d6f32f4b05fc35dbadf343914babf37d03ad8
;; QUESTION SECTION:
;.                              IN      DNSKEY

;; ANSWER SECTION:
;.                      170776  IN      DNSKEY  256 3 8 (
;                                               AwEAAbPwrxwtOMENWvblQbUFwBll
;                                               R7ZtXsu9rg/LdyklKs9gU2GQTeOc
;                                               59XjhuAPZ4WrT09z6YPL+vzIIJqn
;                                               G3Hiru7hFUQ4pH0qsLNxrsuZrZYm
;                                               XAKoVa9SXL1Ap0LygwrIugEk1G4v
;                                               7Rk/Alt1jLUIE+ZymGtSEhIuGQdX
;                                               rEmj3ffzXY13H42X4Ja3vJTn/WIQ
;                                               OXY7vwHXGDypSh9j0Tt0hknF1yVJ
;                                               CrIpfkhFWihMKNdMzMprD4bV+PDL
;                                               RA5YSn3OPIeUnRn9qBUCN11LXQKb
;                                               +W3Jg+m/5xQRQJzJ/qXgDh1+aN+M
;                                               c9AstP29Y/ZLFmF6cKtL2zoUMN5I
;                                               5QymeSkJJzc=
;                                               ) ; ZSK; alg = RSASHA256 ; key id = 22545
;.                      170776  IN      DNSKEY  257 3 8 (
;                                               AwEAAaz/tAm8yTn4Mfeh5eyI96WS
;                                               VexTBAvkMgJzkKTOiW1vkIbzxeF3
;                                               +/4RgWOq7HrxRixHlFlExOLAJr5e
;                                               mLvN7SWXgnLh4+B5xQlNVz8Og8kv
;                                               ArMtNROxVQuCaSnIDdD5LKyWbRd2
;                                               n9WGe2R8PzgCmr3EgVLrjyBxWezF
;                                               0jLHwVN8efS3rCj/EWgvIWgb9tar
;                                               pVUDK/b58Da+sqqls3eNbuv7pr+e
;                                               oZG+SrDK6nWeL3c6H5Apxz7LjVc1
;                                               uTIdsIXxuOLYA4/ilBmSVIzuDWfd
;                                               RUfhHdY6+cn8HFRm+2hM8AnXGXws
;                                               9555KrUB5qihylGa8subX2Nn6UwN
;                                               R1AkUTV74bU=
;                                               ) ; KSK; alg = RSASHA256 ; key id = 20326
;.                      170776  IN      RRSIG   DNSKEY 8 0 172800 (
;                                               20191121000000 20191031000000 20326 .
;                                               TrhgwZ2wM8eoVzdemdBjxrfDIh9Q
;                                               fB6P2xlnKASTcqUAWzmseM3Jpte4
;                                               P0g2tINZEur+Wkto30pfg1J/YUK9
;                                               Cofy8xz8tz5yqtDJ+qMyiZsfnxRd
;                                               vkhtPgKnQnnxm07j4VBQVS5ubwCK
;                                               4ByPa27uc/bOxpG8bETvhNXc1jjt
;                                               5+j84+G+2m7cx2IoRsSNxTORDV/p
;                                               FPRbE7Dh87H1gqkAQ9gDQ1VpVW9w
;                                               6qX93Mnh2+/cW9o8g88Nvt+F77Kd
;                                               c7fn2JDiy1XIk/wJC6Eu3uRNpGVL
;                                               HtL1APfrG4/qkfOVABx0rhPUwbTe
;                                               FmMG3YCcapHp3+JibiCjTsQZJtCz
;                                               YyRnIw== )


; fully validated
lx.weberlab.de.         60      IN      A       193.24.227.230
lx.weberlab.de.         60      IN      RRSIG   A 10 3 60 20191118181337 20191019175246 36935 weberlab.de. O6uzfPD91EkCiPPYWrfAx3Jy9gjEUT5MwRqtGEjmqv90g6OaDqooMuZY cXe8Qtf9ZFrw7NRoBgK4BQec6lN3Qvg/ul7i4iXtX60TwnDm1QbvGBeP q2U6k9hhv2nEL646x0tDYbIkz1sCPbHxYTo8ARAZG4sI6aHU8POO2SOq FFfJOuRUTuKDWoinJ5qmxm75g3ZeqGAAWhTNsi/Ws2VBNAsMIR0EAe+s hrnmOpU83p+2zhaAFYltS3OdEmvjV1C5B+ncbl1TECREQ/zgrHTdJvoP Rn2twl1OvdWDGGtE6tufU+WfzKhI7IS0r2PAAlkYBw6mN1G2yuU3CBza 5BLnZA==

