troubleshooting dnssec

If you’re looking for DNSSEC troubleshooting tools, Carsten Strotmann’s article Delve deep into DNSSEC presents a new cli tool that will be available in BIND 9.10 called delv.

delv works very much like the already know dig. It is like dig with special DNSSEC validation powers. delv checks the DNSSEC validation chain using the same code that is used by the BIND 9 DNS server itself.

But keep in mind that delv, as any standard unix tool, will use the resolvers in /etc/resolv.conf to perform all lookups. If all your resolvers listed are DNSSEC validating, delv will not be able to lookup a non-dnssec validating RR, and will not help you debug the problem.

[stsimb@jumbo ~]$ delv www.spbet.eu. +multi +rtrace
 ;; fetch: www.spbet.eu/A
 ;; resolution failed: failure

You need to have access to some non-DNSSEC validating resolver, to kick start the trace..

[stsimb@jumbo ~]$ delv www.spbet.eu. @4.2.2.1 +multi +rtrace
 ;; fetch: www.spbet.eu/A
 ;; fetch: eu/DS
 ;; fetch: ./DNSKEY
 ;; fetch: spbet.eu/DS
 ;; fetch: eu/DNSKEY
 ;; fetch: eu/DS
 ;; fetch: ./DNSKEY
 ;; fetch: www.spbet.eu/DS
 ;; fetch: eu/DS
 ;; fetch: ./DNSKEY
 ;; fetch: spbet.eu/DS
 ;; fetch: eu/DNSKEY
 ;; fetch: eu/DS
 ;; fetch: ./DNSKEY
 ;; no valid RRSIG resolving 'www.spbet.eu/DS/IN': 4.2.2.1#53
 ;; no valid DS resolving 'www.spbet.eu/A/IN': 4.2.2.1#53
 ;; resolution failed: no valid DS

Personally I don’t consider this a bug. It’s expected behaviour, a unix tool to use the resolvers in /etc/resolv.conf for resolution.

delv cannot determine for sure if it’s your resolver’s fault, and then try another one (and if it did, which one should it choose?). It’s your job to have this in mind, and ask some other non-dncsec validating resolver that you have access to.

Nevertheless, this situation may come up many times. Troubleshooting broken trust chains is one of the reasons someone will use delv, and gives you a reason to keep a non dnssec-validating resolver available somewhere.

Update: Thanks to Peter van Dijk‘s tweet I discovered that +cdflag works in delv (although it’s not listed in delv -h).

follow me on twitter

RT @hsoc: Merry Christmas @hellasdirect 🎅🎄 https://t.co/V7xxbjw9YS 1 year ago

RT @bad_packets: It's not DNS There's no way it's DNS It was DNS twitter.com/BleepinCompute… 1 year ago

RT @PowerDNS_Bert: Dear EU: Cyber security is important, but please don’t #RuinTheRoot by regulating the non-essential entities that run th… 1 year ago

RT @_argp: BugTraq Shutdown, end of an era: "At this time, resources for the BugTraq mailing list have not been prioritized, and this will… 2 years ago

RT @jpmens: IT WASN’T DNS twitter.com/atoonk/status/… 2 years ago

RT @fanf: “For the first time, nginx is in use by more web-facing computers than any other web server, including Apache” https://t.co/rscQy… 2 years ago

RT @skaragiannis: In case you missed it https://t.co/X3FUqYZYqZ 2 years ago

RT @QuinnyPig: The best part about this question is that (aside from the third answer's "single digit millisecond latency") I can make it d… 3 years ago

RT @ripencc: Today, at 15:35, we made our final /22 IPv4 allocation from the last remaining addresses in our available pool. We have now ru… 3 years ago

RT @hellasdirect: Sotiris Tsimbonis, our infrastructure and automation lead, has been with us from day 1. Today, we are proud to see him ex… 3 years ago

Follow @stsimb

Linux Weekly News

X.org vulnerability and releases

The X.Org project has announced a vulnerability in its X server and Xwayland (CVE-2023-1393). This issue can lead to local privileges elevation on systems where the X server is running privileged and remote code execution for ssh X forwarding sessions. [...] If a client explicitly destroys the compositor overlay window (aka COW), the Xserver would leave a da […]

jake

[$] The trouble with MODULE_LICENSE() in non-modules

The kernel's hierarchical maintainer model works quite well from the standpoint of allowing thousands of developers to work together without (often) stepping on each others' toes. But that model can also make life painful for developers who are trying to make changes across numerous subsystems. Other possible source of pain include changes related […]

corbet

Stable kernels 6.2.9, 6.1.22, 5.15.105, and 5.4.239

Greg Kroah-Hartman has announced the release of the 6.2.9, 6.1.22, 5.15.105, and 5.4.239 stable kernels. The latter (5.4.239) has single patch to fix the permissions of a selftest file, while the other three have a lengthy list of important fixes throughout the kernel tree.

