To: dnssec@cafax.se
From: Alexis Yushin <alexis@nlnetlabs.nl>
Date: Tue, 31 Jul 2001 18:34:46 +0200 (CEST)
Delivery-Date: Tue Jul 31 18:39:32 2001
Reply-To: alexis@nlnetlabs.nl
Sender: owner-dnssec@cafax.se
Subject: dig +sigchase
Hi,

We've just finished an ALPHA version of modifications to dig(1) from the bind-9.2.0b1 distribution. The modified version of dig(1), when used with the option +sigchase, will recursively trace the signatures and the keys it discovers along the chain of trust up to the point it encounters a self-signed key, a key that is not signed, or a bad signature. See the README below for details.

If you're interested in this tool please check:

http://www.nlnetlabs.nl/downloads/dig-9.2.0b1-nlnetlabs-alpha1.tar.gz

I would like to stress that it is just a debugging tool for DNSSEC and not a security-aware resolver of any kind.

Regards,
Alexis

$Id: README.nlnetlabs,v 1.2 2001/07/31 13:30:25 alexis Exp $

This is a modified version of the dig(1) and host(1) programs that come together with bind version 9.2.0b1; however, it is the first ALPHA version of these modifications. The source distribution is available at

http://www.nlnetlabs.nl/downloads/dig-9.2.0b1-nlnetlabs-alpha1.tar.gz

At the present moment the modifications are made as-is, without any support, proper documentation or guarantee of suitability for any particular purpose.

A new option that is added to dig(1) is +sigchase, and a similar -s option is added to host(1). When using +sigchase or -s with any regular DNS query, dig(1) or host(1) will try to verify the SIG records that belong to the record set in question, and further will try to verify them recursively for all the keys that form the chain of trust, all the way up to any self-signed or unsigned key.

Please realize this is merely a debugging tool and not a security-aware resolver by any means. With that in mind:

- Please keep in mind it is ALPHA software. Do not rely on it for any production purpose. If you believe it malfunctions, please give me your feedback at <alexis@nlnetlabs.nl>, if possible together with the patches that would fix the problem in your opinion.

- The signature chaser uses completely different code than the validator() class of bind. It does use, however, the dst and dnssec library calls. My goal was not to validate certain record sets but to chase a (number of) lines of trust. It might also be good to be able to check my code's results against the decisions of validator(). It also means I completely ignore NXT records.

- OK, dig and host will not make any decisions about what's secure or not, only showing where the chain ends and where it breaks and why it breaks.

- The signature chaser at the moment only looks at the ANSWER section of the DNS response, ignoring the AUTHORITY and ADDITIONAL sections altogether, with any options and bits set. TODO.

- Having said that, the code only follows one line of trust, meaning that the moment one key/signature combination is verified, it will go on with chasing that line. It probably would be nice to make a mode where the tool would build a whole tree of all possible lines of trust and make something like this on its output:

  a open.nlnetlabs.nl
  |
  +- nlnetlabs.nl id 56721
  |  |
  |  +- .nl id 12534
  |  |  |
  |  |  +-- . id 17829 ROOT OF TRUST
  |  |
  |  +- .nl id 10278 EXPIRED!!!
  |
  +- nlnetlabs.nl id 34596 BAD SIG!!!

EXAMPLES

dig +sigchase a www.nlnetlabs.nl.nl @secnl.nlnetlabs.nl
dig +dnssec +sigchase a www.nlnetlabs.nl.nl @secnl.nlnetlabs.nl
host -s -t key nlnetlabs.nl.nl
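As an added illustration, not part of Alexis' message or of the NLnet Labs dig/host modification, the following Python model walks a chain of trust the way the README describes: start from the ANSWER RRset, find the SIG covering it, look up the signer's KEY RRset and the key with the matching key id, verify, then repeat on that KEY RRset until a self-signed or unsigned key ends the line or a missing key, expired signature or bad signature breaks it. It goes beyond the tool in one respect the README's TODO sketches: it follows every SIG rather than the first verified one and renders the whole tree. Everything in it is constructed for the example: the in-memory zone store stands in for DNS queries, HMAC-SHA256 stands in for the public-key SIG algorithms real DNSSEC uses, expiration is in epoch seconds, and the key ids are the ones from the README's sketch with made-up key material.

```python
"""Toy signature chaser modelling the +sigchase walk described above.

Added example, not code from the dig/host modification in the message.
Constructed assumptions: an in-memory zone store instead of DNS queries,
HMAC-SHA256 in place of the public-key SIG algorithms real DNSSEC uses,
and epoch seconds for SIG expiration.
"""
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Key:
    owner: str
    tag: int       # key id, as printed in the README's tree
    secret: bytes  # toy stand-in for the key material in a KEY RR


@dataclass
class Sig:
    signer: str    # signer's name field of a SIG RR
    key_tag: int   # key tag field of a SIG RR
    expiration: int
    mac: bytes


@dataclass
class RRset:
    owner: str
    rtype: str
    rdata: tuple
    sigs: list = field(default_factory=list)


def canonical(rrset):
    """Bytes covered by a signature: owner, type and sorted rdata (not the SIGs)."""
    return "\n".join(sorted(f"{rrset.owner} {rrset.rtype} {r!r}" for r in rrset.rdata)).encode()


def sign(rrset, key, expiration):
    mac = hmac.new(key.secret, canonical(rrset), hashlib.sha256).digest()
    rrset.sigs.append(Sig(key.owner, key.tag, expiration, mac))


def verify(rrset, sig, key):
    expect = hmac.new(key.secret, canonical(rrset), hashlib.sha256).digest()
    return hmac.compare_digest(expect, sig.mac)


def chase(db, rrset, now, depth=0, path=(), out=None):
    """Follow every SIG on rrset up the chain of trust; return the tree as text lines.

    Each line ends at a self-signed or unsigned key, or breaks on a missing key,
    an expired or bad signature, or a signing loop (guarded via `path`).
    """
    out = [] if out is None else out
    pad = "|  " * depth
    if not rrset.sigs:
        out.append(f"{pad}+- {rrset.owner} {rrset.rtype} UNSIGNED, chain ends")
        return out
    for sig in rrset.sigs:
        label = f"{pad}+- {sig.signer} id {sig.key_tag}"
        keyset = db.get((sig.signer, "KEY"))
        keys = keyset.rdata if keyset else ()
        key = next((k for k in keys if k.tag == sig.key_tag), None)
        if key is None:
            out.append(f"{label} KEY NOT FOUND, chain breaks")
        elif sig.expiration < now:
            out.append(f"{label} EXPIRED!!!")
        elif not verify(rrset, sig, key):
            out.append(f"{label} BAD SIG!!!")
        elif keyset is rrset:
            out.append(f"{label} SELF SIGNED, chain ends")
        elif (keyset.owner, "KEY") in path:
            out.append(f"{label} LOOP, chain breaks")
        else:
            out.append(label)
            chase(db, keyset, now, depth + 1, path + ((rrset.owner, rrset.rtype),), out)
    return out


def build_zone():
    """Constructed zone reproducing the README's sketch: one good line up to a
    self-signed root key, an expired nl. signature and a bad nlnetlabs.nl. one."""
    root = Key(".", 17829, b"toy-root")
    nl_ok, nl_old = Key("nl.", 12534, b"toy-nl"), Key("nl.", 10278, b"toy-nl-old")
    nln_ok, nln_bad = Key("nlnetlabs.nl.", 56721, b"toy-nln"), Key("nlnetlabs.nl.", 34596, b"toy-nln-2")
    db = {}

    def add(rr):
        db[(rr.owner, rr.rtype)] = rr
        return rr

    root_keys = add(RRset(".", "KEY", (root,)))
    nl_keys = add(RRset("nl.", "KEY", (nl_ok, nl_old)))
    nln_keys = add(RRset("nlnetlabs.nl.", "KEY", (nln_ok, nln_bad)))
    answer = add(RRset("open.nlnetlabs.nl.", "A", ("192.0.2.1",)))
    now = 1_000_000
    sign(root_keys, root, now + 86400)   # self-signed root: end of the line
    sign(nl_keys, root, now + 86400)     # . signs the nl. KEY set
    sign(nln_keys, nl_ok, now + 86400)   # good signature by nl. id 12534
    sign(nln_keys, nl_old, now - 1)      # signature by nl. id 10278 has expired
    sign(answer, nln_ok, now + 86400)
    sign(answer, nln_bad, now + 86400)
    answer.sigs[-1].mac = bytes(32)      # corrupted on purpose: shows as BAD SIG
    return db, answer, now


if __name__ == "__main__":
    db, answer, now = build_zone()
    print(f"{answer.rtype.lower()} {answer.owner}")
    print("\n".join(chase(db, answer, now)))
```

Running it prints a tree in the shape of the README's sketch, with the expired nl. key and the bad nlnetlabs.nl. signature marked on their own branches. The `path` argument is the one thing a real chaser needs that the sketch does not mention: two KEY sets that sign each other would otherwise recurse forever.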