+vtrace

Here we go: Tracing the validation process with many additional notes on how this process occurs. A DNSSEC signed hostname looks like this:

weberjoh@vm22-lx2:~$ delv @2001:470:765b::d034:53 lx.weberlab.de +vtrace
;; fetch: lx.weberlab.de/A
;; validating lx.weberlab.de/A: starting
;; validating lx.weberlab.de/A: attempting positive response validation
;; fetch: weberlab.de/DNSKEY
;; validating weberlab.de/DNSKEY: starting
;; validating weberlab.de/DNSKEY: attempting positive response validation
;; fetch: weberlab.de/DS
;; validating weberlab.de/DS: starting
;; validating weberlab.de/DS: attempting positive response validation
;; fetch: de/DNSKEY
;; validating de/DNSKEY: starting
;; validating de/DNSKEY: attempting positive response validation
;; fetch: de/DS
;; validating de/DS: starting
;; validating de/DS: attempting positive response validation
;; fetch: ./DNSKEY
;; validating ./DNSKEY: starting
;; validating ./DNSKEY: attempting positive response validation
;; validating ./DNSKEY: verify rdataset (keyid=20326): success
;; validating ./DNSKEY: signed by trusted key; marking as secure
;; validating de/DS: in fetch_callback_validator
;; validating de/DS: keyset with trust secure
;; validating de/DS: resuming validate
;; validating de/DS: verify rdataset (keyid=22545): success
;; validating de/DS: marking as secure, noqname proof not needed
;; validating de/DNSKEY: in dsfetched
;; validating de/DNSKEY: dsset with trust secure
;; validating de/DNSKEY: verify rdataset (keyid=39227): success
;; validating de/DNSKEY: marking as secure (DS)
;; validating weberlab.de/DS: in fetch_callback_validator
;; validating weberlab.de/DS: keyset with trust secure
;; validating weberlab.de/DS: resuming validate
;; validating weberlab.de/DS: verify rdataset (keyid=26008): success
;; validating weberlab.de/DS: marking as secure, noqname proof not needed
;; validating weberlab.de/DNSKEY: in dsfetched
;; validating weberlab.de/DNSKEY: dsset with trust secure
;; validating weberlab.de/DNSKEY: verify rdataset (keyid=13179): success
;; validating weberlab.de/DNSKEY: marking as secure (DS)
;; validating lx.weberlab.de/A: in fetch_callback_validator
;; validating lx.weberlab.de/A: keyset with trust secure
;; validating lx.weberlab.de/A: resuming validate
;; validating lx.weberlab.de/A: verify rdataset (keyid=36935): success
;; validating lx.weberlab.de/A: marking as secure, noqname proof not needed
; fully validated
lx.weberlab.de.         60      IN      A       193.24.227.230
lx.weberlab.de.         60      IN      RRSIG   A 10 3 60 20191118181337 20191019175246 36935 weberlab.de. O6uzfPD91EkCiPPYWrfAx3Jy9gjEUT5MwRqtGEjmqv90g6OaDqooMuZY cXe8Qtf9ZFrw7NRoBgK4BQec6lN3Qvg/ul7i4iXtX60TwnDm1QbvGBeP q2U6k9hhv2nEL646x0tDYbIkz1sCPbHxYTo8ARAZG4sI6aHU8POO2SOq FFfJOuRUTuKDWoinJ5qmxm75g3ZeqGAAWhTNsi/Ws2VBNAsMIR0EAe+s hrnmOpU83p+2zhaAFYltS3OdEmvjV1C5B+ncbl1TECREQ/zgrHTdJvoP Rn2twl1OvdWDGGtE6tufU+WfzKhI7IS0r2PAAlkYBw6mN1G2yuU3CBza 5BLnZA==