jake

Security updates for Thursday

Security updates have been issued by Debian (xorg-server and xrdp), Fedora (mingw-python-certifi, mingw-python3, mingw-zstd, moodle, python-cairosvg, python-markdown-it-py, redis, xorg-x11-server, and yarnpkg), Slackware (mozilla and xorg), SUSE (grub2, ldb, samba, libmicrohttpd, python-Werkzeug, rubygem-rack, samba, sudo, testng, tomcat, webkit2gtk3, xorg-x […]

jake

[$] LWN.net Weekly Edition for March 30, 2023

The LWN.net Weekly Edition for March 30, 2023 is available.

corbet

[$] Rebecca Giblin on chokepoint capitalism

The fourth and final keynote for Everything Open 2023 was given by Professor Rebecca Giblin of the Melbourne Law School, University of Melbourne. It revolved around her recent book, Chokepoint Capitalism, which she wrote with Cory Doctorow; it is "a book about why creative labor markets are rigged — and how to unrig them". Giblin had planned to be […]

jake

[$] OpenSUSE MicroOS Desktop: a Flatpak-based immutable distribution

Immutable Linux distributions are on the rise recently, with multiple popular distributions creating their own immutable versions; it could be one of the trends of 2023, as predicted. While many of these immutable distributions are focused on server use, there are also some that offer a desktop experience. OpenSUSE MicroOS Desktop is one of them, with a mini […]

jake

Stenberg: Pre-notification dilemmas

Curl maintainer Daniel Stenberg expresses some frustrations with the vulnerability notification policies maintained by the distros mailing list. The week before we were about to ship the curl 8.0.0 release, I emailed the distros mailing list again like I have done so many times before and told them about the upcoming six(!) vulnerabilities we were about to r […]

corbet

Security updates for Wednesday

Security updates have been issued by Debian (unbound and xorg-server), Fedora (stellarium), Oracle (kernel), SUSE (apache2, oracleasm, python-Werkzeug, rubygem-loofah, sudo, and tomcat), and Ubuntu (git, kernel, and linux-hwe-5.19).

corbet

[$] Ubuntu stops shipping Flatpak by default

Canonical recently announced that it will no longer ship Flatpak as part of its default installation for the various official Ubuntu flavors, which is in keeping with the practices of the core Ubuntu distribution. The Flatpak package format has gained popularity among Linux users for its convenience and ease of use. Canonical will focus exclusively on its ow […]

jake

Σχολιάστε Ακύρωση απάντησης

Γράψτε το σχόλιο σας εδώ....

Εισάγετε τα παρακάτω στοιχεία ή επιλέξτε ένα εικονίδιο για να συνδεθείτε:

Ηλ. διεύθυνση (απαιτείται) Δεν θα εμφανιστεί δημόσια.

Όνομα (απαιτείται)

Ιστότοπος

Σχολιάζετε χρησιμοποιώντας τον λογαριασμό WordPress.com. ( Αποσύνδεση / Αλλαγή )

Σχολιάζετε χρησιμοποιώντας τον λογαριασμό Twitter. ( Αποσύνδεση / Αλλαγή )

Σχολιάζετε χρησιμοποιώντας τον λογαριασμό Facebook. ( Αποσύνδεση / Αλλαγή )

Ακύρωση

Σύνδεση με %s

	Michail στη Ελληνικά ή Αγγλικά;
	adamo στη Ελληνικά ή Αγγλικά;
	Michail στη Ελληνικά ή Αγγλικά;
	Michail στη Ελληνικά ή Αγγλικά;
	cvi going distribute… στη version control for important…
	bilias στη It’s a girl!
	Sotiris Tsimbonis στη It’s a girl!
	kioan στη It’s a girl!
	kzorba στη It’s a girl!
	Sotiris Tsimbonis στη It’s a girl!

Share this:

Μου αρέσει αυτό:

Σχετικά

Σχολιάστε Ακύρωση απάντησης