Comment 3 for bug 1406729

Charles Peters II (cp) wrote:

I vote no, if someone is setting up or testing DNSSEC, let's not encourage them to use a broken dig option!

I tried using the following command and dig core dumped. Note: www is set up as a CNAME.
dig +trusted-key=trusted-key.key +topdown +sigchase +multiline -ta www.tuxedo.net

I was wondering if I had done something wrong with DNSSEC... But other tools show (I think) that it looks OK.
drill -TD -k ../trusted-key.key www.tuxedo.net # See footnote 1
http://dnsviz.net/d/www.tuxedo.net/dnssec/

After some more digging I found:
The option is not compiled in by default upstream because it is broken.

See:
https://lists.isc.org/pipermail/bind-users/2012-May/087779.html
https://lists.isc.org/pipermail/bind-users/2012-May/087781.html

dig +trusted-key=trusted-key.key +topdown +sigchase +multiline -ta com
...
;; OK a DS valids a DNSKEY in the RRset
;; Now verify that this DNSKEY validates the DNSKEY RRset
;; VERIFYING DNSKEY RRset for com. with DNSKEY:30909: success

;; We are in a Grand Father Problem: See 2.2.1 in RFC 3568

;; ERROR : com. is not a subdomain of: com. FAILED

name.c:2151: REQUIRE(source->length > 0) failed, back trace
#0 0x7f1a1cda5954 in ??
#1 0x7f1a1cda58ba in ??
#2 0x7f1a1d4a7bdc in ??
#3 0x7f1a1dc45f72 in ??
#4 0x7f1a1dc48397 in ??
#5 0x7f1a1dc4a3d2 in ??
#6 0x7f1a1cdc7af6 in ??
#7 0x7f1a1cb80182 in ??
#8 0x7f1a1c8acefd in ??
Aborted (core dumped)

I also compiled bind-9.9.6-P1 to test if it was fixed in a newer release, and it is still broken.

Footnote 1:
Note: drill is currently part of the ldnsutils package and not unbound. https://www.nlnetlabs.nl/projects/drill/