An unsigned hostname like this:

weberjoh@vm22-lx2:~$ delv @2001:470:765b::d034:53 heise.de +vtrace
;; fetch: heise.de/A
;; validating heise.de/A: starting
;; validating heise.de/A: attempting insecurity proof
;; validating heise.de/A: checking existence of DS at 'de'
;; fetch: de/DS
;; validating de/DS: starting
;; validating de/DS: attempting positive response validation
;; fetch: ./DNSKEY
;; validating ./DNSKEY: starting
;; validating ./DNSKEY: attempting positive response validation
;; validating ./DNSKEY: verify rdataset (keyid=20326): success
;; validating ./DNSKEY: signed by trusted key; marking as secure
;; validating de/DS: in fetch_callback_validator
;; validating de/DS: keyset with trust secure
;; validating de/DS: resuming validate
;; validating de/DS: verify rdataset (keyid=22545): success
;; validating de/DS: marking as secure, noqname proof not needed
;; validating heise.de/A: in dsfetched2: success
;; validating heise.de/A: resuming proveunsecure
;; validating heise.de/A: checking existence of DS at 'heise.de'
;; fetch: heise.de/DS
;; validating heise.de/DS: starting
;; validating heise.de/DS: attempting negative response validation
;;   validating de/SOA: starting
;;   validating de/SOA: attempting positive response validation
;; fetch: de/DNSKEY
;; validating de/DNSKEY: starting
;; validating de/DNSKEY: attempting positive response validation
;; validating de/DNSKEY: verify rdataset (keyid=39227): success
;; validating de/DNSKEY: marking as secure (DS)
;;   validating de/SOA: in fetch_callback_validator
;;   validating de/SOA: keyset with trust secure
;;   validating de/SOA: resuming validate
;;   validating de/SOA: verify rdataset (keyid=26008): success
;;   validating de/SOA: marking as secure, noqname proof not needed
;; validating heise.de/DS: in authvalidated
;; validating heise.de/DS: resuming nsecvalidate
;;   validating h319dm5gc3edek691vqbhehot7vggj2b.de/NSEC3: starting
;;   validating h319dm5gc3edek691vqbhehot7vggj2b.de/NSEC3: attempting positive response validation
;;   validating h319dm5gc3edek691vqbhehot7vggj2b.de/NSEC3: keyset with trust secure
;;   validating h319dm5gc3edek691vqbhehot7vggj2b.de/NSEC3: verify rdataset (keyid=26008): success
;;   validating h319dm5gc3edek691vqbhehot7vggj2b.de/NSEC3: marking as secure, noqname proof not needed
;; validating heise.de/DS: in authvalidated
;; validating heise.de/DS: resuming nsecvalidate
;;   validating umuntapqo13nesn6k3fa655agu3icvln.de/NSEC3: starting
;;   validating umuntapqo13nesn6k3fa655agu3icvln.de/NSEC3: attempting positive response validation
;;   validating umuntapqo13nesn6k3fa655agu3icvln.de/NSEC3: keyset with trust secure
;;   validating umuntapqo13nesn6k3fa655agu3icvln.de/NSEC3: verify rdataset (keyid=26008): success
;;   validating umuntapqo13nesn6k3fa655agu3icvln.de/NSEC3: marking as secure, noqname proof not needed
;; validating heise.de/DS: in authvalidated
;; validating heise.de/DS: resuming nsecvalidate
;; validating heise.de/DS: looking for relevant NSEC3
;; validating heise.de/DS: looking for relevant NSEC3
;; validating heise.de/DS: looking for relevant NSEC3
;; validating heise.de/DS: NSEC3 indicates potential closest encloser: 'de'
;; validating heise.de/DS: NSEC3 at super-domain de
;; validating heise.de/DS: looking for relevant NSEC3
;; validating heise.de/DS: NSEC3 proves name does not exist: 'heise.de'
;; validating heise.de/DS: NSEC3 indicates optout
;; validating heise.de/DS: in checkwildcard: *.de
;; validating heise.de/DS: looking for relevant NSEC3
;; validating heise.de/DS: NSEC3 at super-domain de
;; validating heise.de/DS: looking for relevant NSEC3
;; validating heise.de/DS: in checkwildcard: *.de
;; validating heise.de/DS: nonexistence proof(s) found
;; validating heise.de/A: in dsfetched2: ncache nxrrset
;; validating heise.de/A: marking as answer (dsfetched2)
; unsigned answer
heise.de.               3200171710 IN   A       193.99.144.80

