To: dnssec@cafax.se
From: Alexis Yushin <alexis@nlnetlabs.nl>
Date: Tue, 31 Jul 2001 18:34:46 +0200 (CEST)
Delivery-Date: Tue Jul 31 18:39:32 2001
Reply-To: alexis@nlnetlabs.nl
Sender: owner-dnssec@cafax.se
Subject: dig +sigchase
Hi,
We've just finished an ALPHA version of modifications to dig(1)
from the bind-9.2.0b1 distribution. The modified version of dig(1), when
used with the option +sigchase, will recursively trace the signatures
and the keys it discovers along the chain of trust up to the point
where it encounters a self-signed key, a key that is not signed, or a bad
signature. See the README below for details.
If you're interested in this tool please check:
http://www.nlnetlabs.nl/downloads/dig-9.2.0b1-nlnetlabs-alpha1.tar.gz
I would like to stress that it is just a debugging tool for
DNSSEC and not a security-aware resolver of any kind.
Regards,
Alexis
$Id: README.nlnetlabs,v 1.2 2001/07/31 13:30:25 alexis Exp $
This is a modified version of the dig(1) and host(1) programs
that come with bind version 9.2.0b1; however, it is the
first ALPHA version of these modifications.
The source distribution is available at
http://www.nlnetlabs.nl/downloads/dig-9.2.0b1-nlnetlabs-alpha1.tar.gz
At the present moment the modifications are made as-is without
any support, proper documentation or guarantee of suitability
for any particular purpose.
A new option, +sigchase, is added to dig(1), and a
similar -s option is added to host(1). When +sigchase
or -s is used with any regular DNS query, dig(1) or host(1) will
try to verify the SIG records that belong to the record set in
question and will then try to verify them recursively
for all the keys that form the chain of trust, all the way up
to any self-signed or unsigned key.
Please realize this is merely a debugging tool and not a
security-aware resolver by any means.
With that in mind:
- please keep in mind it is ALPHA software. do not rely on
it for any production purpose. if you believe it malfunctions,
please give me your feedback at <alexis@nlnetlabs.nl>, if
possible together with the patches that, in your opinion, would
fix the problem
- the signature chaser uses completely different code than the validator()
class of BIND. it does, however, use the dst and dnssec library
calls. my goal was not to validate certain record sets but to chase
a (number of) lines of trust. it might also be good to be able to check
my code's results against the decisions of validator(). it also means
i completely ignore NXT records
- ok, dig and host will not make any decisions about what's secure or
not, only showing where the chain ends, where it breaks and why it
breaks.
- the signature chaser at the moment only looks at the ANSWER section
of the DNS response, ignoring the AUTHORITY and ADDITIONAL sections altogether,
whatever options and bits are set
TODO
- having said that, the code only follows one line of trust, meaning
that the moment one key/signature combination is verified, it will
go on chasing that line. it probably would be nice to make
a mode where the tool would build a whole tree of all possible
lines of trust and produce something like this on its output
a open.nlnetlabs.nl
|
+- nlnetlabs.nl id 56721
| |
| +- .nl id 12534
| | |
| | +-- . id 17829 ROOT OF TRUST
| |
| +- .nl id 10278 EXPIRED!!!
|
+- nlnetlabs.nl id 34596 BAD SIG!!!
EXAMPLES
dig +sigchase a www.nlnetlabs.nl.nl @secnl.nlnetlabs.nl
dig +dnssec +sigchase a www.nlnetlabs.nl.nl @secnl.nlnetlabs.nl
host -s -t key nlnetlabs.nl.nl
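The chain walk that +sigchase performs, and the all-branches tree sketched in the TODO above, modelled in Python. This is added example code written for this archive page, not the NLnet Labs patch to dig(1)/host(1). Because it has to run offline, the DSA/RSA SIG records of RFC 2535 are replaced by HMAC-SHA256 tags over a canonical rendering of each RRset, and DNS lookups are replaced by a constructed in-memory "zone" dictionary (names, key ids and the 192.0.2.1 address are all made up to mirror the README's sketch). What it keeps faithfully is the chase itself: a SIG leads to the signer's KEY RRset, that RRset's SIGs are followed in turn, and a branch ends at a self-signed key, an unsigned key, an expired SIG, a bad SIG, or a key that cannot be found. Unlike the alpha tool's one-line mode, every SIG is followed, which is the tree mode the TODO asks for.

```python
"""Toy DNSSEC signature chaser (example code, not the dig +sigchase patch)."""
import hashlib
import hmac


def canonical(owner, rtype, rdatas):
    """Bytes a SIG covers in this model: owner name, type and sorted rdata."""
    body = "\n".join(sorted(str(r) for r in rdatas))
    return f"{owner.lower()} {rtype} {body}".encode()


def sign(zone, owner, rtype, signer, key_id, secret, expires):
    """Make a toy SIG over zone[owner][rtype] with the key (signer, key_id).

    HMAC-SHA256 stands in for the public-key signature of a real SIG record.
    """
    tag = hmac.new(secret, canonical(owner, rtype, zone[owner][rtype]),
                   hashlib.sha256).hexdigest()
    return {"covers": rtype, "signer": signer, "key_id": key_id,
            "expires": expires, "tag": tag}


def chase(zone, owner, rtype, now, seen=()):
    """Follow every SIG over (owner, rtype) up the chain of trust.

    Returns a list of branches (sig, status, children).  Every SIG is
    followed, so the result is a tree rather than a single line of trust.
    """
    branches = []
    for sig in zone.get(owner, {}).get("SIG", []):
        if sig["covers"] != rtype:
            continue
        # The key named by the SIG must exist in the signer's KEY RRset.
        keys = [k for k in zone.get(sig["signer"], {}).get("KEY", [])
                if k[0] == sig["key_id"]]
        if not keys:
            branches.append((sig, "NO KEY!!!", []))
            continue
        _, secret = keys[0]
        expected = hmac.new(secret, canonical(owner, rtype, zone[owner][rtype]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig["tag"]):
            branches.append((sig, "BAD SIG!!!", []))
        elif sig["expires"] < now:
            branches.append((sig, "EXPIRED!!!", []))
        elif rtype == "KEY" and sig["signer"] == owner:
            # A KEY RRset signed by one of its own keys: the chase stops here.
            end = "ROOT OF TRUST" if owner == "." else "SELF SIGNED"
            branches.append((sig, end, []))
        elif (sig["signer"], sig["key_id"]) in seen:
            branches.append((sig, "LOOP!!!", []))   # do not chase forever
        else:
            nxt = seen + ((sig["signer"], sig["key_id"]),)
            branches.append((sig, "OK",
                             chase(zone, sig["signer"], "KEY", now, nxt)))
    if not branches:
        return [(None, "NOT SIGNED!!!", [])]   # a key (or RRset) nobody signed
    return branches


def render(branches, prefix=""):
    """ASCII tree in the style of the README's TODO sketch."""
    lines = []
    for sig, status, children in branches:
        who = f"{sig['signer']} id {sig['key_id']}" if sig else "(no SIG)"
        lines.append(f"{prefix}+- {who}" + ("" if status == "OK" else f" {status}"))
        lines.extend(render(children, prefix + "|  "))
    return lines


def chase_tree(zone, owner, rtype, now):
    """Header line plus the rendered tree, as a list of text lines."""
    return [f"{rtype.lower()} {owner}"] + render(chase(zone, owner, rtype, now))


def build_sample_zone(now):
    """Constructed data shaped like the README's sketch (all values made up)."""
    zone = {
        ".": {"KEY": [(17829, b"root-k")]},
        "nl": {"KEY": [(12534, b"nl-k1"), (10278, b"nl-k2")]},
        "nlnetlabs.nl": {"KEY": [(56721, b"nln-k1"), (34596, b"nln-k2")]},
        "open.nlnetlabs.nl": {"A": ["192.0.2.1"]},
    }
    far = now + 30 * 86400
    zone["."]["SIG"] = [sign(zone, ".", "KEY", ".", 17829, b"root-k", far)]
    zone["nl"]["SIG"] = [sign(zone, "nl", "KEY", ".", 17829, b"root-k", far)]
    zone["nlnetlabs.nl"]["SIG"] = [
        sign(zone, "nlnetlabs.nl", "KEY", "nl", 12534, b"nl-k1", far),
        sign(zone, "nlnetlabs.nl", "KEY", "nl", 10278, b"nl-k2", now - 1),  # expired
    ]
    bad = sign(zone, "open.nlnetlabs.nl", "A", "nlnetlabs.nl", 34596, b"nln-k2", far)
    bad["tag"] = "0" * 64   # corrupted on purpose: a SIG that does not verify
    zone["open.nlnetlabs.nl"]["SIG"] = [
        sign(zone, "open.nlnetlabs.nl", "A", "nlnetlabs.nl", 56721, b"nln-k1", far),
        bad,
    ]
    return zone


if __name__ == "__main__":
    now = 1_000_000
    print("\n".join(chase_tree(build_sample_zone(now), "open.nlnetlabs.nl", "A", now)))
```

Run as a script it prints the A record's two branches: the one through nlnetlabs.nl key 56721 and .nl key 12534 reaching the self-signed root key, the sibling .nl key 10278 marked EXPIRED, and the second nlnetlabs.nl signature marked BAD SIG. Remove a zone's SIG list and the branch above it ends in NOT SIGNED, which is the third stopping condition the README names. As in the alpha tool, nothing here decides what is "secure"; it only shows where each line of trust ends and why.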