

To: dnssec@cafax.se
From: Olivier Courtay <olivier.courtay@irisa.fr>
Date: Mon, 27 Jan 2003 11:19:27 +0100
Sender: owner-dnssec@cafax.se
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2.1) Gecko/20021130
Subject: Dig patch for DNSsec

Hello,

I work for the French IDsA project (see http://www.idsa.prd.fr)
and I have written a patch for dig (included in the bind-9.3.0s20021115 source).

This patch attempts to permit the verification of the DNSsec chain of trust.
It validates the signatures of RRsets and follows the KEY and DS chain.

This patch is inspired by the NlNetlabs patch.
(available at http://www.nlnetlabs.nl/downloads/dig-9.2.0b2-nlnetlabs-0.1.tar.gz).

You can get the patch from:
ftp://ftp.irisa.fr/local/idsa/code/dig-sigchase/dig-9.3.0s20021115-idsa-0.5.patch.gz


COURTAY Olivier
Research engineer
IDsA project (http://idsa.irisa.fr)
ENST-Bretagne
France





-------------------------------------------------------------------------------------------
Example of execution trace.
127.0.0.1 is a recursive bind server (bind-9.3.0s20021115).

fr NS RRset is verified by its SIG(NS) RRset.
fr KEY RRset is verified by the fr DS RRset.
fr DS RRset is verified by the . KEY RRset.
and a KEY in the . KEY RRset is a trusted key.

# ./dig @127.0.0.1 fr ns +dnssec +sigchase

; <<>> DiG 9.3.0s20021115 <<>> @127.0.0.1 fr ns +dnssec +sigchase
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33485
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 5
.......
;; QUESTION SECTION:
;fr.                            IN      NS

;; ANSWER SECTION:
fr.                     63701   IN      NS      ns2.dnssec.nic.fr.
fr.                     63701   IN      NS      ns1.dnssec.nic.fr.
fr.                     63701   IN      SIG     NS 5 1 172800 20030125220040 20030122190040 6191 fr. WXNomBwqGEcDlPrX+vPOGDAi3abAkkrsiEufS3XnLcH0SdxTp2AFf42G J8dd6cwUQfRl9oplvT9rYDZT/dT39N4o5rRvDQkUHDYWwe3LoEbt27de ypld/t1Wweih6ZM7Jv3VZiSrjPOOzgn0NvBJPQ36MwojH2HDHDEnn3s2 pfw=
........


;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42558
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 5
........
;; QUESTION SECTION:
;fr.                            IN      DS

;; ANSWER SECTION:
fr.                     63471   IN      DS      59270 5 1 03CB598AEDE9B6241056595ED380B6C22539F37B
fr.                     63471   IN      SIG     DS 5 1 86400 20030201211319 20030102211319 11717 . Rr2VMJER5A1/1hiU+83mwJ49xwjJdAG1DV72v81LD0ghEKLHGehpFL5/ IS6j60hBYufWweOSGTKdGkOPLDZDi9KJolP//Q5OkpyTGF3ulOl4kal6 9MJR8h5dtUY1rsfKayCV1z01bG3NXrM6TBko672bvPClnreh3L0lSCY+ XnQ=
........



;;   BEGIN SIGCHASE
;; VERIFYING fr. type 2 with KEY:6191: success
;; OK We found one KEY (or more) for validate the RDATA
;; Now, we are going to validate this KEY by the DS
;; OK a DS valid a KEY in the RRset
;; Now verify that this KEY valid the KEY RRset
;; VERIFYING fr. type 25 with KEY:59270: success
;; OK this KEY (valited by the DS) valid the RRset of the KEYs, thought the KEY that validated the RRset
;; Now, we want to validate the DS :  recursive call
;; Query time: 5 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Jan 24 17:26:12 2003
;; MSG SIZE  rcvd: 1307

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24162
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 5
....................
;; QUESTION SECTION:
;.                              IN      KEY

;; ANSWER SECTION:
.                       419546  IN      KEY     256 3 5 AQOv87UkgmpBanCsLUS9Y0zVhXqngdePymbk1JEQWLXSJVmfu7+e4vGV jgG4mm25LodZjoKD4yep2bZZGEX6Fb2XKBeAZX7OmcKr/3L14Nf5hUj4 cmKIXdvRelu6AzFJrrndnGRvtvQ4H5Dd8hR+JlhsCNt/Q3i1LnMQWLwq I8TXXQ==
.                       419546  IN      SIG     KEY 5 0 518400 20030108183713 20021209183713 11717 . Vg9hke1tsgiURAPm30g5EVpz2Mo+MtrsYF11hLkUp8xRf7pnQxEaqf88 ZHlci+iWI3YgVH+oEQWeK8evSXRg/saBMQmHdcdVOWc0J4rDY3yansJQ eaDMrt7E1ImymGGaZCbIBg+D/CKxqDkLWq9D7H+C+rXVZpTXmcym4318 r4g=
..................

;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Jan 24 17:26:12 2003
;; MSG SIZE  rcvd: 668

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21830
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;.                              IN      DS
........................
;; NO ANSWERS: no more



;;   BEGIN SIGCHASE
;; VERIFYING fr. type 43 with KEY:11717: success
;; TRUSTED KEYS : DNSSEC VERIFICATION OK
;; Query time: 314 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Jan 24 17:26:13 2003
;; MSG SIZE  rcvd: 422


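The walk the trace above goes through (RRset signature, then the zone's KEY RRset, then the DS in the parent, recursively, until a trusted key) as an added, self-contained Python model; this is not the IDsA patch nor dig's code. The zone names (fr., ns1.dnssec.nic.fr., the root) are borrowed from the trace; every key, signature, key tag, TTL and SIG timestamp is constructed here at run time, the RSA keys are toy 512-bit keys, and the record store is a plain dictionary standing in for the answers dig fetches from 127.0.0.1. Algorithm 5 (RSASHA1), DS digest type 1 (SHA-1) and the key-tag and canonical-form rules follow RFC 3110, RFC 3658 and RFC 4034; the `sigchase` function mirrors the three checks the trace prints (VERIFYING with the KEY whose tag is in the SIG, "a DS valid a KEY", "this KEY valid the KEY RRset") and the final TRUSTED KEYS check.

```python
# Added example: a dig +sigchase style chain-of-trust walk for algorithm 5 (RSASHA1) over constructed zones.
import hashlib, random, struct
TYPE_NS, TYPE_KEY, TYPE_DS = 2, 25, 43
INC, EXP = 1043186440, 1043532040  # constructed SIG inception/expiration (seconds since the epoch)
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")  # PKCS#1 v1.5 DigestInfo prefix for SHA-1

def name_to_wire(name):  # canonical owner name: lowercase, uncompressed; "." is the single zero byte
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def key_tag(rdata):  # RFC 4034 Appendix B key tag over the KEY/DNSKEY RDATA (all algorithms but RSAMD5)
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (ac + ((ac >> 16) & 0xFFFF)) & 0xFFFF

def ds_matches_key(owner, ds, rdata):  # "a DS valid a KEY": key tag, algorithm and SHA-1 digest must all agree
    tag, alg, dtype = struct.unpack("!HBB", ds[:4])
    return tag == key_tag(rdata) and alg == rdata[3] and dtype == 1 and ds[4:] == hashlib.sha1(name_to_wire(owner) + rdata).digest()

def is_probable_prime(n, rounds=24):  # Miller-Rabin: n-1 = d*2^r; a^d, a^2d, ..., a^(2^(r-1) d) must hit n-1 unless a^d = 1
    r = ((n - 1) & (1 - n)).bit_length() - 1
    d = (n - 1) >> r
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x != 1 and not any((x := x * x % n if i else x) == n - 1 for i in range(r)):
            return False
    return True

def gen_prime(bits):  # random odd candidate with the top bit set, retried until Miller-Rabin accepts it
    while True:
        p = random.getrandbits(bits) | 1 << (bits - 1) | 1
        if is_probable_prime(p) and (p - 1) % 65537:
            return p

def gen_rsa(bits=512):  # toy RSA key (n, e, d): far too small for real use, enough to walk the chain
    p, q = gen_prime(bits // 2), gen_prime(bits // 2)
    return p * q, 65537, pow(65537, -1, (p - 1) * (q - 1))

def key_rdata(n, e, flags=256):  # KEY RDATA: flags | protocol 3 | algorithm 5 | RFC 3110 key (exponent length, exponent, modulus)
    exp = e.to_bytes((e.bit_length() + 7) // 8, "big")
    return struct.pack("!HBB", flags, 3, 5) + bytes([len(exp)]) + exp + n.to_bytes((n.bit_length() + 7) // 8, "big")

def emsa_sha1(data, k):  # EMSA-PKCS1-v1_5: 00 01 FF..FF 00 DigestInfo SHA-1(data), padded to k bytes
    return b"\x00\x01" + b"\xff" * (k - 38) + b"\x00" + SHA1_DIGESTINFO + hashlib.sha1(data).digest()

def rsa_sign(key, data):  # key = (n, e, d)
    k = (key[0].bit_length() + 7) // 8
    return pow(int.from_bytes(emsa_sha1(data, k), "big"), key[2], key[0]).to_bytes(k, "big")

def rsa_verify(rdata, data, sig):  # the public key is parsed out of the KEY RDATA itself
    elen = rdata[4]
    e, n = int.from_bytes(rdata[5:5 + elen], "big"), int.from_bytes(rdata[5 + elen:], "big")
    k = (n.bit_length() + 7) // 8
    return len(sig) == k and pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big") == emsa_sha1(data, k)

def canonical_rrs(owner, rtype, ttl, rdatas):  # RFC 4034 3.1.8.1: owner|type|class IN|orig TTL|RDLENGTH|RDATA per RR, sorted by RDATA
    wire = name_to_wire(owner)
    return b"".join(wire + struct.pack("!HHIH", rtype, 1, ttl, len(r)) + r for r in sorted(rdatas))

def sign_rrset(rrset, signer, key):  # SIG RDATA minus signature: type, alg, labels, orig TTL, expiry, inception, key tag, signer
    owner, rtype, ttl, rdatas = rrset
    labels = len([l for l in owner.split(".") if l])
    prefix = struct.pack("!HBBIIIH", rtype, 5, labels, ttl, EXP, INC, key_tag(key_rdata(*key[:2]))) + name_to_wire(signer)
    return prefix, rsa_sign(key, prefix + canonical_rrs(owner, rtype, ttl, rdatas))

def verify_sig(records, owner, rtype):  # dig's "VERIFYING <owner> type <rtype>": the signer's KEY with the SIG's key tag must verify
    rrset, signer, prefix, sig = records[(owner, rtype)]
    tag, data = struct.unpack("!H", prefix[16:18])[0], prefix + canonical_rrs(*rrset)
    keys = records[(signer, TYPE_KEY)][0][3]
    return next(((k, signer) for k in keys if key_tag(k) == tag and rsa_verify(k, data, sig)), None)

def sigchase(records, owner, rtype, trusted):  # RRset -> zone KEY -> parent DS -> parent KEY ... until a trusted key
    found = verify_sig(records, owner, rtype)
    if found is None:
        return False
    key, zone = found
    ksk = verify_sig(records, zone, TYPE_KEY)  # which KEY signs this zone's own KEY RRset?
    if zone in trusted:  # anchor zone reached: dig's final "TRUSTED KEYS" check
        return key in trusted[zone] or (ksk is not None and ksk[0] in trusted[zone])
    ds_set = records.get((zone, TYPE_DS))
    if ksk is None or ds_set is None or not any(ds_matches_key(zone, ds, ksk[0]) for ds in ds_set[0][3]):
        return False  # KEY RRset unsigned, no DS at the parent, or no DS names the KEY that signed the KEY RRset
    return sigchase(records, zone, TYPE_DS, trusted)  # dig's "recursive call" on the DS RRset

def build_demo():  # constructed "." and "fr." zones: fr NS signed by a ZSK, fr KEY by a KSK, fr DS (naming the KSK) by the root
    root, fr_ksk, fr_zsk = gen_rsa(), gen_rsa(), gen_rsa()
    root_key, fr_keys = key_rdata(*root[:2]), [key_rdata(*fr_ksk[:2]), key_rdata(*fr_zsk[:2])]
    ds = struct.pack("!HBB", key_tag(fr_keys[0]), 5, 1) + hashlib.sha1(name_to_wire("fr.") + fr_keys[0]).digest()
    ns = [name_to_wire("ns1.dnssec.nic.fr."), name_to_wire("ns2.dnssec.nic.fr.")]
    zones = [(".", TYPE_KEY, 86400, [root_key], ".", root), ("fr.", TYPE_KEY, 86400, fr_keys, "fr.", fr_ksk),
             ("fr.", TYPE_DS, 86400, [ds], ".", root), ("fr.", TYPE_NS, 172800, ns, "fr.", fr_zsk)]
    records = {}
    for owner, rtype, ttl, rdatas, signer, key in zones:
        rrset = (owner, rtype, ttl, rdatas)
        records[(owner, rtype)] = (rrset, signer) + sign_rrset(rrset, signer, key)
    return records, {".": {root_key}}  # trust anchor: the root KEY, like dig's trusted-key

if __name__ == "__main__":
    records, anchors = build_demo()
    print("fr NS chain of trust:", "OK" if sigchase(records, "fr.", TYPE_NS, anchors) else "FAILED")
```

Running the module prints OK for the fr NS RRset; replacing one NS RDATA after signing, or configuring a trust anchor that is not the KEY which signed the root KEY RRset, makes `sigchase` return False, which is the situation the patch reports when the chain cannot be closed. The model deliberately stops where the trace stops (one SIG per RRset, no validity-period or NXT/denial handling), so it shows the chain logic, not a complete validator.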