And finally, a failure in DNSSEC:

weberjoh@vm22-lx2:~$ delv @2001:470:765b::d034:53 fail01.dnssec.works +vtrace
;; fetch: fail01.dnssec.works/A
;; resolution failed: timed out

Uh. What has happened? My recursive DNS server *does* DNSSEC validation as well, hence delve is unable to query it for falsified records. Unluckily, you can’t set the cd bit (checking disabled) for delv requests. (Why?!? This would be that useful for troubleshooting!)

Hence we must use a non-validating recursive DNS server to test with, like the second one from Quad9: 2620:fe::10 respectively 9.9.9.10.

Depending on the failure, delv gives you appropriate notes, such as “insecurity proof failed”:

weberjoh@vm22-lx2:~$ delv @2620:fe::10 fail01.dnssec.works +vtrace
;; fetch: fail01.dnssec.works/A
;; validating fail01.dnssec.works/A: starting
;; validating fail01.dnssec.works/A: attempting insecurity proof
;; validating fail01.dnssec.works/A: checking existence of DS at 'works'
;; fetch: works/DS
;; validating works/DS: starting
;; validating works/DS: attempting positive response validation
;; fetch: ./DNSKEY
;; validating ./DNSKEY: starting
;; validating ./DNSKEY: attempting positive response validation
;; validating ./DNSKEY: verify rdataset (keyid=20326): success
;; validating ./DNSKEY: signed by trusted key; marking as secure
;; validating works/DS: in fetch_callback_validator
;; validating works/DS: keyset with trust secure
;; validating works/DS: resuming validate
;; validating works/DS: verify rdataset (keyid=22545): success
;; validating works/DS: marking as secure, noqname proof not needed
;; validating fail01.dnssec.works/A: in dsfetched2: success
;; validating fail01.dnssec.works/A: resuming proveunsecure
;; validating fail01.dnssec.works/A: checking existence of DS at 'dnssec.works'
;; fetch: dnssec.works/DS
;; validating dnssec.works/DS: starting
;; validating dnssec.works/DS: attempting positive response validation
;; fetch: works/DNSKEY
;; validating works/DNSKEY: starting
;; validating works/DNSKEY: attempting positive response validation
;; validating works/DNSKEY: verify rdataset (keyid=37354): success
;; validating works/DNSKEY: marking as secure (DS)
;; validating dnssec.works/DS: in fetch_callback_validator
;; validating dnssec.works/DS: keyset with trust secure
;; validating dnssec.works/DS: resuming validate
;; validating dnssec.works/DS: verify rdataset (keyid=21105): success
;; validating dnssec.works/DS: marking as secure, noqname proof not needed
;; validating fail01.dnssec.works/A: in dsfetched2: success
;; validating fail01.dnssec.works/A: resuming proveunsecure
;; validating fail01.dnssec.works/A: checking existence of DS at 'fail01.dnssec.works'
;; fetch: fail01.dnssec.works/DS
;; validating fail01.dnssec.works/DS: starting
;; validating fail01.dnssec.works/DS: attempting positive response validation
;; fetch: dnssec.works/DNSKEY
;; validating dnssec.works/DNSKEY: starting
;; validating dnssec.works/DNSKEY: attempting positive response validation
;; validating dnssec.works/DNSKEY: verify rdataset (keyid=41779): success
;; validating dnssec.works/DNSKEY: marking as secure (DS)
;; validating fail01.dnssec.works/DS: in fetch_callback_validator
;; validating fail01.dnssec.works/DS: keyset with trust secure
;; validating fail01.dnssec.works/DS: resuming validate
;; validating fail01.dnssec.works/DS: verify rdataset (keyid=63306): success
;; validating fail01.dnssec.works/DS: marking as secure, noqname proof not needed
;; validating fail01.dnssec.works/A: in dsfetched2: success
;; validating fail01.dnssec.works/A: resuming proveunsecure
;; validating fail01.dnssec.works/A: insecurity proof failed
;; insecurity proof failed resolving 'fail01.dnssec.works/A/IN': 2620:fe::10#53
;; resolution failed: insecurity proof failed

