trust anchor

trust anchor. (Photo credit: Wikipedia)

you need a trust anchor. it should be provided in a file named trusted-key.key but in my debian locate trusted-key returns an empty answer. the /etc/bind/bind.keys seems to hold some trust anchors, but I donnot understand how it should be used. anyway, you can request the root dnskey and put theme in the file called trusted-key.key .

dig +nocomments +nostats +nocmd +noquestion -t dnskey . >> /etc/trusted-key.key
just verify the keyx are OK. mine looks like:
.                       171512  IN      DNSKEY  257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=
.                       171512  IN      DNSKEY  256 3 8 AwEAAZvJd8ORk+jmZ41QMYbQ1XCpf60l6YJuHtnxn0VSh5a5vqwEjTST 3/PZ4xhUFu2YcTfRNWxs9WTiGZl3MY/UlBIvzpLhKgKnf9Vk8sEU3q0n mOGFgE6jTi/cU95ATU/2dTQovMDv9XyWvrmj8KIG2brj6mF4S8GTae6G 2GwbMF5v

The TTL (2nd field) does not matter, but the rest must be the same.

verification chain

the +sigchase option of dig is correctly done and work as follow:

1. fetch all needed material (dnskey, ds, and rrsig RR )
2. perform validation (check the validity dnskey->[ds->dnskey]+->rr)

To test, I decided to fetch the MX record for www.example.com. I cut the output, there are many uninterresting stuff:

$ dig +sigchase mx www.example.com
;; NO ANSWERS: no more
We want to prove the non-existence of a type of rdata 15 or of the zone:
We have a NSEC for this zone :OK
OK the NSEC said that the type doesn't exist
prove_nx: OK type does not exist
;; An NSEC prove the non-existence of a answers, Now we want validate this NSEC
[...]
Launch query to find RRset of type [...]
[...]
;; WE HAVE MATERIAL, WE NOW DO VALIDATION
;; VERIFYING NSEC RRset for www.example.com. with DNSKEY:6439: success
;; OK We found DNSKEY (or more) to validate the RRset
;; Now, we are going to validate this DNSKEY by the DS
;; OK a DS valids a DNSKEY in the RRset
;; Now verify that this DNSKEY validates the DNSKEY RRset
;; VERIFYING DNSKEY RRset for example.com. with DNSKEY:31589: success
;; OK this DNSKEY (validated by the DS) validates the RRset of the DNSKEYs, thus the DNSKEY validates the RRset
;; Now, we want to validate the DS :  recursive call
[...]
;; WE HAVE MATERIAL, WE NOW DO VALIDATION
;; VERIFYING DS RRset for com. with DNSKEY:40926: success
;; OK We found DNSKEY (or more) to validate the RRset
;; Ok, find a Trusted Key in the DNSKEY RRset: 40926
;; Ok, find a Trusted Key in the DNSKEY RRset: 19036
;; VERIFYING DNSKEY RRset for . with DNSKEY:19036: success

;; Ok this DNSKEY is a Trusted Key, DNSSEC validation is ok: SUCCESS

for testing purpose, you can try a existent and correctly signed RR and a RR whose validation failed:

dig +sigchase A www.example.com
dig +sigchase A www.dnssec-failed.org

(Non-)Related articles

• .biz DNSSEC DNSKEY is Invalid, (Sat, Jun 22nd)
• "Automating DNSSEC Delegation Trust Maintenance" – Warren Kumari, Olafur Gudmundsson, George Barwood (Internet Drafts)