I vote no, if someone is setting up or testing DNSSEC, let's not encourage them to use a broken dig option!
I tried using the following command and dig core dumped. Note: www is set up as a CNAME.
dig +trusted-key=trusted-key.key +topdown +sigchase +multiline -ta www.tuxedo.net
I was wondering if I had done something wrong with DNSSEC... But other tools show (I think) it looks ok.
drill -TD -k ../trusted-key.key www.tuxedo.net # See footnote 1
http://dnsviz.net/d/www.tuxedo.net/dnssec/
And some more digging and I found:
The option is not compiled in by default upstream because it is broken.
dig +trusted-key=trusted-key.key +topdown +sigchase +multiline -ta com
...
;; OK a DS valids a DNSKEY in the RRset
;; Now verify that this DNSKEY validates the DNSKEY RRset
;; VERIFYING DNSKEY RRset for com. with DNSKEY:30909: success
;; We are in a Grand Father Problem: See 2.2.1 in RFC 3568
;; ERROR : com. is not a subdomain of: com. FAILED
name.c:2151: REQUIRE(source->length > 0) failed, back trace
#0 0x7f1a1cda5954 in ??
#1 0x7f1a1cda58ba in ??
#2 0x7f1a1d4a7bdc in ??
#3 0x7f1a1dc45f72 in ??
#4 0x7f1a1dc48397 in ??
#5 0x7f1a1dc4a3d2 in ??
#6 0x7f1a1cdc7af6 in ??
#7 0x7f1a1cb80182 in ??
#8 0x7f1a1c8acefd in ??
Aborted (core dumped)
I also compiled bind-9.9.6-P1 to test if it was fixed in a newer release, and it is still broken.
See:
https://lists.isc.org/pipermail/bind-users/2012-May/087779.html
https://lists.isc.org/pipermail/bind-users/2012-May/087781.html
Footnote 1: https://www.nlnetlabs.nl/projects/drill/
Note drill is currently part of the ldnsutils package and not unbound.
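An added example, not part of the original post or of BIND: a POSIX shell script that checks a name's DNSSEC status the way a validating resolver reports it, with a plain `dig +dnssec` query, rather than with the broken `+sigchase` path. It reads the RCODE, the `ad` (authenticated data) flag and the presence of RRSIGs in the answer section. The function names, the resolver address in `RESOLVER` (default 127.0.0.1), the name www.example.net and the sample responses built by `make_sample` are all assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: classify a name's DNSSEC status from a
# plain `dig +dnssec` query to a validating resolver, instead of the broken +sigchase.
# Assumptions (not from the page): a validating resolver at $RESOLVER (default
# 127.0.0.1), `dig` on PATH for live use, and constructed sample responses for testing.

# Print the RCODE from the dig header line, e.g. NOERROR or SERVFAIL (empty if absent).
response_rcode() {
    printf '%s\n' "$1" | sed -n 's/^;; ->>HEADER<<- .*status: \([A-Z]*\),.*/\1/p'
}

# Succeed if the flags line carries "ad": the resolver validated the answer.
header_has_ad() {
    printf '%s\n' "$1" | grep -Eq '^;; flags:.* ad[ ;]'
}

# Succeed if the ANSWER SECTION contains an RRSIG record (field 4 is the RR type).
answer_has_rrsig() {
    printf '%s\n' "$1" | awk '
        /^;; ANSWER SECTION:/ { in_answer = 1; next }
        /^;;/                 { in_answer = 0 }
        in_answer && $4 == "RRSIG" { found = 1 }
        END { exit !found }'
}

# Map a whole dig response to one word:
#   validated            AD flag set by the validating resolver
#   signed-not-validated RRSIGs present but no AD (resolver not validating, or +cd used)
#   unsigned             no RRSIGs and no AD (zone not signed, or no chain of trust)
#   servfail             validating resolvers answer SERVFAIL for a bogus chain
#   no-response          nothing parseable (dig missing, timeout, etc.)
dnssec_status() {
    resp=$1
    rcode=$(response_rcode "$resp")
    case "$rcode" in
        NOERROR)  ;;
        SERVFAIL) echo servfail; return 0 ;;
        "")       echo no-response; return 0 ;;
        *)        echo "$rcode" | tr 'A-Z' 'a-z'; return 0 ;;
    esac
    if header_has_ad "$resp"; then
        echo validated
    elif answer_has_rrsig "$resp"; then
        echo signed-not-validated
    else
        echo unsigned
    fi
}

# Live query (needs network): $1 = name, $2 = RR type (default A).
query_dnssec() {
    dig @"${RESOLVER:-127.0.0.1}" +dnssec +multiline "$1" "${2:-A}" 2>&1
}

# Constructed, abbreviated dig response for offline testing (not a real capture).
# $1 = RCODE, $2 = flags string, $3 = "rrsig" to include an RRSIG in the answer.
make_sample() {
    printf ';; ->>HEADER<<- opcode: QUERY, status: %s, id: 4242\n' "$1"
    printf ';; flags: %s; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1\n\n' "$2"
    if [ "$1" = NOERROR ]; then
        printf ';; ANSWER SECTION:\n'
        printf 'www.example.net.\t300 IN A 192.0.2.10\n'
        if [ "$3" = rrsig ]; then
            printf 'www.example.net.\t300 IN RRSIG A 8 3 300 (\n'
            printf '\t\t20141201000000 20141101000000 12345 example.net.\n'
            printf '\t\tcHJldGVuZC1zaWduYXR1cmU= )\n'
        fi
        printf '\n'
    fi
    printf ';; Query time: 3 msec\n'
}

if [ $# -gt 0 ]; then
    for name in "$@"; do
        printf '%s: %s\n' "$name" "$(dnssec_status "$(query_dnssec "$name")")"
    done
else
    # No arguments: show the classifier on the constructed samples.
    printf 'validated sample:   %s\n' "$(dnssec_status "$(make_sample NOERROR 'qr rd ra ad' rrsig)")"
    printf 'signed, no AD:      %s\n' "$(dnssec_status "$(make_sample NOERROR 'qr rd ra' rrsig)")"
    printf 'unsigned sample:    %s\n' "$(dnssec_status "$(make_sample NOERROR 'qr rd ra' none)")"
    printf 'servfail sample:    %s\n' "$(dnssec_status "$(make_sample SERVFAIL 'qr rd ra' none)")"
fi
```

Run as `RESOLVER=127.0.0.1 sh dnssec-status.sh www.tuxedo.net` against a resolver that validates. A SERVFAIL from a validating resolver can mean either a bogus chain or an unreachable upstream; repeating the query with `+cd` (checking disabled) tells them apart, because an answer that then comes back carrying RRSIGs shows the data was reachable and it was validation that failed.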