or “RRSIG has expired”:

weberjoh@vm22-lx2:~$ delv @2620:fe::10 fail02.dnssec.works +vtrace
;; fetch: fail02.dnssec.works/A
;; validating fail02.dnssec.works/A: starting
;; validating fail02.dnssec.works/A: attempting positive response validation
;; fetch: fail02.dnssec.works/DNSKEY
;; validating fail02.dnssec.works/DNSKEY: starting
;; validating fail02.dnssec.works/DNSKEY: attempting positive response validation
;; fetch: fail02.dnssec.works/DS
;; validating fail02.dnssec.works/DS: starting
;; validating fail02.dnssec.works/DS: attempting positive response validation
;; fetch: dnssec.works/DNSKEY
;; validating dnssec.works/DNSKEY: starting
;; validating dnssec.works/DNSKEY: attempting positive response validation
;; fetch: dnssec.works/DS
;; validating dnssec.works/DS: starting
;; validating dnssec.works/DS: attempting positive response validation
;; fetch: works/DNSKEY
;; validating works/DNSKEY: starting
;; validating works/DNSKEY: attempting positive response validation
;; fetch: works/DS
;; validating works/DS: starting
;; validating works/DS: attempting positive response validation
;; fetch: ./DNSKEY
;; validating ./DNSKEY: starting
;; validating ./DNSKEY: attempting positive response validation
;; validating ./DNSKEY: verify rdataset (keyid=20326): success
;; validating ./DNSKEY: signed by trusted key; marking as secure
;; validating works/DS: in fetch_callback_validator
;; validating works/DS: keyset with trust secure
;; validating works/DS: resuming validate
;; validating works/DS: verify rdataset (keyid=22545): success
;; validating works/DS: marking as secure, noqname proof not needed
;; validating works/DNSKEY: in dsfetched
;; validating works/DNSKEY: dsset with trust secure
;; validating works/DNSKEY: verify rdataset (keyid=37354): success
;; validating works/DNSKEY: marking as secure (DS)
;; validating dnssec.works/DS: in fetch_callback_validator
;; validating dnssec.works/DS: keyset with trust secure
;; validating dnssec.works/DS: resuming validate
;; validating dnssec.works/DS: verify rdataset (keyid=21105): success
;; validating dnssec.works/DS: marking as secure, noqname proof not needed
;; validating dnssec.works/DNSKEY: in dsfetched
;; validating dnssec.works/DNSKEY: dsset with trust secure
;; validating dnssec.works/DNSKEY: verify rdataset (keyid=41779): success
;; validating dnssec.works/DNSKEY: marking as secure (DS)
;; validating fail02.dnssec.works/DS: in fetch_callback_validator
;; validating fail02.dnssec.works/DS: keyset with trust secure
;; validating fail02.dnssec.works/DS: resuming validate
;; validating fail02.dnssec.works/DS: verify rdataset (keyid=63306): success
;; validating fail02.dnssec.works/DS: marking as secure, noqname proof not needed
;; validating fail02.dnssec.works/DNSKEY: in dsfetched
;; validating fail02.dnssec.works/DNSKEY: dsset with trust secure
;; validating fail02.dnssec.works/DNSKEY: verify failed due to bad signature (keyid=2536): RRSIG has expired
;; validating fail02.dnssec.works/DNSKEY: no RRSIG matching DS key
;; validating fail02.dnssec.works/DNSKEY: no valid signature found (DS)
;; no valid RRSIG resolving 'fail02.dnssec.works/DNSKEY/IN': 2620:fe::10#53
;; validating fail02.dnssec.works/A: in fetch_callback_validator
;; validating fail02.dnssec.works/A: fetch_callback_validator: got SERVFAIL
;; broken trust chain resolving 'fail02.dnssec.works/A/IN': 2620:fe::10#53
;; resolution failed: broken trust chain

or “RRSIG failed to verify”:

