Ubuntu
bind9 package

dig does not have a default trusted key

Bug #1406729 reported by Anand Kumria
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
bind9 (Ubuntu)
Confirmed
Wishlist
Unassigned

Bug Description

dig, as supplied, will not validate a DNSSEC domain.

The +sigchase option should cause validation to occur but it does not.

As noted in http://bryars.eu/2010/08/validating-and-exploring-dnssec-with-dig/ if a file called 'trusted-key.key' is present then dig will use that.

By default dig will look in /etc/trusted-key.key and then the current directory.

By supplying the file /etc/trusted-key.key, dig's signature checking will work out of the box.

Thanks,
Anand

Revision history for this message
Andreas Olsson (andol) wrote :

I can confirm this for Vivid's 9.9.5.dfsg-6ubuntu1 package.

Not convinced either way in regards to whatever Ubuntu should distribute a /etc/trusted-key.key file.
(Not my call either.)

Changed in bind9 (Ubuntu):
importance: Undecided → Wishlist
status: New → Confirmed
Revision history for this message
Anand Kumria (wildfire) wrote :

Considering that the 'bind9' package ships the root key (in /etc/bind/bind.keys), I see no reason why it should not also be shipped in the dnsutils package as well.

Revision history for this message
Charles Peters II (cp) wrote :

I vote no, if someone is setting up or testing DNSSEC, let's not encourage them to use a broken dig option!

I tried using the following command and dig core dumped. Note: www is setup as a CNAME.
dig +trusted-key=trusted-key.key +topdown +sigchase +multiline -ta www.tuxedo.net

I was wondering if I had done something wrong with DNSSEC... But other tools show (I think) it looks ok.
drill -TD -k ../trusted-key.key www.tuxedo.net # See footnote 1
http://dnsviz.net/d/www.tuxedo.net/dnssec/

And some more digging and I found:
The option is not compiled in by default upstream because it is broken.

See:
https://lists.isc.org/pipermail/bind-users/2012-May/087779.html
https://lists.isc.org/pipermail/bind-users/2012-May/087781.html

dig +trusted-key=trusted-key.key +topdown +sigchase +multiline -ta com
...
;; OK a DS valids a DNSKEY in the RRset
;; Now verify that this DNSKEY validates the DNSKEY RRset
;; VERIFYING DNSKEY RRset for com. with DNSKEY:30909: success

;; We are in a Grand Father Problem: See 2.2.1 in RFC 3568

;; ERROR : com. is not a subdomain of: com. FAILED

name.c:2151: REQUIRE(source->length > 0) failed, back trace
#0 0x7f1a1cda5954 in ??
#1 0x7f1a1cda58ba in ??
#2 0x7f1a1d4a7bdc in ??
#3 0x7f1a1dc45f72 in ??
#4 0x7f1a1dc48397 in ??
#5 0x7f1a1dc4a3d2 in ??
#6 0x7f1a1cdc7af6 in ??
#7 0x7f1a1cb80182 in ??
#8 0x7f1a1c8acefd in ??
Aborted (core dumped)

I also compiled bind-9.9.6-P1 to test if it was fixed in a newer release, and it is still broken.

Footnote 1:
Note drill is currently part of ldnsutils package and not unbound. https://www.nlnetlabs.nl/projects/drill/

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.