weberjoh@vm22-lx2:~$ delv @2620:fe::10 fail03.dnssec.works +vtrace
;; fetch: fail03.dnssec.works/A
;; validating fail03.dnssec.works/A: starting
;; validating fail03.dnssec.works/A: attempting positive response validation
;; fetch: fail03.dnssec.works/DNSKEY
;; validating fail03.dnssec.works/DNSKEY: starting
;; validating fail03.dnssec.works/DNSKEY: attempting positive response validation
;; fetch: fail03.dnssec.works/DS
;; validating fail03.dnssec.works/DS: starting
;; validating fail03.dnssec.works/DS: attempting positive response validation
;; fetch: dnssec.works/DNSKEY
;; validating dnssec.works/DNSKEY: starting
;; validating dnssec.works/DNSKEY: attempting positive response validation
;; fetch: dnssec.works/DS
;; validating dnssec.works/DS: starting
;; validating dnssec.works/DS: attempting positive response validation
;; fetch: works/DNSKEY
;; validating works/DNSKEY: starting
;; validating works/DNSKEY: attempting positive response validation
;; fetch: works/DS
;; validating works/DS: starting
;; validating works/DS: attempting positive response validation
;; fetch: ./DNSKEY
;; validating ./DNSKEY: starting
;; validating ./DNSKEY: attempting positive response validation
;; validating ./DNSKEY: verify rdataset (keyid=20326): success
;; validating ./DNSKEY: signed by trusted key; marking as secure
;; validating works/DS: in fetch_callback_validator
;; validating works/DS: keyset with trust secure
;; validating works/DS: resuming validate
;; validating works/DS: verify rdataset (keyid=22545): success
;; validating works/DS: marking as secure, noqname proof not needed
;; validating works/DNSKEY: in dsfetched
;; validating works/DNSKEY: dsset with trust secure
;; validating works/DNSKEY: verify rdataset (keyid=37354): success
;; validating works/DNSKEY: marking as secure (DS)
;; validating dnssec.works/DS: in fetch_callback_validator
;; validating dnssec.works/DS: keyset with trust secure
;; validating dnssec.works/DS: resuming validate
;; validating dnssec.works/DS: verify rdataset (keyid=21105): success
;; validating dnssec.works/DS: marking as secure, noqname proof not needed
;; validating dnssec.works/DNSKEY: in dsfetched
;; validating dnssec.works/DNSKEY: dsset with trust secure
;; validating dnssec.works/DNSKEY: verify rdataset (keyid=41779): success
;; validating dnssec.works/DNSKEY: marking as secure (DS)
;; validating fail03.dnssec.works/DS: in fetch_callback_validator
;; validating fail03.dnssec.works/DS: keyset with trust secure
;; validating fail03.dnssec.works/DS: resuming validate
;; validating fail03.dnssec.works/DS: verify rdataset (keyid=63306): success
;; validating fail03.dnssec.works/DS: marking as secure, noqname proof not needed
;; validating fail03.dnssec.works/DNSKEY: in dsfetched
;; validating fail03.dnssec.works/DNSKEY: dsset with trust secure
;; validating fail03.dnssec.works/DNSKEY: verify rdataset (keyid=4699): success
;; validating fail03.dnssec.works/DNSKEY: marking as secure (DS)
;; validating fail03.dnssec.works/A: in fetch_callback_validator
;; validating fail03.dnssec.works/A: keyset with trust secure
;; validating fail03.dnssec.works/A: resuming validate
;; validating fail03.dnssec.works/A: verify rdataset (keyid=8628): RRSIG failed to verify
;; validating fail03.dnssec.works/A: failed to verify rdataset
;; validating fail03.dnssec.works/A: verify failure: success
;; validating fail03.dnssec.works/A: no valid signature found
;; RRSIG failed to verify resolving 'fail03.dnssec.works/A/IN': 2620:fe::10#53
;; resolution failed: RRSIG failed to verify

Thanks to Carsten Strotmann for his great DNSSEC test hostnames at dnssec.works!

Happy DNSSECing. ;) And merry Christmas. Christ is born <- that’s what Christmas is all about!


Viewing all articles
Browse latest Browse all 253

Trending Articles



<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>